Deploying and Managing Security in the Cloud
An Osterman Research White Paper
Published May 2017
Sponsored by Forcepoint

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 206 683 5683 • [email protected]
www.ostermanresearch.com • @mosterman

©2017 Osterman Research, Inc. 1

EXECUTIVE SUMMARY

More and more sensitive and confidential corporate data, as well as an increasing number of IT capabilities that traditionally have been managed using on-premises infrastructure, are moving to the cloud. The survey conducted specifically for this white paper found that the vast majority of organizations store sensitive data in the cloud. As shown in Figure 1, when organizations were asked how much of their sensitive corporate data is stored in cloud-based services like Salesforce, Office 365, Dropbox, etc., 92 percent responded that at least some of their sensitive data is stored in the cloud.

Figure 1
Proportion of Sensitive Corporate Data Stored in the Cloud

Source: Osterman Research, Inc.

The large and growing proportion of sensitive corporate data stored in cloud services and other repositories necessitates a substantially new way of thinking about security. Traditional, perimeter-focused security models that sufficed for an on-premises world simply don’t work in a cloud-centric reality, and decision makers must address new and innovative ways of protecting their corporate data that now resides on-premises, on mobile devices, and in the cloud.

KEY TAKEAWAYS

• Organizations face a variety of challenges when choosing, planning for and deploying security solutions in the cloud – and the process of evaluating options is becoming more, not less, difficult over time.

• The cloud introduces new capabilities of significant benefit to organizations of all sizes, but also a new set of attack vectors that need to be mitigated.

• The old, “tried and true” approach of guarding the network and erecting perimeter defenses is tried, but no longer true in the cloud era. IT capability is increasingly delivered outside of the network via cloud and hybrid cloud architectures, and the changing threatscape increasingly targets vulnerabilities in applications (e.g., zero-day exploits) and people (e.g., social engineering).


• A unified approach to security in the new era of cloud and hybrid cloud approaches is the only way that organizations will be able to mitigate risk, meet compliance requirements, reduce vulnerabilities, and stop data breaches and unauthorized access to customer and corporate data by malicious actors.

ABOUT THIS WHITE PAPER

This white paper was sponsored by Forcepoint; information on the company and its relevant offerings is provided at the end of this paper. The white paper also includes selected data points from an extensive survey that was conducted for it – the complete results of the survey will be published in a separate document.

SECURITY CHALLENGES IN THE CLOUD

As organizations move an increasing proportion of IT capability out of their own data centers and into cloud services, the challenge of security is ever-present. Many of the current security concerns facing organizations using on-premises IT capabilities are amplified with cloud services, and a new set of challenges is introduced to the mix. Organizations face a long list of security threats in the cloud, but simultaneously face a significant number of barriers to cloud adoption, as shown in Figure 2.

Figure 2
Barriers to the Adoption of the Cloud
Percentage of Organizations Indicating Issue is a Barrier

Source: Osterman Research, Inc.

DATA BREACHES AT CLOUD PROVIDERS

The aggregation and concentration of data – in all its forms – makes cloud providers an attractive target to attack. While cloud providers generally have better security capabilities than most organizations and suffer fewer data breaches as a result, a successful data breach can open an organization to stiff financial penalties, regulatory fines, loss of customer confidence, and declining competitive market positioning, among other significant consequences. Yahoo! has been in the news recently with two massive data breaches in 2013 and 2014 (both covering up to 1.5 billion user accounts), one of which took over three years to disclose. Dropbox, a commonly used cloud storage service, had 60 million accounts taken in a data breach in 2012. When they do happen, data breaches at cloud providers involve huge numbers.


When a cloud provider is breached and its customers’ data is accessed by unauthorized parties, mandatory data breach notification laws are in force in an increasing number of countries. Europe's General Data Protection Regulation (GDPR) comes into force in May 2018, continuing the data breach notification requirements of the earlier directive, while introducing severe financial penalties for failure to protect customer data. Almost all states in the United States have data breach notification laws. The Australian government has recently passed a data breach notification extension to its Privacy Act. Finally, industries such as healthcare have data breach notification requirements, as well.

UNAUTHORIZED ACCESS TO CORPORATE INFORMATION

There is a persistent threat that corporate information stored in cloud services can be accessed by unauthorized parties. This can result from several vectors, such as malicious outsiders using social engineering to wrangle an invite to a collaborative account, improper access settings within the cloud infrastructure leading to access management vulnerabilities, and permissions that don't transfer properly when a cloud-based application automatically flows to a different region for better usage rates. It can also happen when the cloud provider has not properly implemented controls to prevent tenants sharing a multi-tenant cloud service from gaining access to each other’s data (commonly called data leakage).

REGULATORY COMPLIANCE CHALLENGES

Regulatory compliance can be more challenging when using cloud services, particularly as related to the physical location of where data is actually stored. For example, the growing set of regulations across the world intended to protect customer data do so by mandating specific storage locations. In some countries, similar controls are applied to where financial data is physically stored. One implication of such regulatory environments is that organizations actually need to know where data is going to be stored in advance of adopting cloud services, and even include provisions for data sovereignty in contracts. Some cloud service providers use the “without involvement from IT” approach as a Trojan horse strategy to get widespread adoption among employees, so they can then sell an administrative license to the organization in order to manage the content and meet regulatory compliance requirements. From an organizational perspective, this is merely a means of forcing payment, and it can force an organization down a cloud service path that is not in its best overall interest nor aligned with strategic mandates or regulatory compliance schemes.

PRODUCTIVITY-FOCUSED, WELL-INTENTIONED…AND RECKLESS EMPLOYEES

Many employees operate under relentless daily pressure to be productive, to meet deadlines, and to deliver their work ever faster and better. In such organizational cultures getting quick and convenient access to cloud services is a boon to productivity, even though doing so normally violates corporate security policies and is outside of IT's line of sight. Before long, employees have migrated much of their day-to-day content away from authorized IT services, and are storing and sharing customer and organizational data freely on cloud services with a questionable security posture. Several other challenges at play often tend toward the reckless and lackadaisical. Employees revolt against complex and revolving password policies with simple tricks to aid memorization (e.g., appending the year and month to their standard password), or just write them down on a Post-It Note stuck to their screen. Devices are left unlocked and unattended in work and non-work settings (e.g., the airport lounge), enabling the quick-fingered to gain access or steal the device itself. Equally, employees setting up cloud services may not do the simple things to harden the security defenses, such as changing default passwords. Finally, use of public Wi-Fi networks is extremely convenient, but can carry risks of unauthorized data access.


BUSINESS TEAMS PRESSURING IT SECURITY TO MOVE FASTER

Employees acting alone or in small ad-hoc groups are one force inside the organization driving the use of cloud services. A more organized force is where business groups pressure IT security teams to allow fast and convenient access to data and applications, and quick access to Software-as-a-Service (SaaS) offerings without getting tied up in what's viewed as irrelevant “security red tape.” When IT security teams don't respond quickly enough, business groups go off and do their own thing. The proliferation of shadow IT cloud services creates security visibility problems and increases the threat surface area for data breaches and non-compliance. The survey conducted for this white paper found that in nine percent of the organizations surveyed, line-of-business management is able to identify and deploy a new cloud application for business use on their own without the involvement of IT.

“LIFT-AND-SHIFT” MIGRATIONS

An important security issue occurs during many “lift and shift” migrations – a common type of migration that occurs when a workload/virtual machine migrates to the cloud. Given that an organization may have managed a workload on-premises for many years and has significant experience in managing the security systems that protect it, it is essential that as the workload is moved to the cloud the same level of security is applied. Decision makers will need to apply the same level of security to the cloud-based workload as they did when it was managed on-premises, and may have to come up to speed on cloud-based security capabilities about which they may not have deep expertise.

EASE OF USE AND USER FRIENDLINESS OUTWEIGH SECURITY CONSIDERATIONS

Security considerations play second fiddle to the desire for ease of use and user friendliness when selecting apps. Employees see the promise of fast and effective collaboration with internal colleagues and external customers and partners, and move ahead quickly; since “everyone else” is doing it, it must be all right. And the cloud provider's representation of “great security” is a good enough warrant to proceed for those uninformed on the nuances of data security, encryption, and compliance mandates. When it is faster to spin up a cloud service for a particular business project compared with going through the internal IT provisioning process for an “approved” service, it's no wonder that cloud services often win. Cloud services often have easy-to-use capabilities that rely on obscurity as a substitute for security. Open sharing links in Box, Dropbox and OneDrive for Business, among other sync-and-share services, are a perfect example. The user sending the sharing link doesn't have to specify any authentication requirements, and all they need to send to their collaborators is a URL (composed of a complex collection of letters and numbers). However, anyone with access to the URL can get access to the associated file or folder; there is no real security implemented over the content, thereby leaving the content potentially open to anyone.

MISTAKES AND UNFORESEEN VULNERABILITIES BY CLOUD SERVICE PROVIDERS

Cloud service providers themselves make mistakes that create security vulnerabilities, and inadvertent mistakes in daily coding decisions can have significant impacts on cloud services. For example, in February 2017, a spelling mistake in the code at Amazon Web Services caused a five-hour outage that reverberated across the online world. Similarly, a code update at Dropbox a few years ago eliminated the need for password authentication for several hours, rendering it possible for anyone to access any Dropbox account and all of the information stored inside. Code updates to deliver new, user-friendly capabilities in cloud services can create unforeseen security vulnerabilities that come to light only after data has been breached. Box, for example, has had several situations in which customer content has been inadvertently indexed by search engines and made accessible to people who were not authorized to access that material, requiring code remediation by Box to remove the vulnerability.

DISCONNECTED ISLANDS OF IDENTITY

Cloud services are normally protected with a username and password, but unless IT has federated identity, these new identity credentials are separate and disconnected from the organization's primary identity and access management system. While an employee may use the same username and password across on-premises and cloud services, the identity systems are completely separate with no connection or linkage. When an employee leaves the organization due to being terminated or going to a new firm, his or her main user account should be closed, but any cloud services without identity integration will remain valid and active, potentially giving future customer data to an aggrieved ex-employee (if terminated) or a newly competitive one (if he or she is joining the competition). A linked risk is that if the identity credentials at the cloud service are compromised, the same username and password combination can then be used to gain official-looking, but malicious, access to other organizational systems. The system for managing identity credentials and access rights is one of the crown jewels of an organization, and many organizations are wary about a wholesale migration of their identity store to the cloud, particularly those with a hybrid environment. Organizations should have one identity system that works across all connected services, whether delivered on-premises or in the cloud, and tightly control updates to the store and changes to employee and contractor status over time.
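Until identity is federated, the offboarding gap described above can at least be detected by reconciling each cloud service's account export against the HR roster. The following is an added example, not code from the white paper or from Forcepoint; the roster, the two service names, and the "status", "end_date" and "enabled" fields are all constructed for illustration.

```python
"""Added example (not from the white paper): reconcile per-service cloud
account exports against the HR roster to surface the disconnected identities
described above. All rosters, services and field names are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: the organization's authoritative identity source.
# "end_date" is the last valid day for contractors; None means open-ended.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "end_date": None},
    "bob@example.com": {"status": "terminated", "end_date": date(2017, 3, 31)},
    "carol@example.com": {"status": "contractor", "end_date": date(2017, 6, 30)},
}

# Constructed account exports from two un-federated cloud services. Each
# service keeps its own copy of the identity, so nothing here changes when
# HR updates a record.
CLOUD_ACCOUNTS = {
    "crm": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "bob@example.com", "enabled": True},
    ],
    "file-share": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "bob@example.com", "enabled": False},
        {"user": "carol@example.com", "enabled": True},
        {"user": "dave@example.com", "enabled": True},  # unknown to HR
    ],
}

# Review date for the constructed data; a real run would use date.today().
AS_OF = date(2017, 7, 1)


@dataclass(frozen=True)
class Finding:
    service: str
    user: str
    issue: str  # "orphaned-terminated", "expired-end-date" or "no-hr-record"


def reconcile(hr_roster, cloud_accounts, as_of):
    """Return one Finding per enabled cloud account that the HR roster says
    should not exist: terminated staff, contractors past their end date, and
    identities with no HR record at all (shadow or external accounts)."""
    findings = []
    for service, accounts in cloud_accounts.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already disabled at the service; nothing to do
            record = hr_roster.get(acct["user"].lower())
            if record is None:
                findings.append(Finding(service, acct["user"], "no-hr-record"))
            elif record["status"] == "terminated":
                findings.append(Finding(service, acct["user"], "orphaned-terminated"))
            elif record["end_date"] is not None and record["end_date"] < as_of:
                findings.append(Finding(service, acct["user"], "expired-end-date"))
    return findings


def summarize(findings):
    """Count findings per issue type, for the report to IT security."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, CLOUD_ACCOUNTS, AS_OF):
        print(f"{f.service:12} {f.user:20} {f.issue}")
    print(summarize(reconcile(HR_ROSTER, CLOUD_ACCOUNTS, AS_OF)))
```

Run against real exports, the "no-hr-record" findings are the ones that reveal shadow accounts and external collaborators the identity store has never seen.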
MALWARE, RANSOMWARE AND BEC

Email-borne attacks, such as malware, ransomware, and CEO Fraud/Business Email Compromise (BEC), are becoming more commonplace, with a major increase in activity seen across these attack vectors over the past 12 months. Malware provides a mechanism for quietly exfiltrating data for onward sale or financial leverage, ransomware a way of demanding payment for regaining access to encrypted files, and CEO Fraud/BEC a method of extracting valid-looking payments by masquerading as a senior executive or trusted business partner. These attacks disrupt operations, compromise sensitive data, and can lead to loss of financial resources (such as in CEO Fraud) and high cost to restore encrypted data (as with ransomware).

RISKY THIRD PARTY APPS

Third-party apps offer convenient access to on-premises and cloud services, and will usually request and then store identity credentials to enable quick access by the user. However, third-party apps can be a carrier of malware directly, or vulnerabilities in the apps can be exploited to gain unauthorized access to corporate data. The recent Gooligan malware, for example, spread through compromised apps on Android 4 and 5 devices, and stole authentication tokens that could be used to access data in Google services, including Google Docs, G Suite, and Google Drive. Third-party apps should be security vetted, and controls introduced to mitigate the risk of unauthorized activity.

INCREASED CADENCE OF SOFTWARE DELIVERY

Enterprises are moving toward new collaborative approaches to developing and delivering software. DevOps, for example, is an emerging practice intended to deliver software to market on a faster cadence, by integrating software development and IT operations teams. This faster cadence means that organizations can be highly responsive to customer needs, delivering new capabilities on a daily basis – or even faster. The increased velocity, however, combined with the use of cloud services where delivered software is available to the world, makes it essential to fully protect and secure the service, the new code, and stored customer data. Getting security wrong is not an option.

CHANGING SECURITY RESPONSIBILITY MODEL

While security is ultimately each organization's responsibility, cloud services introduce a different security model with shared responsibility between the organization and the cloud provider. Different types of cloud services – Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS) and SaaS – have different lines of security demarcation. Organizations must understand where those lines of demarcation fall, be competent to deliver on the security requirements for which they are responsible, and be confident that the cloud provider has the technology, processes, and organizational systems in place to deliver on its requirements.

A GROWING AND EVOLVING RANGE OF SECURITY SOLUTIONS

Vendors are responding to the security challenges of the hybrid cloud with a growing and evolving range of new and updated security solutions, many of which we will explore later in this paper. New security solutions are offered in different configurations, and organizations need to navigate this changing and evolving market.

OTHER ISSUES TO CONSIDER

Software written for on-premises systems (i.e., company-specific software, workloads, etc.) was not written for the cloud, and most companies don’t have the time/inclination/bandwidth to re-engineer these applications. Consequently, unless organizations rewrite these applications to leverage all of the built-in cloud security functions, they’re likely going to need to layer in additional security. Moreover, it is important to note that the cloud cannot completely protect proprietary software. Much of this is due to access and vulnerability design – if cloud providers were to limit access, then they would suddenly become the IT “traffic cops” for the organization. Organizations can perhaps outsource this activity to a managed service provider, but a cloud provider generally is not going to do this and, by design, typically cannot. Providers may block or limit apps that pose risks for other cloud customers, but the company itself bears the responsibility for what it’s putting in the cloud (i.e., the “Shared Responsibility model”).

SUMMARY

In summary, the litany of security challenges in this new era of cloud-only, hybrid cloud and on-premises delivery models makes it essential that organizations undertake a proactive re-evaluation of their security posture and strategy.

SECURITY OPTIONS IN THE HYBRID CLOUD

With the growing use of cloud services by organizations, sometimes as a “cloud-only” strategy, but much more frequently as part of a hybrid on-premises and cloud services approach, creating an adaptable and unified security strategy is a critical task for security professionals. If there is one major concept to take from this white paper, it is this: your organization needs an end-to-end, unified and holistic security strategy in this new era of cloud-only and hybrid cloud deployment models. And, since the threat landscape is ever changing (and in some ways becoming more malicious and dangerous as new threats slip through traditional defense lines), your approach should be adaptable to the evolving threatscape. Moreover, the security strategy needs to be business-driven and aligned with business priorities, understanding and incorporating the business risk models and able to deliver services quickly to satisfy business requirements. The security strategy needs to accelerate growth, while at the same time minimizing risk. Providing security insights and risk-oriented data to business managers is possible only when security information is relayed in a way that the business can understand, consume and act upon. A security strategy of this nature is necessary because:

• Siloed security tools increase cost, amplify complexity for both initial deployment and ongoing maintenance, and leave gaps through which security threats can penetrate.

• A siloed approach will decrease visibility of new and emerging threats, thereby compromising your ability to respond swiftly and appropriately. On the other hand, products that capture and share threat data, context, critical events, and organizational intelligence allow for an ever-strengthening security posture.

• And finally, having multiple, different tools will require the translation of security policies into tool-appropriate security settings, a complex task initially and over time.

In working out a security strategy, organizations face one of three patterns, and have two general approaches available to address the pattern most relevant to their situation.

THREE PATTERNS

The three patterns for security are on-premises only, cloud-only, and hybrid on-premises and cloud. Each approach to security has advantages and disadvantages.

• Pattern 1: On-Premises Only

Organizations using only on-premises IT delivery capabilities must protect what they can see and touch inside the organizational perimeter. If an organization is an exception to the trend of embracing cloud services, the following statements sum up its security approach.

o Advantage: Everything that needs to be protected is inside the organizational perimeter, providing fewer disparate data locations to protect. Assuming threats to the network, applications, and people can be stopped at the perimeter, this offers a simple approach to IT and IT security.

o Disadvantage: A decreasing number of organizations are sticking with the on-premises only pattern, migrating to cloud services on a tactical and/or strategic basis. Protecting only the organizational perimeter is an approach with an increasingly short shelf life.

o Disadvantage: Even organizations with strict policies for using only on-premises solutions are likely to find large or small pockets of cloud use across the firm. Focusing solely on protecting on-premises IT capabilities will blind decision makers to the reality of increasing cloud use by some or most employees.

o Disadvantage: Remote and other off-premises workers are more difficult to secure given that many network level defenses are unavailable in “desktop” forms. Requiring VPN and backhauling all traffic through the organization’s data center can help mitigate some risks, but can introduce additional IT challenges in return.

o Disadvantage: Depending on how security updates are delivered, there can be a time lapse between delivery availability and full protection being restored. This could allow threats to cause damage that then needs to be rectified.

However, this is a decreasing reality for organizations across the world, with more organizations intentionally embracing cloud services as a strategic direction, or being forced into cloud services through shadow IT adoption by employees. It is worth noting that even for organizations that have an exclusive strategy for on-premises capabilities, cloud security services can be leveraged to deliver a strong security posture. For example, Osterman Research has been a long-term advocate of using cloud-delivered messaging security services to keep email-borne threats as far away from the organizational network as possible.

• Pattern 2: Cloud Only

Organizations that have migrated all IT capabilities to the cloud – and rely on no on-premises IT capabilities – will need to make use of cloud-delivered security solutions.

o Advantage: Cloud security solutions are normally complemented with proactive security analysis based on discrete events across the cloud service. The cloud security provider correlates seemingly random events to identify patterns of new zero-day and emerging threats, and then develops responses to mitigate these before vulnerabilities are exploited. Having a cloud-scale set of data points to analyze leads to faster threat identification and mitigation.

o Advantage: As soon as a cloud security provider rolls out mitigations to new threats, its customer organizations are protected. The cloud security provider is strongly motivated to ensure that no threats get through, hence rapid time-to-mitigation, and organizations don't have to patch or update internal systems before being protected.

o Advantage: Most cloud solutions easily secure remote and other off-network workers while giving IT central visibility and control.

o Advantage: Reducing hardware provides significant savings in rack space, power, cooling, IT maintenance and other indirect costs, while also offering increased flexibility to adjust the mix of services by eliminating appliance lifecycle obstacles.

o Disadvantage: Individual cloud services offer their own security capabilities and, in addition to assessing fitness for purpose against organizational security and compliance requirements, organizations need to ensure consistency in security capabilities across multiple cloud environments. Key differences in what is and is not supported can cause weaknesses in security posture.

o Disadvantage: A cloud-only approach necessitates securing and ensuring reliable and redundant connectivity to cloud resources. Organizations that maintain mission-critical applications and data assets in the cloud must ensure that access to the cloud is available as close as possible to 100 percent of the time.

o Disadvantage: Many organizations rely on multiple cloud providers to deliver IT capabilities, and thus face the situation of having multiple cloud service-aligned security solutions, as well. Gaining unified visibility of threats across a collection of disparate cloud services is labor intensive and subject to several risks.

Even if an organization has embraced a cloud-only model, it must avoid laxity in security processes. A hands-off IT delivery model using cloud services does not give permission for a hands-off approach to the security landscape.

• Pattern 3: Hybrid On-Premises and Cloud

With most organizations using some combination of on-premises and cloud services – with the share of cloud services increasing over time – a security strategy that addresses the hybrid nature of IT capabilities is essential. For most organizations, this is the pattern they must get right – in an emerging and dynamic marketplace and security threatscape.

o Advantage: Organizations with a unified, end-to-end approach to security that covers on-premises and cloud services will be well protected from new and emerging threats, and will be addressing the reality that most organizations now have hybrid cloud environments (whether for tactical or strategic reasons).

o Disadvantage: Using separate, non-integrated security tools to deal with individual capabilities on-premises and in the cloud will raise costs, increase complexity, and make it difficult to address new and emerging threats.

As shown in Figure 3, the cloud will consume a significantly greater proportion of IT security spending over just the next two years.

Figure 3
Proportion of Cyber Security Spending for On-Premises vs. Cloud, 2017 and 2019

Source: Osterman Research, Inc.

TWO APPROACHES

The two general approaches to addressing whichever pattern is most relevant are a) integrating best-of-breed products to create a unified security posture, or b) embracing a unified solution that delivers an integrated best-in-class security posture. As with the patterns, both of these approaches have advantages and disadvantages.

• Approach 1: Integrate Multiple Products

Integrating multiple products is based on the idea that different vendors have different strengths, and that one vendor is unlikely to offer a complete suite of defensive tools. Organizations proceeding down this path take on board the responsibility to identify, provision, and integrate the right mix of products to address current and emerging threats.


o Advantage: Organizations can create a tailored security environment that is responsive to the specific threats they are experiencing, using the best-in-class products available to address specific challenges.

o Disadvantage: Acquiring and managing multiple security products is generally a more expensive route compared with buying a unified solution. It comes with the responsibility to manage the complexities of multiple disparate products, such as working with different security interfaces.

o Disadvantage: The capabilities of products from different vendors can diverge over time, undermining an integration story that made sense on day one with the realities of vendors responding to different opportunities in a dynamic market. When one vendor upgrades its security capabilities, and these are dependent on another security vendor that is putting fewer engineering resources into its products, the degraded interlinked dependencies can cause a weakened posture.

o Disadvantage: Organizations going down the integration path need to ensure they have sufficiently well-trained IT security professionals to manage a diverse array of security capabilities. With cyber security specialists being difficult to find and expensive as a consequence, the war for talent can render it difficult to find and retain the right people.

• Approach 2: Acquire a Unified Security Solution

Vendors developing a unified security solution attempt to create a wide-ranging offering with as many capabilities as possible, integrated as well as possible, with usage and management coherency across the different modules and subsystems. For example, vendors talk about a “single pane of glass” through which to manage all of the available capabilities, as opposed to having separate and different management interfaces.

o Advantage: While security is an organizational responsibility for many customers, it is a core competency for very few. Coordinating the integration of multiple security products is a conceptually challenging task, with many technical complexities. Acquiring a unified security solution allows an organization to leverage vendors for which security is the core competency.

o Advantage: Vendors often have greater weight in the war for talent, being able to attract top cyber security talent with remuneration schemes and challenging and complex work tasks that surpass what any one organization can deliver. Working with a vendor offering a unified solution gives organizations an indirect way of gaining access to that same talent.

o Advantage: Increasingly, unified security offerings allow subscription to various defenses independently, allowing replacement of existing on-premises vendors at staggered renewal times, supporting a smooth transition from multiple products to a unified security posture. This contrasts with UTM vendors that force switching to everything at once: for example, if an organization’s web security is up for renewal and decision makers are looking at replacements, it may be necessary to replace other parts of the defense even if there is still remaining time on those subscriptions.

o Disadvantage: New entrant vendors generally bring new security products to market faster than large and established security vendors can update their unified offerings. This means that new and emerging threats may be better addressed by a new point solution, giving faster protection to organizational networks, applications, data and people in some situations. It must be noted, however, that while employing these point vendors may offer a short-term advantage, it may not be the best long-term strategy.


ASSESSMENT OF TCO AND LEVEL OF SECURITY

Organizations that are able to use fewer security products that individually offer more capability are likely to have a lower total cost of ownership and a higher overall level of security. Fewer separate products mean lower coordination and configuration costs, both initially and over time, and the holy grail of a unified end-to-end security solution is likely to provide the best coverage against current, new and emerging threats. As shown in Figure 4, one-half of the organizations surveyed for this white paper are employing multiple cloud vendors.

Figure 4 Number of Different Cloud Providers Used in Production
Source: Osterman Research, Inc.

BEST PRACTICES AND DECISION RULES

Against the backdrop of new and emerging security threats in the hybrid cloud era, how do decision makers decide how best to implement security? Here are four best practices and decision rules to guide decision makers’ thinking.

KNOW WHAT YOU HAVE TO PROTECT

Carry out an end-to-end security audit. Look at the data, systems, processes and storage locations currently being used across the organization, and assess their vulnerability to current, new and emerging threats. Overlay the current security approach onto this picture. The audit should also consider the specific people who are most vulnerable to new threats, such as social engineering via CEO Fraud that can result in expensive losses. If an organization does not have the capability to audit the current state of systems and security, engage an external professional services firm with specific expertise in security.

UNDERTAKE A RISK-BASED ASSESSMENT

The audit will reveal where and how data is being processed and stored, and the nature of the data contained in each system or process. Some of this data will be sensitive, confidential or commercially valuable, and some will be the core intellectual property of the organization. Sensitive data types like customer data, financial records, credit card information, healthcare data and employee data require specific security and protection mechanisms, and are often subject to regulatory requirements that include breach notification laws. Note where this data is authoritatively stored, the security mechanisms in place today, and where new and emerging threats are likely to surface.

DETERMINE THE DEMARCATION OF RESPONSIBILITY

Use of cloud services introduces a shared responsibility model between the cloud provider and the organization. Different types of cloud services have different demarcations of security: with infrastructure-as-a-service the organization still secures everything from the operating system up, while with software-as-a-service the provider runs the application and the organization remains responsible for its data, its identities and the way the service is configured. Once decision makers understand the elements for which they are responsible, they can analyze the responsibilities held by the cloud providers with which they are working and assess fitness for purpose. Where multiple cloud services are being used, decision makers should look for ways to unify their approach to security across on-premises systems and the various cloud services. For example, a unified approach to identity and access management is much preferable to separate islands of identity. Likewise, a unified logging and monitoring mechanism reduces the number of separate and different management interfaces.

ENSURE THE BASICS ARE DONE RIGHT, PARTICULARLY THE HUMAN ELEMENT

People are a key vector of attack in the current threatscape, and sometimes the biggest threat is employees with malicious intent masquerading as trusted insiders. There are some basic things to do right to design security thinking into organizational processes. For example:

• Design data processes that capture and process sensitive and confidential data so they are not dependent on any one person. The principle of segregating duties, along with the principle of rotating duties periodically, helps ensure that bad actors do not go unnoticed until it’s too late.

• Perform due diligence on the security capabilities of cloud providers and, wherever possible, obtain initial and on-going audit rights to ensure that what the cloud provider says it will do from a security perspective is actually being implemented.

• Protect IT administrative accounts, to reduce the likelihood that they can be compromised and used for malicious purposes. One of the key ideas is that administrative accounts should be used only for administrative purposes in on-premises and cloud environments, and should not be used for any day-to-day activities such as email or web browsing.
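The last point above is checkable rather than just a policy statement. The script below is an added example, not code from the white paper or from any vendor it names: it normalizes constructed sign-in records from an on-premises directory and a cloud suite into one schema and flags administrative accounts that show up doing everyday work. It assumes a naming convention in which dedicated administrative accounts carry an “adm-” prefix, and that both sources are exported as JSON lines with the field names shown; the records themselves are constructed sample data.

```python
"""Detect administrative accounts used for day-to-day work.

Added example; not code from the white paper or from any vendor it names.
Assumptions: dedicated administrative accounts carry an "adm-" prefix, and
sign-in/activity records from an on-premises directory and a cloud suite are
exported as JSON lines. Every record below is constructed sample data.
"""
import json
from collections import defaultdict

# Constructed on-premises logon records (field names modelled on Windows 4624 events).
ON_PREM_EVENTS = """\
{"EventTime":"2017-05-02T08:01:11Z","TargetUserName":"ADM-JSMITH","LogonType":2,"WorkstationName":"WS-0451","ProcessName":"OUTLOOK.EXE"}
{"EventTime":"2017-05-02T08:05:40Z","TargetUserName":"ADM-JSMITH","LogonType":10,"WorkstationName":"DC01","ProcessName":"mmc.exe"}
{"EventTime":"2017-05-02T09:12:03Z","TargetUserName":"jsmith","LogonType":2,"WorkstationName":"WS-0451","ProcessName":"chrome.exe"}
""".splitlines()

# Constructed cloud audit records (field names modelled on the Office 365 unified audit log).
CLOUD_EVENTS = """\
{"CreationTime":"2017-05-02T08:20:00Z","UserId":"adm-jsmith@example.com","Operation":"MailItemsAccessed","Workload":"Exchange"}
{"CreationTime":"2017-05-02T08:22:14Z","UserId":"adm-jsmith@example.com","Operation":"Set-Mailbox","Workload":"Exchange"}
{"CreationTime":"2017-05-02T10:02:55Z","UserId":"kwong@example.com","Operation":"FileDownloaded","Workload":"SharePoint"}
""".splitlines()

# Activities that belong to a person's everyday account, never to an admin account.
DAY_TO_DAY = {a.lower() for a in (
    "outlook.exe", "chrome.exe", "iexplore.exe", "firefox.exe", "winword.exe", "excel.exe",
    "MailItemsAccessed", "Send", "FileAccessed", "FileDownloaded", "FileUploaded",
)}

def account_name(user):
    """Strip a UPN suffix and case so 'ADM-JSMITH' and 'adm-jsmith@example.com' are one identity."""
    return user.split("@", 1)[0].lower()

def is_admin_account(user):
    return account_name(user).startswith("adm-")   # assumed naming convention

def normalize(on_prem_lines, cloud_lines):
    """Map both sources onto one schema: (time, account, activity, source)."""
    events = []
    for line in on_prem_lines:
        e = json.loads(line)
        events.append((e["EventTime"], account_name(e["TargetUserName"]), e["ProcessName"], "on-prem"))
    for line in cloud_lines:
        e = json.loads(line)
        events.append((e["CreationTime"], account_name(e["UserId"]), e["Operation"], "cloud"))
    return sorted(events)

def find_admin_misuse(on_prem_lines, cloud_lines):
    """Return {account: [(time, activity, source), ...]} for admin accounts doing day-to-day work."""
    findings = defaultdict(list)
    for time, account, activity, source in normalize(on_prem_lines, cloud_lines):
        if is_admin_account(account) and activity.lower() in DAY_TO_DAY:
            findings[account].append((time, activity, source))
    return dict(findings)

if __name__ == "__main__":
    for account, hits in find_admin_misuse(ON_PREM_EVENTS, CLOUD_EVENTS).items():
        for time, activity, source in hits:
            print(f"{time} {account}: day-to-day activity '{activity}' seen in {source} logs")
```

On the sample data the check reports the same person’s admin account opening a mail client on a workstation and reading mailbox items in the cloud, while the legitimate console session on the domain controller and the mailbox configuration change pass. The point of the identity normalization is that the on-premises and cloud records name the same account differently; without joining them, each source alone looks less suspicious.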

CATEGORIES OF PRODUCTS

The diverse nature of the threatscape requires a collection of different capabilities to address it. Organizations developing a security strategy for the hybrid cloud should evaluate the applicability of the following product categories to their specific requirements.

CLOUD ACCESS SECURITY BROKERS

A Cloud Access Security Broker (CASB) is a solution that acts as an intermediary between an organization’s users, whether on-premises or remote, and one or more cloud providers, acting to ensure that the organization’s security policies are enforced when those cloud services are used. CASBs enable security analysts and others within an organization to understand how cloud applications and services are being used, to identify non-sanctioned “shadow IT” applications, and to provide insight into cloud-to-cloud operations.
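The shadow IT discovery a CASB performs starts from the organization’s own web proxy logs, and the inventory step can be illustrated without a product. The following is an added example, not code from the white paper or from any vendor it names. It assumes the proxy writes one space-separated record per request (time, user, method, host, bytes out, bytes in), that the organization maintains a list of sanctioned service hostnames, and that a catalogue maps registrable domains to cloud applications; the records and the catalogue are constructed and abbreviated.

```python
"""Shadow IT discovery from web proxy logs, the inventory step a CASB automates.

Added example; not code from the white paper or from any vendor it names.
Assumptions: the proxy writes one space-separated record per request
(time user method host bytes_out bytes_in); the sanctioned-host list and the
cloud-app catalogue are maintained by the organisation. All records are constructed.
"""

SANCTIONED_HOSTS = {"login.salesforce.com", "outlook.office365.com", "example.sharepoint.com"}

# Lookup from registrable domain to cloud application (assumed, abbreviated catalogue).
CLOUD_APPS = {
    "dropboxapi.com": "Dropbox", "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer", "box.com": "Box",
}

# Constructed proxy records: time user method host bytes_out bytes_in
PROXY_LOG = """\
2017-05-02T09:01:02Z jsmith POST api.dropboxapi.com 5242880 512
2017-05-02T09:03:45Z jsmith GET outlook.office365.com 1024 204800
2017-05-02T09:10:11Z kwong POST upload.wetransfer.com 15728640 300
2017-05-02T09:11:30Z kwong GET login.salesforce.com 800 40960
2017-05-02T09:15:00Z mlee POST content.dropboxapi.com 1048576 256
2017-05-02T09:20:59Z mlee GET www.bbc.co.uk 600 98304
""".splitlines()

def registrable_domain(host):
    """Last two labels of the host. Naive on purpose: a real broker uses the public suffix
    list, which is why 'www.bbc.co.uk' yields 'co.uk' here and is treated as plain web traffic."""
    return ".".join(host.lower().split(".")[-2:])

def discover_shadow_it(lines, sanctioned=SANCTIONED_HOSTS, apps=CLOUD_APPS):
    """Aggregate unsanctioned cloud-app use: {app: {"users": set, "bytes_out": int, "requests": int}}."""
    report = {}
    for line in lines:
        _time, user, _method, host, bytes_out, _bytes_in = line.split()
        if host.lower() in sanctioned:
            continue
        app = apps.get(registrable_domain(host))
        if app is None:
            continue                          # not a known cloud app: leave to web filtering
        entry = report.setdefault(app, {"users": set(), "bytes_out": 0, "requests": 0})
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
        entry["requests"] += 1
    return report

def rank_by_upload(report):
    """Order apps by bytes sent to them: the list a security team reviews first."""
    return sorted(((app, len(e["users"]), e["bytes_out"]) for app, e in report.items()),
                  key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for app, users, out in rank_by_upload(discover_shadow_it(PROXY_LOG)):
        print(f"{app:<12} users={users} uploaded={out / 1048576:.1f} MiB")
```

Ranking by bytes uploaded rather than by request count is deliberate: a single 15 MiB transfer to an unsanctioned sharing service matters more than many small reads, and upload volume is what distinguishes data leaving the organization from casual browsing.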


IDENTITY AND ACCESS MANAGEMENT (IAM)

A unified approach to identity and access management that automates the lifecycle management and governance of user access rights is a critical foundation for security. New employees should be able to be added in one place and granted appropriate access rights across the entire stack of systems (ideally tied into a unified authentication solution to ensure a convenient and secure experience when users access those systems), and likewise removed in one place and have their access rights revoked immediately. Privileged accounts should have extra levels of security to protect them from credential compromise.

MULTI-FACTOR AUTHENTICATION (MFA)

Multi-factor authentication solutions have evolved from simple step-up methods layered on basic password-based authentication to context- and risk-based identity assurance solutions that incorporate mobile- and token-based authentication form factors to mitigate the risks of compromised passwords, weak passwords and brute-force password attacks. While MFA could be used by everyone, it should at a minimum be used by employees handling sensitive data, by administrators, and by executives who are likely to be the target of identity-based attacks.

FIREWALLS

Modern firewalls that offer security capabilities beyond port- and protocol-based filtering, such as protecting applications and offering deep packet inspection to differentiate between valid and compromised traffic, provide an essential defense against security threats. Modern firewalls provide a unified set of security services to protect the network, applications and people.

ENCRYPTION

Encrypting data wherever it resides and however it is used is a critical mechanism for protecting data in cloud services and minimizing the exposure risk of a data breach. Stolen data that is well encrypted, so that it withstands brute-force decryption attempts, gives malicious actors no leverage from their theft.
Whenever possible, organizations should retain ownership of their encryption keys rather than relying on provider-managed keys, since in a breach of the provider those keys may also be compromised.

ANTI-MALWARE

Capabilities that protect against the rising tide of malware are essential, and should be able to identify, block, sandbox and disable malware before it wreaks havoc across an organization. Protection is also required against malware that creeps in undetected and operates in stealth to exfiltrate data over time; detecting it will usually require advanced deep packet analysis security tools.

ANTI-PHISHING AND ANTI-SPEARPHISHING

Our research found that 66 percent of the organizations we surveyed had been infiltrated by ransomware, other malware, a hacker, etc. because an employee clicked on a phishing link, spearphishing link or attachment in a malicious email. Malicious actors use phishing and spearphishing techniques to give emails an appearance of validity while hiding threats like malware. A wrong click can lead to compromised systems, loss of productivity, and time spent on rectification. Anti-phishing and anti-spearphishing security technologies use multiple mechanisms to uncover questionable emails, links and attachments, and to warn employees of suspicious but innocuous-looking content. As one example, phishing employees for the credentials they use to sign into cloud-based applications or cloud portals is extremely dangerous and could pose a grave threat to the security of an organization’s data assets by allowing cyber criminals to gain access to sensitive data repositories. The 2017 Verizon Data Breach Investigations Report¹ found that some industries are particularly targeted for user credentials: for example, credentials represent 71 percent of the data compromised from financial and insurance companies, and 56 percent of the data compromised from information-focused companies.

ANTI-CEO FRAUD/BUSINESS EMAIL COMPROMISE

With cybercriminals innovating in how they extract financial resources from organizations, CEO Fraud/BEC is a rising threat. Security technologies that guard against these threats highlight warning signals, such as subtle differences in email header information: for example, a sender domain that looks right but is a derivation of the authentic one, or a reply-to address that differs from the apparent sender. Strategies such as these are designed to warn employees of suspicious-looking communications.

ANTI-RANSOMWARE

Ransomware is another way cybercriminals are innovating in how they extract financial rewards from organizations. When files are encrypted and their owner(s) can no longer gain access to them, the urgency of coming to a resolution rises very quickly. Anti-ransomware security tools are designed to highlight suspicious emails or hidden downloads of malware, and to capture and stop the execution of the threat payload before it can take hold.

DATA LOSS PREVENTION

Sensitive or commercially valuable data can leave organizational systems through multiple paths, and Data Loss Prevention (DLP) is a means of identifying when that is happening and blocking or quarantining the content for remediation or further protection. Sometimes it is an employee emailing sensitive content to a valid external party, but without encrypting the information first (which can be handled automatically through rules). Other times it is a malicious insider trying to steal corporate information, or an advanced persistent threat exfiltrating data while no one is watching. DLP systems are always watching.
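The “domain that looks right but is a derivation of the authentic one” in the CEO Fraud/BEC section above is the part of the check that can be shown concretely. The script below is an added example, not code from the white paper or from any vendor it names: it reduces a sender domain to a skeleton in which common substitutions collide (digits for letters, rn for m, accented letters, dropped hyphens), then compares it with the organization’s trusted domains by exact match, by one edit or transposition, and by embedding of the trusted name. It assumes the trusted domain list (TRUSTED) is maintained by the organization; all domains used are constructed.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Added example; not code from the white paper or from any vendor it names.
Assumption: the organisation's own domains and its trusted partners' domains
are known (TRUSTED). All domains here are constructed.
"""
import unicodedata

TRUSTED = {"example.com", "example-partners.com"}

def skeleton(domain):
    """Canonical form in which visually similar spellings collide."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))      # accents: é -> e
    for multi, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):  # letter pairs read as one letter
        d = d.replace(multi, single)
    return d.translate(str.maketrans("0135", "oles")).replace("-", "")  # digits for letters, hyphens

def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): one transposition costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def second_level(domain):
    """Label just before the TLD: 'example' for 'example.com'."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def classify(sender_domain, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unrelated', trusted domain matched or None)."""
    host = sender_domain.lower().rstrip(".")
    if host in trusted:
        return "trusted", host
    sk = skeleton(host)
    for t in sorted(trusted):
        tsk = skeleton(t)
        if host.startswith(t + "."):                      # trusted name as subdomain: example.com.evil.net
            return "lookalike", t
        if sk == tsk:                                      # homoglyphs, digits, dropped hyphen
            return "lookalike", t
        if osa_distance(sk, tsk) <= 1:                     # one typo, swapped letters or TLD change
            return "lookalike", t
        if len(second_level(tsk)) >= 5 and second_level(tsk) in second_level(sk):
            return "lookalike", t                          # trusted name embedded: example-secure.com
    return "unrelated", None

if __name__ == "__main__":
    for d in ("example.com", "examp1e.com", "exarnple.com", "exampel.com",
              "example.co", "example-secure.com", "example.com.evil.net", "acme.com"):
        print(f"{d:<24} {classify(d)}")
```

A verdict of “lookalike” is a signal for the warning banner or quarantine the section describes, not proof of fraud; the embedding rule in particular needs a minimum length on the trusted name (five characters here) to avoid flagging every domain that happens to contain a short word. Internationalized domain names arrive on the wire as xn-- punycode and must be decoded (Python’s idna codec does this) before the skeleton step, otherwise a Cyrillic “е” substituted for a Latin “e” is never seen.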
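The DLP section above mentions that an employee emailing sensitive content to a valid external party without encrypting it “can be handled automatically through rules”. The following is an added example of such a rule, not code from the white paper or from any vendor it names. It finds payment card numbers in an outbound message body (a digit-run pattern filtered by the Luhn check), masks them for logging, and decides between allow, encrypt and quarantine depending on whether any recipient is external, whether the message is already encrypted, and how many distinct numbers are present. It assumes the mail flow supplies (sender, recipients, body, encrypted flag), that INTERNAL_DOMAINS lists the organization’s own domains, and that the thresholds are the organization’s policy choices; the messages are constructed and use the standard card-brand test numbers.

```python
"""Outbound e-mail DLP rule: detect payment card numbers and choose an action.

Added example; not code from the white paper or from any vendor it names.
Assumptions: the mail flow hands the rule (sender, recipients, body text) and a flag
saying whether the message is already encrypted; the organisation's own domains are
INTERNAL_DOMAINS; the action thresholds are policy choices. All messages are constructed.
"""
import re

INTERNAL_DOMAINS = {"example.com"}

# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def luhn_ok(digits):
    """Luhn check digit: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def find_card_numbers(text):
    """Distinct Luhn-valid PANs in text, ignoring degenerate runs like 0000000000000000."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def mask(pan):
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def evaluate(sender, recipients, body, encrypted=False):
    """Return (action, masked PANs). Actions: allow, encrypt, quarantine."""
    pans = find_card_numbers(body)
    if not pans:
        return "allow", []
    masked = [mask(p) for p in pans]
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if not external:
        return "allow", masked            # stays inside; log the match, do not block (policy choice)
    if len(pans) >= 5:
        return "quarantine", masked       # bulk card data to an outside party needs a human decision
    if encrypted:
        return "allow", masked
    return "encrypt", masked              # a few numbers to a valid external party: encrypt in flight

# Constructed messages; the card numbers are the published brand test numbers.
SINGLE_CARD = "Hi Sam, the card on file is 4111 1111 1111 1111, exp 09/19. Order ref 20170502-0042."
BULK_CARDS = "\n".join(["4111111111111111", "5500000000000004", "378282246310005",
                        "4012888888881881", "6011111111111117"])

if __name__ == "__main__":
    print(evaluate("jsmith@example.com", ["pat@partner.example.net"], SINGLE_CARD))
    print(evaluate("jsmith@example.com", ["pat@partner.example.net"], BULK_CARDS))
```

The Luhn filter is what keeps the rule usable: order references, tracking numbers and timestamps are full of digit runs, and without the checksum the pattern alone would quarantine half of a finance team’s mail. The order reference in the sample body is twelve digits and is never a candidate; a thirteen-digit invoice number that happened to pass Luhn would still be flagged, which is the residual false-positive rate a DLP team tunes with allow-lists.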
ENDPOINT PROTECTION

The increasingly mobile employee and executive carries corporate devices freely around the world, connecting and disconnecting from a plethora of networks, and is subject to a raft of threats such as loss, theft or content interception (for example, on an aircraft’s Wi-Fi network). All corporate devices, and any employee-owned devices that can access and store corporate information, need protection. This should cover device-level encryption, data protection and access control, among others.

SECURITY AWARENESS TRAINING

There are many new and emerging security threats, and having an employee population aware of the potential problems is essential. Since all it takes is one or two wrong clicks in a ransomware email to cause significant problems, employees should be aware of the types of security threats they are likely to face on a day-to-day basis. Equally, they need to know how to respond when facing these threats, both at work and at home.

UNIFIED LOGGING AND MONITORING

The logging and monitoring of system events provides a mechanism for identifying abnormal activity that could signal a compromise or a security weakness. Unifying the logging and monitoring of all the systems used across the organization, on-premises and in the cloud, means there is a consistent and coherent way of tracking everything that is going on. Unified systems will often have threat intelligence capabilities as well, for highlighting and prioritizing specific areas of concern.

¹ Source: 2017 Data Breach Investigations Report, 10th Edition, Verizon

SUMMARY AND CONCLUSIONS


The threatscape is expanding as organizations migrate more and more of their data and IT functionality to the cloud. These trends are creating a situation in which the old security models no longer work as well as they once did and must be carefully re-evaluated, new security models must be adopted, and new strategies developed to ensure that all sensitive corporate data, regardless of its location, can be adequately protected. Choosing the right security vendors, arguably a more important priority in the cloud era than it ever was in the on-premises era, must be among the highest priorities for both IT and business decision makers.

SPONSOR OF THIS WHITE PAPER

Forcepoint is transforming cybersecurity by focusing on what matters most: understanding people’s behaviors and intent as they interact with critical data and IP wherever it resides. Our uncompromising systems enable companies to empower employees with unobstructed access to data while protecting intellectual property and simplifying compliance. Forcepoint was formed in 2016 as a result of the combination of the Raytheon Cyber Products, Websense and Stonesoft organizations, integrating the user protection, data security and cloud expertise of Websense with the insider threat and analytics technology of Raytheon, along with the next-generation network protection capabilities of Stonesoft. The three businesses brought together decades of front-line experience across many domains of cybersecurity, from Fortune 100 enterprises to mid-sized businesses in every industry, to the world’s most highly secure defense, intelligence and law enforcement agencies. Cloud application protection and visibility was also enabled in 2017 with Forcepoint’s acquisition of Skyfence CASB (cloud access security broker). More than 20,000 organizations around the world rely on Forcepoint to enable better decision-making and more efficient security.

© 2017 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

www.forcepoint.com

@Forcepointsec

[email protected]

+1 800 723 1166