Table of Contents
Chapter 10: Quantifying the Value of a Cloud Access Security Broker Page 36
KEY STAT: 60% OF CIOS ARE MAKING THE CLOUD THEIR #1 PRIORITY THIS YEAR
The cloud (SaaS, PaaS, and IaaS) is transforming business for the better, making employees more productive and businesses more agile. As the cloud market matures, analysts and market researchers are discovering hard data supporting the benefits of the cloud for enterprises. The latest numbers from Vanson Bourne Research show that the cloud is providing organizations with a 21% reduction in product time to market, a 17% reduction in IT maintenance costs, a 15% reduction in IT spend, and an 18% increase in employee productivity.[1] With these types of metrics in hand, it's no surprise that 60% of CIOs state that the cloud is their #1 priority this year.[2]
[1] http://venturebeat.com/2012/08/07/google-cfo-cloud-study/
[2] http://www.businessinsider.com/infographic-its-not-easy-to-be-a-cio-2012-2#!HqX9i
[3] http://www.opendatacenteralliance.org/docs/1264.pdf
Cloud services are incredibly easy to adopt, with most requiring only an email address or a credit card to sign up. The result is that individual users and business units often begin using cloud services without any involvement from IT. The benefit is that users and business units are able to readily and rapidly adopt services that drive productivity and agility for the business. The downside is that IT often has little to no visibility into the full scope of cloud services employees are using. Without visibility, it becomes very difficult for IT to manage both cost and risk in the cloud.
With regard to visibility, Gartner says that enterprises must protect their sensitive data for various commercial and legal reasons. Regardless of whether the cloud services in use are shadow IT or sanctioned IT, businesses need visibility into which services employees are using, what data is stored in them and shared from them, any anomalies in usage behavior that indicate a compromised account, and who is using each service and from which devices and geographies.
Enterprises must also ensure that they don't cross a perceived ethical or legal privacy boundary when monitoring the use of cloud services. For example, the same methods that can be used to monitor sanctioned cloud services could also be used to monitor personal Facebook or Instagram accounts. Requirements for privacy may vary greatly in different verticals and geographies.
[5] Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
[6] Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
2. Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
6. How do I quantify the risk from the use of cloud services and compare it to peers in my industry?
8. What are the security capabilities of the services storing sensitive data?
12. How do I track and log all user and admin actions for compliance and investigations?
Today's enterprises have deployed cloud services to support CRM, ERP, HR, collaboration, and backup operations. Applications like Salesforce, ServiceNow, Workday, Box, and Office 365 support mission-critical business functions, and because of this they often house sensitive or confidential information, such as customer data, financial data, employee data, IP, or security infrastructure data. Locating this type of data in the cloud is not a rare event; in fact, it is now commonplace.
[7] Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
Gartner:
- Answering the who, what, when, why, and where questions with provable data for various compliance regimes.
- Enabling integration within the enterprise by supporting log generation that can be used with existing SIEMs.
While the cloud provider is responsible for the security of their product, compliance
is based on a shared responsibility model, whereby the enterprise using the cloud
service must also take measures to maintain the privacy of employee and
customer data. Within the enterprise, users, IT/Security, and Audit/Compliance all
share responsibility for compliance.
1. Which applications house sensitive data subject to regulatory compliance?
2. What are the security capabilities of the services housing sensitive data?
4. Which employees are accessing sensitive data, and how are they using or sharing it?
5. Which employees are uploading sensitive data to high-risk services?
6. Which administrators have behavioral anomalies that indicate excessive privilege access?
7. When is sensitive data uploaded to the cloud, and what action should be taken (allow, block, quarantine, encrypt)?
9. How do we implement a closed workflow to review, remediate compliance violations, and educate violators?
10. Is sensitive data kept in a specific country or region to comply with international data residency requirements?
Cloud services, like on-premise systems, can be the target of attacks aimed at
stealing corporate data or damaging the business. Attacks typically leverage the
cloud in one of two ways: they use cloud services as sources of sensitive data to
steal, or they use cloud services to exfiltrate stolen data.
[9] Skyhigh Networks Cloud Adoption and Risk Report: Q3 2014
[10] Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
Attackers also increasingly look upon cloud services as a clever way to exfiltrate
data under the radar. With the average company using almost 900 cloud services
today and IT often not having visibility into their usage, attackers know that
unmanaged cloud services can be a fertile territory for malicious behavior and
frequently use popular and seemingly harmless services to execute their operations.
[11] Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
1. What does normal behavior for any given service look like?
2. How does a user's role affect their normal cloud service usage patterns?
4. Which users are accessing large volumes of sensitive data?
6. Which cloud services have behavioral anomalies that indicate insider threat?
7. Which cloud services have behavioral anomalies that indicate malware at work?
9. Which cloud services in use are rated as high-risk and have an anonymous use policy?
As many a CIO and CISO will tell you, IT security today is all about protecting data, not data centers, and this is largely a product of the cloud. When considering data security, it can be helpful to examine both the security of the service the data lives in and the security of the devices that have access to the data.
Some cloud services have security capabilities that far exceed most corporate data centers. However, with over 10,000 cloud services available today, there is a large variation in the security capabilities offered. The good news is that an increasing number of cloud services are investing in security, but a larger number still do not offer even basic security features. Only 17% of cloud services provide multi-factor authentication, only 5% are ISO 27001 certified, and only 11% encrypt data at rest. For this reason, it is important to look at the risk of services individually and enable risk-based policies on acceptable usage.[12]
In services with high levels of built-in security, users and their devices can often be the weakest link. Users frequently lose devices or leave them in insecure locations, and are prone to losing passwords as well. 12% of employees have at least one corporate identity (username and password) for a cloud service that has been compromised and is for sale on the darknet (online black markets) today.[13]
[12, 13] Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
[14] Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
1. Which cloud services encrypt data at rest and provide multi-factor authentication?
2. What are the compliance certifications of the services employees are using?
3. Which of our cloud services undergo regular penetration testing?
4. Which of our cloud services has been compromised in the last week, month, year?
6. How do we encrypt data while maintaining required functionality within cloud services?
7. How do we encrypt data while controlling our own encryption keys?
8. How do we employ tokenization to ensure data privacy in addition to security?
9. How do we enforce access policies based on user, device, and location?
When employees and departments deploy SaaS applications, it can also reduce the burden on IT help desks to take calls. However, while IT is no longer responsible for the physical infrastructure or even for managing the application, it's still responsible for ensuring security and compliance for the corporate data employees upload to cloud services. Instead of seeing shadow IT as a threat, Ralph Loura, CIO of HP Enterprise, sees it as an opportunity to leverage employees to identify the applications they want to use, so IT can enable the ones that have gained traction and are enterprise-ready.
[15] http://www.forbes.com/sites/tomgroenfeldt/2013/12/02/40-percent-of-it-spending-is-outside-cio-control/
[16] Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
1. Log-based visibility into all users, services (SaaS, PaaS, IaaS), and data transfers
2. On-premise tokenization of log data for security and privacy
3. Comprehensive cloud registry covering a minimum of 10,000 cloud services
4. Detailed risk assessments provided for all cloud services
6. Ability to audit the effectiveness of firewalls and proxies at enforcing policies
11. Ability to leverage policies from on-premise DLP systems and extend them to cloud services
12. Ability to quantify cloud risk, compare it to benchmarks from peers in the industry, and track it over time
13. Anomaly detection across all services to identify insider threats or security breaches
14. Ability to identify unmatched uploads for further investigations
16. Darknet intelligence to identify stolen credentials of employees

3. Ability to identify all third-party applications accessing CRM services and their data
12. Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol
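The following is an added example, not code from this guide or from any CASB product, showing the mechanics behind the log-based visibility, on-premise log tokenization and unmatched-upload capabilities listed above: it parses constructed proxy-log lines, matches each host against a constructed registry with hypothetical risk ratings, pseudonymizes usernames with a keyed HMAC before aggregation, totals bytes uploaded to high-risk file-sharing services, and collects hosts the registry does not know for follow-up investigation.

```python
import hmac, hashlib
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed registry: domain -> (service, category, risk). Hypothetical ratings.
CLOUD_REGISTRY = {
    "box.com": ("Box", "file-sharing", "low"),
    "sharefast.example": ("ShareFast", "file-sharing", "high"),
    "salesforce.com": ("Salesforce", "CRM", "low"),
}
TOKEN_KEY = b"on-premise-secret"  # hypothetical key that never leaves the enterprise
def tokenize_user(user):
    """Keyed pseudonym: stable per user, not reversible without TOKEN_KEY."""
    return hmac.new(TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]

def registry_lookup(host):
    """Match the host or any parent domain (upload.box.com -> box.com)."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        hit = CLOUD_REGISTRY.get(".".join(parts[i:]))
        if hit:
            return hit
    return None

def analyze(lines):
    """Constructed proxy format per line: ts user method url status bytes_sent bytes_recv.
    Returns ({(service, category, risk, user_token): bytes_uploaded}, unmatched hosts)."""
    uploads, unmatched = defaultdict(int), set()
    for line in lines:
        _ts, user, method, url, _status, sent, _recv = line.split()
        if method not in ("POST", "PUT"):  # only count upload traffic
            continue
        host = urlsplit(url).hostname
        svc = registry_lookup(host)
        if svc is None:                    # not in registry: flag for investigation
            unmatched.add(host)
            continue
        uploads[svc + (tokenize_user(user),)] += int(sent)
    return dict(uploads), unmatched

def high_risk_upload_bytes(uploads, category="file-sharing"):
    """Total bytes sent to services of the given category that are rated high-risk."""
    return sum(b for (_, c, r, _), b in uploads.items() if c == category and r == "high")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1420070400 alice POST https://upload.box.com/api/2.0/files/content 200 524288 512
1420070460 bob POST https://sharefast.example/up 200 10485760 300
1420070520 alice PUT https://sharefast.example/up 200 5242880 300
1420070580 carol GET https://www.salesforce.com/home 200 400 20480
1420070640 dave POST https://unknown-app.example/upload 200 2097152 100""".splitlines()
```

Because usernames are replaced by keyed tokens before aggregation, the per-user totals can be reviewed or exported without exposing identities, while the key holder can still resolve a specific token when an investigation requires it.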
File-sharing and collaboration services like Office 365, Box, Dropbox, Google Drive, and Jive are incredibly popular. The average company uses 27 file-sharing services and 45 collaboration services today, which may actually impede collaboration.[17] The security controls of file-sharing and collaboration services can vary widely, so organizations must also evaluate the services to understand the risk they present to the organization. Some services claim ownership of your data, don't encrypt data at rest, or permit anonymous use, making them unsuited for enterprise use.
[17] Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
In addition to the security risk, companies must evaluate the compliance risk as well. 22% of files uploaded to file-sharing cloud services contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; or PHI (protected health information) such as medical record number or health plan beneficiary number. Organizations must ensure that their valuable data is protected and that the use of file-sharing and collaboration services is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.
[18] Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
3. Ability to identify all third-party applications accessing file-sharing and collaboration services and their data
5. Ability to identify sensitive data subject to compliance requirements or security policies
7. Out-of-the-box DLP templates for all major verticals and regulations to help identify sensitive content
9. Behavioral modeling of normal user and admin activity within the file-sharing and collaboration services
12. Ability to identify all externally shared data and view sharing permission details
14. Ability to coach users on acceptable use when in violation of security, compliance, and governance policies
16. Ability to encrypt data with peer- and academia-reviewed encryption schemes
18. Ability to deploy in the cloud, on-premise as a virtual appliance, or in a hybrid architecture
KEY STAT: NINETY PERCENT OF SAAS ADOPTERS EXPECT SAAS TO CONSTITUTE MORE
THAN 50% OF THEIR SPENDING ON ENTERPRISE APPLICATIONS BY 2018, CREATING
SIGNIFICANT NEED FOR CASB PROVIDERS. (GARTNER)
With cloud adoption accelerating every year, enterprise IT is looking for ways to
partner with the business to enable secure utilization of the cloud. Increasingly,
these enterprises are turning to a new breed of technology, referred to by Gartner
as Cloud Access Security Brokers (CASB), in order to do this.
Gartner analysts Neil MacDonald and Peter Firstbrook first defined the Cloud Access Security Broker category in May 2012 in their report, "The Growing Importance of Cloud Security Brokers." Other firms, such as Forrester, Securosis, and 451 Research, have defined similar categories, alternatively referring to the technology as Cloud Security Gateways and Cloud Access Controllers. Since then, Gartner has elevated the importance of CASB and now lists it as #1 in the top ten technologies for information security.[19]
[19] http://www.information-age.com/technology/security/123458169/gartners-top-10-security-technologies-2014
1. Can I identify all of the cloud services employees are using and assess the risk of each service?
4. Does the data being shared contain sensitive information such as PII, PHI, or financial data?
6. Which devices and locations are users accessing cloud services from?
9. Can I detect compromised cloud service accounts and prevent malicious behavior?
A common element of all Cloud Access Security Brokers is they interject security controls by brokering access to a cloud
service. This enables IT to securely enable the use of cloud services within their organizations without compromising
compliance or security. By bundling security functions with a single enforcement point, CASBs also reduce the complexity
of securing data in the cloud.
[20] Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
A Cloud Access Security Broker can provide value across two axes: cost savings and risk reduction. Within cost savings there are six primary areas of cost reduction:
1. Reduction in manual efforts required to analyze log data for cloud visibility
2. Streamlined security assessments for cloud services
3. Elimination of unapproved IaaS usage
4. Subscription consolidation
5. Elimination of orphaned subscriptions
6. Accelerated response to breaches and vulnerabilities
[Chart: Average Reported Savings in Each Savings Category. Values shown: $530,001, $266,000, $36,800, $186,250, $276,000, $219,200; total $1,514,251.]
[21] Quantifying the Value of a Cloud Access Security Broker. Skyhigh Networks. 2014
[Chart: Monthly Data Sent to High-Risk File Sharing Services: 16GB vs. .5GB, a 97% reduction.]
[22] How 200 Enterprises Flipped Shadow IT from Concern to Opportunity. Jim Reavis, Brandon Cook. 2014
When evaluating different CASB vendors, there are several factors IT leaders must consider. In addition to understanding whether the capabilities offered match the business requirements, IT leaders must determine whether the deployment model fits their organization. For example, organizations should consider whether they want their CASB to be cloud-based, or whether they prefer to manage all of the infrastructure and maintenance of an on-premise solution themselves.
Many CASB vendors are emerging and have not yet deployed their solution at
scale. This may be acceptable to a smaller organization, but this is likely to be an
area of concern for a larger enterprise. To get started, Gartner offers a
framework for evaluating CASB vendors organized around the types of cloud
services the enterprise is aiming to enable. This framework is provided below for
your reference:
[23] Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014