Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Cloud Security and Privacy Don't Need to Be at Odds
Semelhante a Cloud Security and Privacy Don't Need to Be at Odds (20)
Mais de centralohioissa
Mais de centralohioissa (20)
Último
Último (20)
Cloud Security and Privacy Don't Need to Be at Odds
- 1. No Tradeoffs Cloud Security and Privacy Don’t Need To Be at Odds Jervis Hui, Product Marketing Manager
- 2. There are 10,000 enterprise apps today (and growing).
- 3. © 2015 Netskope. All Rights Reserved. 3 Actual: 917 IT estimate: 40-50 IT is blind to 90% of cloud apps >90% of apps are not enterprise-ready App Redundancy: • 62 Marketing • 37 Collaboration • 28 HR • 34 Finance • 27 Productivity • 23 Cloud Storage Impacts CISO, CIO, and CFO
- 4. © 2015 Netskope. All Rights Reserved. How Do Cloud Apps Get In? 4 IT-led Business-led User-led 10% 70% 20% Mostly Unsanctioned Sanctioned
- 5. 5 apps • 917+ cloud apps per enterprise • 94% are not enterprise-ready users • Malicious or non- intentional • 15% of corporate users have had their account credentials compromised data • 18% of files in cloud apps constitute a policy violation • 22% of those files are shared publicly activities • Cloud makes it easy to share • When is an activity an anomaly?
- 6. Catch-22
- 7. Allow is the new block (allow is new block green light slide) 7
- 8. © 2015 Netskope. All Rights Reserved. What about privacy? 8
- 9. © 2015 Netskope. All Rights Reserved. Dr. Cavoukian’s Privacy by Design Framework 9 Proactive not reactive; preventative not remedial Privacy as the default setting Privacy embedded into design Full functionality: positive-sum, not zero-sum End-to-end security; full lifecycle protection Visibility and transparency – keep it open Respect for user privacy – keep it user- centric
- 10. 7 Requirements for Mitigating Cloud Usage Risk (while maintaining privacy)
- 11. REQ #1 Find all cloud apps running in your environment and assess enterprise- readiness
- 12. Privacy Best Practice #1 Bypass selected cloud apps
- 13. REQ #2 Understand Cloud Usage Details v v Bob in accounting From his mobile phone v Uploading customer data to Dropbox v Bob’s credentials have been compromised
- 14. Privacy Best Practice #2 Obfuscate personal details in UI and do it per role v v Bob in accounting From his mobile phone v Uploading customer data to Dropbox v Bob’s credentials have been compromised
- 15. REQ #3 Use surgical precision in your policies, leveraging contextual data
- 17. REQ #4 Enable right-sized admin privileges SharePoint Admin User Email
- 18. REQ #5 Find sensitive data tied to an activity or stored in a cloud app
- 19. REQ #6 Enforce policies by source and destination country
- 20. REQ #7 Don’t leave users in the dark. Coach them on safe usage.
- 21. 5: Find sensitive data tied to an activity or stored in a cloud app 3: Use surgical precision in your policies and leverage context 2: Understand cloud usage details 4: Enable right-sized admin privileges1: Find all cloud apps and assess enterprise-readiness 6: Enforce ppolicies by source and destination country. Bypass selected cloud apps Obfuscate personal details in UI Differentiate between personal and corporate cloud usage 7: Don’t leave users in the dark. Coach them on safe usage.
- 22. THANK YOU! To learn more, visit the Netskope booth and see a live demo
Notas do Editor
- The SaaS market’s explosive growth is fueled in most part by the enterprise as there are more than 10,000 enterprise apps today and that number is growing.
- However, for all of the cloud goodness that drives this adoption also comes tremendous cloud app sprawl. We at Netskope perform cloud assessments for our prospects and find that while IT usually estimates that they have about 40-50 apps running in their organizations (only a handful of which they manage), we discover more than 900. Beyond the sheer volume of apps, the number of apps in business-critical categories is surprising – 62 marketing, 37 Collaboration, 28 HR, and 34 finance apps. Netskope’s research has also found that 94% of apps are not enterprise-ready and if you combine that with the fact that IT is blind to 90% of these apps, there are potential security risks and additional concerns that impact the CISO, CIO, and CFO.
- One framework we use to think about cloud apps starts with how those apps come into your environment, and whether they’re sanctioned or not. Some are brought in by IT, some by lines-of-business, and some by individuals. Each of these app types has an important, and often business-critical, role to play in the success of your organization. Even Twitter is a must-have for many organizations and not just in marketing, but in customer support, business development, and the executive team. We at Netskope have thought through how to safely enable apps, whether sanctioned or not, and regardless of how they come into your environment.
