Skyhigh Cloud Security Part 2: Let There Be Light

Previously, we discussed at a very high level the different threat vectors that enterprises need to address when using cloud services, and how Skyhigh can be used to address them.

The role of IT is changing from provider to enabler and service broker. We want to remove the stigma of Shadow IT, which implies that people are doing something devious. We want to help our businesses be more productive and smarter in the way they work.

The Skyhigh solution can discover cloud usage and increase the effectiveness of our cloud policies and governance. The Skyhigh solution for Shadow IT can discover our “proxy/firewall leakage”, where some cloud service traffic is leaked. We can then use that information to identify the leakage points and “plug” the leaks by blocking the traffic and educating the business.

The Skyhigh solution will help us analyse cloud usage to ensure that malicious activity is not hurting our business. This can vary from an honest mistake, to a departing employee mining data, to attackers exfiltrating data. Anomalies are also analysed, and user logs play an important role in detecting various threats, such as a compromised account logging in from two geographically separate locations in a matter of minutes.

Encourage the business to use cloud services to gain competitive advantage, but also protect the business by setting up policies on the back end to ensure that the use of cloud is compliant with industry regulations and internal policies. The Skyhigh solution is able to extend on-premises DLP policies to cloud services.

Encryption is another consideration when we are trying to comply with regulatory requirements. In fact, only 9.4% of cloud service providers encrypt data at rest, and only 1.1% support customer-managed encryption keys. File sharing services alone account for 39% of all company data uploaded to the cloud, and the average company uses 49 such services. What’s more, among file sharing users, 34% have uploaded sensitive information such as personally identifiable information (PII), protected health information (PHI), payment card data, or other forms of confidential data. Altogether, 21% of documents uploaded to file sharing services contain some sensitive data. When this information is stored unencrypted, it is vulnerable to data breaches, privileged user abuse, and blind government subpoenas.

Security best practices, as well as many government and industry regulations, call for data at rest to be encrypted no matter where it resides, but especially when it’s in the cloud. Data in the cloud is often not under the strict control of its owner. For example, third parties such as the cloud service provider and the underlying infrastructure hosting provider may be able to access the data. A data breach – whether intentional or inadvertent – can expose your data to others.

It’s also true that under the USA PATRIOT Act, the U.S. Federal government can legally subpoena your data, and the cloud provider is required by law to provide it without telling you that your data has been furnished to the government. The best way to prevent this from happening to your organization is to encrypt data stored in the cloud using encryption keys that you manage, rather than ones the cloud provider manages. However, just 1.1% of cloud providers support encryption using customer-managed encryption keys, which can thwart blind government subpoenas of corporate data.


These are all reason enough to not store your sensitive data in the clear in cloud services at any time. There are numerous approaches to implementing encryption for your data—on premises, in the cloud, as part of the SaaS application, via a third party provider, etc. The most important consideration, however, is who has control over the encryption keys. Any entity that has access to the keys would also have access to the data in the clear. Do you want to give that kind of power to your cloud provider? Doing so certainly violates recommended best practices and it might even put your company at odds with security mandates within regulations such as PCI DSS, HIPAA, GLBA and many others.

We need light on all the cloud services to help us understand the risks and the impact on our business, so that we can be the enabler and service broker. Please do not hesitate to contact me regarding the Skyhigh solution for your environment and how to secure your environment in the age of services.


