Sensible Advice on Cloud Security from Sanjay Beri

EA: Sanjay, what are some of the cyber security challenges CISO teams face when it comes to cloud applications?

SB: First, even though there’s greater cloud awareness today than ever, CISOs are still mostly in the dark about cloud app usage in their organization. Our experience suggests that many still believe there are fewer than fifty or so apps in use, when in fact the average we’ve measured is approaching a thousand – 935 to be exact. This is not surprising when you consider that entire corporate functions are doing business in the cloud, including HR, finance, sales, engineering, and marketing. The second challenge is determining whether there’s risk, and this raises several important questions: Are apps being used for exfiltration of intellectual property? Is regulated data being uploaded to unsanctioned or unsecured cloud apps? Answering and addressing these questions is an important concern. The third challenge involves protecting data and ensuring compliance in those apps. Since over half of all cloud traffic originates from outside of a browser and from remote users, it’s hard to put contextual policies in place that do the practical and necessary task of preventing exfiltration of sensitive data or governing activities like share, upload, edit, download, delete, and so on. The fourth and final challenge is stopping or responding to threats that propagate in the cloud. Popular apps like Box, Dropbox, Google Drive, and OneDrive are being used to infect users, spread malware, perform command and control functions, and host exfiltrated data. Because many companies don’t inspect the SSL traffic of many popular apps, it’s easy for malware to fly under the radar of traditional tools like Web proxies and firewalls. These are all challenges that cloud access security brokers (CASBs) address.

EA: What are the deployment challenges CISO teams typically have in making cloud-hosted applications available to their users?

SB: Many of the features that make cloud-based applications so attractive, such as sync, share, and ease of collaboration, are the very things that put corporations at risk when it comes to cloud usage. But rather than not allow users and lines of business to deploy those applications, which is not an option, information security teams need to enable them. This means putting the proper admin controls in place, complete with separation of privileges, ensuring that only authorized users on appropriate devices have access, and that organizations can govern specific activities that users can and can’t do. This also includes things like sharing, uploading, downloading, editing, approving, deleting, and more. These are often decisions that get thought about after the application deployment takes place.

EA: What do you see as the best approaches to steering cloud app traffic to users? Does this require coordination with the ISP?

SB: When it comes to steering traffic from the user through a policy enforcement point and then to the cloud app and back again, flexibility is key. Organizations need to satisfy any number of cloud security use cases now and in the future, which requires a variety of deployment modes, from proxy to API to secure TAP mode to log-based discovery. At Netskope, we call this a multi-mode architecture. Using a combination of modes enables you to get the most out of your cloud security provider or CASB. For example, one powerful technique involves using information garnered from e-discovered sensitive data in a sanctioned app, via the app’s API, to inform real-time, in-line policies that catch data exfiltration to unsanctioned apps in proxy mode. In fact, three-fourths of Netskope customers deploy in multi-mode. In-line deployments require global points of presence and peering relationships with key service providers. This is something you should require of your cloud security provider or CASB.

EA: What are the pros and cons of doing cloud app security as an on-premises device versus a cloud hosted capability?

SB: Several large, regulated organizations – this includes some of the largest banks and energy companies – have chosen to deploy cloud cyber security on-premises or in hybrid mode, with some portions remaining on-premises, on their journey to the cloud. Some view this as an interim step and others view it as longer-term. For organizations that process user data and are beholden to strict privacy and data residency requirements, such as ones serving European Union customers, the on-premises or hybrid model may be the right choice. That said, many organizations have chosen the cloud model because of its inherent benefits and flexibility, and then addressed their privacy and data residency concerns by choosing cloud providers with in-region cloud locations and the required security and privacy certifications. The advantage of deployment flexibility is you can enable any use case, irrespective of whether users are on-premises, remote, or mobile, all without having to hairpin cloud traffic back to the corporate network.

EA: This might seem like a dumb question, but do you find that most CISO teams even know what applications are available to their users in the cloud? And yes, I guess the question also extends to whether most CISO teams even know what applications they have?

SB: They are coming around to the fact that there are a lot of applications in use in their organizations, but don’t yet appreciate the sheer number, breadth of usage, amount of data, level of spend, and creation of data silos and complexity. Many information security teams think of cloud in terms of Dropbox and Twitter, but don’t realize that HR is using cloud apps to onboard and track employees; Finance is using them to authorize payments, do payroll, and visualize key business metrics; Development is using them to build product, collaborate on roadmaps, and manage bugs; Marketing is using them to generate leads and develop pipeline; Sales is using them to track and close deals; Customer Support is using them to measure customer projects and gauge satisfaction; and on and on. Quite simply, cloud apps are the way we work today.

EA: What sort of telemetry and details are useful for security teams to collect regarding cloud app usage?

SB: To truly gauge risk and govern usage in a smart way, information security teams need to collect and correlate security metadata about the who, what, when, where, with whom, and with what content of all cloud transactions, whether in a sanctioned app or an unsanctioned one. For example, they need to know if anyone in the AD group ‘insiders’ has shared sensitive financial information outside of the company; or if anyone in Customer Support has downloaded customer data from any CRM app to a personal device; or if any unauthorized developer has uploaded a workload to an IaaS; or whether anyone outside of the HR team has edited salary data; and so on. By combining and correlating details about the user, group, attribute, device, OS, device classification, location, app, app category, app risk, content type, content profile, recipient, and recipient’s company, security teams can get a deterministic view about whether a security incident really occurred and what the steps are in the audit trail before and after the event. Beyond forensics, they also need to incorporate those same granular details into controls to enforce policies such as “No access to Office 365 for BYOD devices,” “No sharing if you are an ‘insider’ and the recipient is outside of the company,” and “No editing financial data if you are not an authorized user in the Finance group.”

EA: You are a cyber security industry veteran, so what sort of trends do you see in the protection of enterprise assets? Are things getting more secure?

SB: In the history of information security, threats have always followed users and data. I know that sounds simple and obvious, but it is important. Enterprise data are moving to cloud apps and environments more than ever, and as a result, enterprises now have hundreds of virtual, shadow IT departments. Similarly, users are performing the bulk of their transactions outside of the corporate perimeter, doing their work remotely on mobile devices, going directly to the cloud or Web without transiting their corporate firewall or security infrastructure. There is no reason these natural trends should make enterprises less secure. Enterprises must shift their thinking from ports and protocols to decoding APIs – the language of today’s cloud and Web, which articulates user activities like share, download, edit, and more. Similarly, they need to use that understanding to develop security policies that enable apps while curbing risky activities, rather than blocking apps altogether. What’s required is a new breed of security solution that is API-aware, cloud and remote user capable, and can enable the business in a more nuanced way rather than forcing IT down the binary path of allow or block.