12:00 PM
Connect Directly

Cloud Apps & Security: When Sharing Matters

Sharing documents and data is happening all over the cloud today but not all sharing activity carries equal risk.

By far the coolest thing about cloud apps is the ability to share data. Whether you’re sharing the latest sales presentation, a link to a customer video, a win/loss report, or a transaction analysis in your business intelligence app, the ability to click a link and quickly collaborate with your team, your boss, or your partner is critical.

Every quarter at Netskope, we do a retrospective analysis on usage, activities, and policy violations in our cloud. We look at anonymized, aggregated data across tens of billions of transactions from millions of users and report on trends in the Netskope Cloud Report. A key theme that emerged this quarter is the activity of sharing.

When we think of sharing, what comes to mind is sharing documents like presentations and contracts within a cloud storage app like Box, Google Drive, or Egnyte. Yes, it’s definitely that; in fact, within that category, there are three shares for every one upload. That’s a pretty telling statistic about data movement in the cloud via the sharing activity.

But perhaps even more telling is that sharing is happening all over the cloud, not just in cloud storage apps. We cover 55 different app categories, from customer relationship management, to finance and accounting, to human resources, to supply chain management. We noticed that people share in apps in 49 of those categories. More than one out of every five cloud apps enables sharing. Three popular non-storage apps that enable sharing include financial and human resources app Workday, project management app Trello, and productivity app Evernote.

What makes some cloud apps more enterprise-ready than others?
(Source: Netskope)
(Source: Netskope)

If you are a member of an enterprise security team you are likely responsible for protecting your organization’s sensitive data. But you probably have little or no visibility into the cloud apps running in your IT environments -- let alone which of those apps enable sharing, and whether data is being uploaded to and shared from those apps.

Sharing can be very benign or very risky, depending on content and context. It can range from a user sharing pictures from a company picnic to an “insider” sharing nonpublic financial results with investors, an engineer sharing top secret product designs with collaborators outside of the company, or an executive inadvertently sharing the company’s acquisition plans with an unauthorized party.

The trick is to know which apps are running in your environment, which enable sharing, and what data they house. Having that data in your hands helps you have a fruitful conversation with your line of business leaders about the risks and benefits of the apps, the data in those apps, and how and with whom it's being shared. Only then can you address the real security risk and create policies that shape sharing versus blocking cloud apps altogether.

Do you know how much uploading and downloading to the cloud is going on in your organization? Let's chat about that in the comments. 

Krishna Narayanaswamy is a founder and chief scientist of Netskope, a leader in cloud app analytics and policy enforcement based in Los Altos, Calif. He is a highly regarded researcher in deep packet inspection, security, and behavioral anomaly detection and leads Netskope's ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
8/19/2014 | 6:23:09 PM
Re: Crux of the problem
@Marilyn The proportion of sharing to uploads is not that surprising. One factor that plays into this is the profileration of devices in the enterprise. A study done by Cisco a few years back revealed that the average number of devices per enterprise user is around 3. Another interseting observation is the native clients of cloud apps on mobile endpoints make it extremely easy to share content. The combination of the two creates a pyramid effect for a share that a user initiates. My prediction is that we will see the number of shares grow even further.

@aws0513 - thanks for sharing your thoughts on the issue of sharing and access to sensitive data. I agree with you that us humans are the weak links in the chain. The need to know concept has been deployed successfully in the classified networks (albeit closed) using technology tools. The challenge we are faced with is the evolution of distributed public data repositories (cloud storage) and agile processes where access to data from anywhere, any device and anytime is key to the success of businesses. In fact the "need to know" paradigm can be implemented especially for cloud apps using cloud app control solutions (also referred to as cloud access security brokers) that provide granular policy enforcement for activities that deal with sensitive data like sharing.
User Rank: Moderator
8/19/2014 | 2:21:17 PM
Re: Crux of the problem
While it is true that sharing is not necessarily evil, the need for policy regarding the concept of "need to know" should be pervasive throughout the organization, not just in terms of computer systems or a cloud environment.
In many organizations, the policies regarding sensitive or regulatory data are already well founded.  For organizations that must collaborate with others regarding sensitive data, specific protocols, agreements, trust chains, and management structures are usually well established before any data exchanges take place

The problem for security professionals that are tasked to enforce those policies is that no easy to implement system, electronic or not, will provide an automated means to easily identify when unauthorized sharing of sensitive data is taking place.  Much less prevent such activity.

Certainly, the organization can implement a MAC security model for managing sensitive data, and even turn on intensive C2 logging for all the systems involved with data management and sharing.  I have worked in such situations and believe me when I say that this is very expensive and involves a lot of overhead in terms of people to make it work right.  Even with such an environment, need to know is still part of the collaboration and sharing equation.

In the end, it is people who really need to be able to understand and enforce the concept of need to know when it comes to data collaboration and sharing.  If the people involved with managing and handling sensitive data do not understand and adhere to the need to know concept and how it is to be enforced, then unauthorized data sharing will happen regardless of policy.  That fact gives government and private entities around the world great heartburn.  In our world today, one person with access to sensitive data can completely upturn all of the work, plans, and reputation of any organization.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
8/19/2014 | 1:29:36 PM
Re: Crux of the problem
Thanks @Krishna. Were you surprised about the amount of sharing along with uploading and downloading that you discovered in the data? (Three shares for every upload in storage apps). Do you think that's going to increase?
User Rank: Author
8/19/2014 | 1:21:01 PM
Re: Crux of the problem
Marilyn - your observation is spot on. Studies have shown that collaboration as enabled by sharing in cloud apps has helped grow not only the top line but the bottom line of businesses. The key is to address the risk and reap the rewards of sharing in the enterprsie. Some of the important factors to consider in sharing are - who are the users the content is being shared with, the domains they belong to (internal vs external), content type and classification (sensitive vs benign), risk posture of the cloud app etc. By adopting a cloud app control solution that provides the capability to address the above factors in a policy, enterprises can safely enable sharing in cloud apps and experience the benefits of doing so.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
8/19/2014 | 9:01:05 AM
Crux of the problem
It occurs to me that what will be most challenging for enterprise security teams is that "sharing" is not in of self a good thing or a bad thing. As Krishna writes, it can be "very benign or very risky, depending on content and context." So policy discussion will require a fair amount of research and discussion.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.