Step-by-step Guide for Keeping Your Cloud Applications Secure
Check out Lisa Rom's Cloud application security checklist featured in DZone's latest Guide to Building and Deploying Applications on the Cloud and learn more about how to make the move to the cloud with confidence.
While cloud adoption is accelerating rapidly, security and data privacy professionals are stretched to the limit keeping up. Two questions come up again and again: "How do I ensure data in the cloud is secure?" and "Which cloud applications can I trust with my business-critical information?" Cloud apps reside outside the perimeter, typically hosted by third parties, and so require a different breed of security solutions that follow the data, the application, and the user. Let’s explore a step-by-step cloud protection plan to help you develop a model suitable for protecting your valuable data from breach and exfiltration.
Step 1: Discovery
- Are employees using software applications your IT department doesn’t know about? Yes, they are!
- Use cloud app detection tools to identify what’s being used (by whom and how often) and whether critical corporate data is involved.
- Consider a Cloud Access Security Broker (CASB) solution; challenge the vendor to provide a Shadow IT Assessment to learn just how big a shadow IT problem you are contending with.
Step 2: Risk Assessment
- How do you know which apps present the biggest risk? It’s the good cloud/bad cloud challenge: you need to know which apps to sanction, monitor, or block.
- Consider a rating system to identify cloud app risk attributes—this will help focus your protection in the right places. (https://technet.microsoft.com/en-us/magazine/hh750397.aspx)
- Hint: make sure the rating and reporting system can readily upload, anonymize, compress, and cache log data for shadow IT analysis and easily deliver automated risk assessment reports.
Step 3: User Coaching
- Do all your employees know about common cybercrime tactics?
- Do your developers and other IT staff know the OWASP Top 10? The Cloud Controls Matrix?
- Reduce the Gilligan effect (remember Gilligan’s Island? Gilligan caused damage unknowingly everywhere he went). There’s always a Gilligan, but security awareness training will lessen the effect.
- A constant set of reminders plus more formalized quarterly training is a simple, low-cost way to reduce the risk of malware.
Step 4: Policy Enforcement
- Security policy enforcement must be highly granular and real-time. Both are harder to achieve for cloud applications.
- Set policy controls based on user activity, using tools and business rules that are content and context aware based on user group, device, location, browser, and agent.
- Consider using a secure web gateway (on-premise, public cloud, or hybrid), plus an integrated CASB solution with advanced data loss prevention (DLP).
Step 5: Privacy & Governance
- How are you addressing privacy and governance? Data in the cloud requires unique data-centric security policies.
- Appropriate encryption is essential in any context. But for cloud security in particular, tokenization (substituting a non-sensitive surrogate value for the sensitive data, with the mapping held in a secure lookup table) can be especially practical.
- Hint: make sure encryption doesn’t impact application functionality like searching, sorting, reporting, and emailing. If encryption makes any of these significantly more difficult, then users will figure out how to avoid it.
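As an added illustration of the tokenization point above (example code written for this page, not from the article or any vendor product): a hypothetical in-memory vault that swaps sensitive field values for format-preserving surrogate tokens before a record is sent to a cloud app, keeping the real values in a lookup table that stays inside your own environment, so that sorting, grouping and reporting on the tokenized field still work.

```python
import re
import secrets

# Constructed example of a tokenization vault. Sensitive values are swapped
# for random surrogates before records leave for a cloud app; the only copy
# of the real value stays in the vault's lookup table (your trust boundary).
DIGITS = "0123456789"
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


class TokenVault:
    def __init__(self):
        self._token_to_value = {}   # the "secure lookup table"
        self._value_to_token = {}

    def _random_token(self, value):
        # Format-preserving: a run of 8+ digits (card/account number)
        # keeps its length and last four digits, so reports and sort
        # order still work; anything else becomes a same-length slug.
        if re.fullmatch(r"\d{8,}", value):
            body = "".join(secrets.choice(DIGITS) for _ in value[:-4])
            return body + value[-4:]
        return "".join(secrets.choice(ALNUM) for _ in value)

    def tokenize(self, value):
        if not value:
            raise ValueError("nothing to tokenize")
        # Deterministic per value: the same input always yields the same
        # token, so grouping and searching by token remain possible.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_token(value)
            # Reject collisions and the (unlikely) identity token.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Raises KeyError for a token that was never issued.
        return self._token_to_value[token]


def tokenize_record(vault, record, sensitive_fields):
    # Return a copy of the record with only the named fields replaced;
    # this copy is what would be handed to the cloud application.
    return {k: (vault.tokenize(v) if k in sensitive_fields else v)
            for k, v in record.items()}
```

A production vault would persist the table in an access-controlled, audited store; the structure of the operations is the same.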
Step 6: Encrypted Traffic Management
- How are you addressing SSL and other forms of encrypted traffic to/from the cloud? And maintaining privacy while selectively decrypting for security reasons?
- How are you measuring the impact of SSL/TLS on application performance? On payload visibility to internal security professionals?
- Tip: for industries whose traffic is more than 50% encrypted (like financial services and healthcare), policy-based traffic decryption may require a dedicated SSL visibility subsystem and/or specialized network architecture.
Step 7: Incident Response
- How do you identify and quickly respond to malicious activity?
- Avoid the "car alarm syndrome"! Too many false alarms and alerts can be "needles hiding in needles" in the haystack.
- Innocent logs are hard enough to unpack. Malicious software deliberately tries to hide its tracks, and low-level complexity introduced by cloud deployment makes intuitive human interfaces especially key for incident response (e.g. free-form search, visualization, filtering, and integration with 3rd party SIEM systems).
In conclusion, even if you’re not ready to make a big investment in a CASB solution, it’s time to start managing cloud risk. To learn more about how to move to the cloud with confidence, view this webcast: http://dc.bluecoat.com/Forrester_Webinar.