12:00 PM
Connect Directly
E-Mail vvv

Cloud Apps & Security: When Sharing Matters

Sharing documents and data is happening all over the cloud today but not all sharing activity carries equal risk.

By far the coolest thing about cloud apps is the ability to share data. Whether you’re sharing the latest sales presentation, a link to a customer video, a win/loss report, or a transaction analysis in your business intelligence app, the ability to click a link and quickly collaborate with your team, your boss, or your partner is critical.

Every quarter at Netskope, we do a retrospective analysis on usage, activities, and policy violations in our cloud. We look at anonymized, aggregated data across tens of billions of transactions from millions of users and report on trends in the Netskope Cloud Report. A key theme that emerged this quarter is the activity of sharing.

When we think of sharing, what comes to mind is sharing documents like presentations and contracts within a cloud storage app like Box, Google Drive, or Egnyte. Yes, it’s definitely that; in fact, within that category, there are three shares for every one upload. That’s a pretty telling statistic about data movement in the cloud via the sharing activity.

But perhaps even more telling is that sharing is happening all over the cloud, not just in cloud storage apps. We cover 55 different app categories, from customer relationship management, to finance and accounting, to human resources, to supply chain management. We noticed that people share in apps in 49 of those categories. More than one out of every five cloud apps enables sharing. Three popular non-storage apps that enable sharing include financial and human resources app Workday, project management app Trello, and productivity app Evernote.

What makes some cloud apps more enterprise-ready than others?
(Source: Netskope)
(Source: Netskope)

If you are a member of an enterprise security team you are likely responsible for protecting your organization’s sensitive data. But you probably have little or no visibility into the cloud apps running in your IT environments -- let alone which of those apps enable sharing, and whether data is being uploaded to and shared from those apps.

Sharing can be very benign or very risky, depending on content and context. It can range from a user sharing pictures from a company picnic to an “insider” sharing nonpublic financial results with investors, an engineer sharing top secret product designs with collaborators outside of the company, or an executive inadvertently sharing the company’s acquisition plans with an unauthorized party.

The trick is to know which apps are running in your environment, which enable sharing, and what data they house. Having that data in your hands helps you have a fruitful conversation with your line of business leaders about the risks and benefits of the apps, the data in those apps, and how and with whom it's being shared. Only then can you address the real security risk and create policies that shape sharing versus blocking cloud apps altogether.

Do you know how much uploading and downloading to the cloud is going on in your organization? Let's chat about that in the comments. 

Krishna Narayanaswamy is a founder and chief scientist of Netskope, a leader in cloud app analytics and policy enforcement based in Los Altos, Calif. He is a highly regarded researcher in deep packet inspection, security, and behavioral anomaly detection and leads Netskope's ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Re: Crux of the problem
@Marilyn The proportion of sharing to uploads is not that surprising. One factor that plays into this is the profileration of devices in the enterprise. A study done by Cisco a few years back revealed that the average number of devices per enterprise user is around 3. Another interseting observation is the native clients of cloud apps on mobile endpoints make it extremely easy to share content. The combination of the two creates a pyramid effect for a share that a user initiates. My prediction is that we will see the number of shares grow even further.

@aws0513 - thanks for sharing your thoughts on the issue of sharing and access to sensitive data. I agree with you that us humans are the weak links in the chain. The need to know concept has been deployed successfully in the classified networks (albeit closed) using technology tools. The challenge we are faced with is the evolution of distributed public data repositories (cloud storage) and agile processes where access to data from anywhere, any device and anytime is key to the success of businesses. In fact the "need to know" paradigm can be implemented especially for cloud apps using cloud app control solutions (also referred to as cloud access security brokers) that provide granular policy enforcement for activities that deal with sensitive data like sharing.
User Rank: Ninja
8/19/2014 | 2:21:17 PM
Re: Crux of the problem
While it is true that sharing is not necessarily evil, the need for policy regarding the concept of "need to know" should be pervasive throughout the organization, not just in terms of computer systems or a cloud environment.
In many organizations, the policies regarding sensitive or regulatory data are already well founded.  For organizations that must collaborate with others regarding sensitive data, specific protocols, agreements, trust chains, and management structures are usually well established before any data exchanges take place

The problem for security professionals that are tasked to enforce those policies is that no easy to implement system, electronic or not, will provide an automated means to easily identify when unauthorized sharing of sensitive data is taking place.  Much less prevent such activity.

Certainly, the organization can implement a MAC security model for managing sensitive data, and even turn on intensive C2 logging for all the systems involved with data management and sharing.  I have worked in such situations and believe me when I say that this is very expensive and involves a lot of overhead in terms of people to make it work right.  Even with such an environment, need to know is still part of the collaboration and sharing equation.

In the end, it is people who really need to be able to understand and enforce the concept of need to know when it comes to data collaboration and sharing.  If the people involved with managing and handling sensitive data do not understand and adhere to the need to know concept and how it is to be enforced, then unauthorized data sharing will happen regardless of policy.  That fact gives government and private entities around the world great heartburn.  In our world today, one person with access to sensitive data can completely upturn all of the work, plans, and reputation of any organization.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
8/19/2014 | 1:29:36 PM
Re: Crux of the problem
Thanks @Krishna. Were you surprised about the amount of sharing along with uploading and downloading that you discovered in the data? (Three shares for every upload in storage apps). Do you think that's going to increase?
Re: Crux of the problem
Marilyn - your observation is spot on. Studies have shown that collaboration as enabled by sharing in cloud apps has helped grow not only the top line but the bottom line of businesses. The key is to address the risk and reap the rewards of sharing in the enterprsie. Some of the important factors to consider in sharing are - who are the users the content is being shared with, the domains they belong to (internal vs external), content type and classification (sensitive vs benign), risk posture of the cloud app etc. By adopting a cloud app control solution that provides the capability to address the above factors in a policy, enterprises can safely enable sharing in cloud apps and experience the benefits of doing so.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
8/19/2014 | 9:01:05 AM
Crux of the problem
It occurs to me that what will be most challenging for enterprise security teams is that "sharing" is not in of self a good thing or a bad thing. As Krishna writes, it can be "very benign or very risky, depending on content and context." So policy discussion will require a fair amount of research and discussion.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.