The document discusses how cloud security and privacy do not need to be at odds. It notes that there are over 10,000 enterprise apps used today, but IT is only aware of about 40-50 apps. Most cloud apps enter the enterprise through business or user-led adoption rather than IT-led processes. The document outlines seven requirements for mitigating cloud usage risk while maintaining privacy, such as finding all cloud apps, understanding usage details, using precise policies, and educating users on safe usage. It promotes the idea that allowing usage with proper controls is better than outright bans.
5. apps
• 917+ cloud apps per enterprise
• 94% are not enterprise-ready
users
• Malicious or non-intentional
• 15% of corporate users have had their account credentials compromised
data
• 18% of files in cloud apps constitute a policy violation
• 22% of those files are shared publicly
activities
• Cloud makes it easy to share
• When is an activity an anomaly?
13. REQ #2: Understand Cloud Usage Details
Bob in accounting → From his mobile phone → Uploading customer data to Dropbox → Bob’s credentials have been compromised
14. Privacy Best Practice #2: Obfuscate personal details in UI and do it per role
Bob in accounting → From his mobile phone → Uploading customer data to Dropbox → Bob’s credentials have been compromised
21. 1: Find all cloud apps and assess enterprise-readiness
2: Understand cloud usage details
3: Use surgical precision in your policies and leverage context
4: Enable right-sized admin privileges
5: Find sensitive data tied to an activity or stored in a cloud app
6: Enforce policies by source and destination country. Bypass selected cloud apps. Obfuscate personal details in UI. Differentiate between personal and corporate cloud usage
7: Don’t leave users in the dark. Coach them on safe usage.
The SaaS market’s explosive growth is fueled for the most part by the enterprise: there are more than 10,000 enterprise apps today, and that number is growing.
However, along with all of the cloud goodness that drives this adoption comes tremendous cloud app sprawl. We at Netskope perform cloud assessments for our prospects and find that while IT usually estimates that they have about 40-50 apps running in their organizations (only a handful of which they manage), we discover more than 900. Beyond the sheer volume of apps, the number of apps in business-critical categories is surprising: 62 marketing, 37 collaboration, 28 HR, and 34 finance apps.
Netskope’s research has also found that 94% of apps are not enterprise-ready and if you combine that with the fact that IT is blind to 90% of these apps, there are potential security risks and additional concerns that impact the CISO, CIO, and CFO.
One framework we use to think about cloud apps starts with how those apps come into your environment, and whether they’re sanctioned or not. Some are brought in by IT, some by lines-of-business, and some by individuals. Each of these app types has an important, and often business-critical, role to play in the success of your organization. Even Twitter is a must-have for many organizations and not just in marketing, but in customer support, business development, and the executive team. We at Netskope have thought through how to safely enable apps, whether sanctioned or not, and regardless of how they come into your environment.
With more than 900 cloud apps being used by a typical enterprise, what is the risk associated with all this cloud usage?
<advance to apps build>
Let’s start with the cloud apps themselves. As I mentioned before, 94% of cloud apps are not enterprise-ready. If you take key elements of the Cloud Security Alliance Cloud Controls Matrix and combine them with what Netskope’s research team has put together, the enterprise-readiness of an app is measured using 40+ criteria spanning 7 categories.
For example, inherent app security features: does the app support encryption of data at rest? Is the data center that hosts the app SOC compliant? Additional criteria include reviewing the terms and conditions of the SaaS provider’s legal agreement to determine whether the data uploaded to the app is owned by you or by the app vendor.
The net-net is that you need the ability to not only discover what cloud apps are running in your environment, but also be able to assess the enterprise-readiness of these apps and ultimately assess the potential risk.
<advance to users build>
Let’s face it: users are inherently risky. Sometimes they don’t make the smartest decisions. Sometimes their behavior is accidental and sometimes it is malicious. The other component of user risk is that the credentials they use to log in to cloud apps are often the same credentials they have been using for months or, in some cases, years. What if those credentials have been compromised as part of a past data breach? You need to understand your users and verify that their credentials have not been compromised.
<advance to activities build>
The activities that users perform can present risk. Maybe they were not supposed to share that information outside of the company. It is also important to track down anomalous behaviors that might signal a risky situation. For example, users logging into a cloud app from multiple locations in a small time window could signal account hijacking.
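The multi-location login heuristic above, as an added illustration that is not part of the original deck: a sliding window over each account’s login events flags any window in which the same account authenticated from more than one distinct location. The event records and location labels are constructed for this example, and the 60-minute window is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real data): user, UTC timestamp, login location.
SAMPLE_LOGINS = [
    ("bob",   "2015-03-02T09:00:00", "US-Chicago"),
    ("bob",   "2015-03-02T09:20:00", "DE-Berlin"),   # second location 20 minutes later
    ("alice", "2015-03-02T08:00:00", "US-Chicago"),
    ("alice", "2015-03-02T17:30:00", "US-Chicago"),
    ("carol", "2015-03-02T10:00:00", "US-Chicago"),
    ("carol", "2015-03-02T18:00:00", "GB-London"),   # 8 hours apart: plausible travel, not flagged
]


def find_multi_location_logins(events, window_minutes=60):
    """Return anomalies as (user, window_start_iso, sorted_locations).

    An anomaly is any span of at most `window_minutes` in which one account
    logged in from more than one distinct location. One finding per account
    is reported, which is enough to route the account for review.
    """
    by_user = defaultdict(list)
    for user, ts, location in events:
        by_user[user].append((datetime.fromisoformat(ts), location))

    anomalies = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per account
        start = 0
        for end in range(len(logins)):
            # Advance the window start until the span fits inside the window.
            while (logins[end][0] - logins[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            locations = {loc for _, loc in logins[start:end + 1]}
            if len(locations) > 1:
                anomalies.append((user, logins[start][0].isoformat(), sorted(locations)))
                break
    return anomalies


if __name__ == "__main__":
    for finding in find_multi_location_logins(SAMPLE_LOGINS):
        print("possible account hijacking:", finding)
```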
<advance to data build>
The 4th risk vector is data. Data is the lifeblood of any organization, and leakage of sensitive data can be costly and damaging to your company’s reputation. Research shows that 18% of files in cloud apps constitute a policy violation, and 22% of those files are shared publicly.
Final point
Any of these factors present risk on their own. When you combine them, you have a perfect storm for bad things to happen. For example, a user with compromised credentials is uploading sensitive data to a risky cloud storage app.
There is a catch-22 between using the cloud and being safe. The question is: should you block everything to mitigate your risk? That may not be the best solution, as many people rely on the cloud for anytime, anywhere access to data and to help them be more productive.
Next Slide…
Netskope believes that Allow is the New Block and you should allow cloud applications, but block the risky activities instead.
The objectives of Dr. Cavoukian’s Privacy by Design framework (ensuring privacy and gaining personal control over one’s information and, for organizations, gaining a sustainable competitive advantage) may be accomplished by practicing the following 7 Foundational Principles:
1. Proactive not Reactive; Preventative not Remedial
The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred — it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
2. Privacy as the Default Setting
We can all be certain of one thing — the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy — it is built into the system, by default.
3. Privacy Embedded into Design
Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.
4. Full Functionality — Positive-Sum, not Zero-Sum
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.
5. End-to-End Security — Full Lifecycle Protection
Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.
6. Visibility and Transparency — Keep it Open
Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify.
7. Respect for User Privacy — Keep it User-Centric
Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.
I would like to share with you 6 steps for mitigating the risk associated with cloud usage without blocking all cloud apps.
Step 1: As we discussed previously, you need to get a handle on what cloud apps are running in your environment and measure each one’s enterprise-readiness using 40+ factors.
Step 2: The next step is to understand how those cloud apps are being used. You need visibility into the details of each activity, taking into account contextual details such as the app, user, specific activity, and device that was used.
Step 3: Now that we have a framework in place for better understanding our cloud usage, the next step is to take action and enforce policies. Traditional perimeter security is coarse-grained, only allowing you to block at the app level. Cloud security 2.0 supports the ability to block at the activity level. In addition, you can bring context into your policies and be precise.
<next slide>
Step 4: The 4th step is all about the data. Preventing data leakage should be a key component of your cloud security strategy. You need to ensure that you employ 360-degree data protection, looking for sensitive data tied to an activity such as upload, download, and share, and also being able to run eDiscovery on sensitive data already stored in a cloud app.
It is also important to point out that not all DLP solutions are created equal. Look for one with robust capabilities such as support for hundreds of file types and data identifiers, custom regex, proximity, and fingerprinting. Also look for a DLP solution that can bring contextual details into DLP policies.
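The activity-level, context-aware policy described in Steps 3 and 4, combined with Privacy Best Practice #2 (obfuscate personal details in the admin UI per role), as an added example that is not Netskope’s product code: each activity record carries the context the notes list (app, user, activity, device) plus the app’s enterprise-readiness rating and a DLP verdict, a first-match rule table decides allow, coach, or block, and the reporting view pseudonymizes the user unless the viewer holds the assumed "incident_responder" role. The activity records, app names other than Dropbox, and rule set are constructed for this example.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Activity:
    """One cloud activity with its context (constructed record layout for this example)."""
    user: str
    app: str
    enterprise_ready: bool   # outcome of the 40+ criteria readiness assessment
    activity: str            # "upload", "download", "share" or "view"
    device: str              # "managed" or "mobile"
    dlp_match: bool          # True when DLP found sensitive data in the content


# Activity-level policy: each entry is (conditions, decision); first match wins,
# and an activity matching nothing is allowed. Blocking the activity, not the app,
# is the point: Dropbox stays usable for non-sensitive work.
POLICY = [
    ({"dlp_match": True, "enterprise_ready": False}, "block"),
    ({"dlp_match": True, "activity": "share"}, "block"),
    ({"dlp_match": True, "device": "mobile"}, "coach"),
    ({"enterprise_ready": False, "activity": "upload"}, "coach"),
]


def decide(act):
    for conditions, decision in POLICY:
        if all(getattr(act, field) == value for field, value in conditions.items()):
            return decision
    return "allow"


def display_user(user, role):
    """Per-role obfuscation: only the incident responder sees the real identity;
    every other admin role sees a stable pseudonym so trends stay analysable."""
    if role == "incident_responder":
        return user
    return "user-" + hashlib.sha256(user.encode()).hexdigest()[:8]


def evaluate(activities, role):
    """Return (displayed user, app, activity, decision) for each activity."""
    return [(display_user(a.user, role), a.app, a.activity, decide(a)) for a in activities]


SAMPLE = [  # constructed activities, not real observations
    Activity("bob",   "Dropbox",     False, "upload", "mobile",  True),
    Activity("alice", "CorpStorage", True,  "share",  "managed", True),
    Activity("carol", "CorpStorage", True,  "upload", "mobile",  True),
    Activity("dave",  "Dropbox",     False, "view",   "managed", False),
]
```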
Step 6: In the immortal words of Jerry Maguire… Help me, help you! You want security; they want to use apps. Help them use these apps securely by communicating.
Best practices:
Customize your coaching messages based on the situation
Involve users as part of the workflow; enable them to justify their actions
Implement an automated quarantine process for sensitive data and a workflow to approve or deny content
Here, in summary, are my 6 steps. I am confident if you follow these, you will have a safer cloud experience.