- With more than 900 cloud apps being used by a typical enterprise, what is the risk associated with all this cloud usage? <advance to apps build> Let’s start with the cloud apps themselves. As I mentioned before, 94% of cloud apps are not enterprise-ready. If you take key elements of the cloud security alliance cloud controls matrix and combine that with what Netskope’s research team has put together, the enterprise-readiness of an app is measured using 40+ criteria spanning 7 categories. For example, inherent app security features such as does the app support encryption of data at rest? Or is the data center that hosts the app SOC compliant? Additional criterial include looking at the terms and conditions of the SaaS provider’s legal agreement and determine if the data uploaded to the app is owned by you or the app vendor. The net-net is that you need the ability to not only discover what cloud apps are running in your environment, but also be able to assess the enterprise-readiness of these apps and ultimately assess the potential risk. <advance to users build> Let’s face it users are inherently risky. Sometimes they don’t make the smartest decisions. Sometimes their behavior is accidental and sometimes it is malicious. The other component to user risk is the fact that the credentials they are using to login to cloud apps is often the same credentials they have been using for months or in some cases years. What if those credentials have been compromised as part of a past data breach? You need to understand your users and verify that their credentials have not been compromised. <advance to activities build> The activities that users perform can present risk. Maybe they were not supposed to share that info outside of the company. It is important to also track down anomalous behaviors that might signal a risky situation. For example users logging into a cloud app from multiple locations in a small time window could signal account hijacking. <advance to data build> The 4th risk vector is data. Data is the lifeblood of any organization and leakage of sensitive data can be costly and damaging to your company’s reputation. Research shows that 18% of files in cloud apps constitute a policy violation. 22% of those files are shared publicly. Final point Any of these factors present risk on their own. When you combine them, you have a perfect storm for bad things to happen. For example, a user with compromised credentials is uploading sensitive data to a risky cloud storage app.
- There is a catch-22 between using the cloud and being safe. The question is should you block everything to mitigate your risk? That may not be the best solution as many people rely on the cloud for anytime, anywhere, access to data and to help them be more productive. Next Slide…
- Netskope believes that Allow is the New Block and you should allow cloud applications, but block the risky activities instead.
- The objectives of Dr. Kavoukian’s Privacy by Design framework is ensuring privacy and gaining personal control over one’s information and, for organizations, gaining a sustainable competitive advantage — may be accomplished by practicing the following 7 Foundational Principles 1. Proactive not Reactive; Preventative not Remedial The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred — it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after. 2. Privacy as the Default Setting We can all be certain of one thing — the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy — it is built into the system, by default. 3. Privacy Embedded into Design Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality. 4. Full Functionality — Positive-Sum, not Zero-Sum Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both. 5. End-to-End Security — Full Lifecycle Protection Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end. 6. Visibility and Transparency — Keep it Open Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify. 7. Respect for User Privacy — Keep it User-Centric Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.
- I would like to share with you 6 steps for mitigating the risk associated with cloud usage without blocking all cloud apps.
- Step 1: As we discussed previously, you need to get a handle on what cloud apps are running in your environment and measure each one’s enterprise-readiness using 40+ factors.
- Step 1: As we discussed previously, you need to get a handle on what cloud apps are running in your environment and measure each one’s enterprise-readiness using 40+ factors.
- Step 2: The next step is to understand how those cloud apps are being used. You need visibility into the details of what the activities are taking in account contextual details such as the app, user, specific activity, and device that was used.
- Step 2: The next step is to understand how those cloud apps are being used. You need visibility into the details of what the activities are taking in account contextual details such as the app, user, specific activity, and device that was used.
- Step 4: Now that we have a framework in place for better understanding our cloud usage, the next step is to take action and enforce policies. Traditional perimeter security is course-grained only allowing you to block at the app level. Cloud security 2.0 supports the ability to block at the activity level. In addition, you can bring context into your policies and be precise. <next slide>
- Step 4: Now that we have a framework in place for better understanding our cloud usage, the next step is to take action and enforce policies. Traditional perimeter security is course-grained only allowing you to block at the app level. Cloud security 2.0 supports the ability to block at the activity level. In addition, you can bring context into your policies and be precise. <next slide>
- Step 2: The next step is to understand how those cloud apps are being used. You need visibility into the details of what the activities are taking in account contextual details such as the app, user, specific activity, and device that was used.
- Step 4: The 4th step is all about the data. Preventing data leakage should be a key component to your cloud security strategy. You need to ensure that you employ 360 degree data protection, looking for sensitive data tied to an activity such as upload, download, and share and also be able to eDiscovery sensitive data already stored in a cloud app. It is also important to point out that not all DLP solutions are created equal. Look for one with robust capabilities such as support for hundreds of file types and data identifiers, custom regex, proximity, and fingerprinting. Also look for a DLP solution that can bring contextual details into DLP policies.
- Step 4: Now that we have a framework in place for better understanding our cloud usage, the next step is to take action and enforce policies. Traditional perimeter security is course-grained only allowing you to block at the app level. Cloud security 2.0 supports the ability to block at the activity level. In addition, you can bring context into your policies and be precise. <next slide>
- Step 6 In the immortal words of Jerry McGuire… Help me, help you! You want security, they want to use apps. Help them get use these apps securely by communicating. Best practices: Customize your coaching messages based on the situation Involve users as part of the workflow; enable them to justify their actions Implement an automated quarantine process for sensitive data and a workflow to approve or deny content
- Here, in summary, are my 6 steps. I am confident if you follow these, you will have a safer cloud experience.