Cloud
6/25/2014
12:00 PM
Tal Klein
Tal Klein
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud Security: Think Today’s Reality, Not Yesterday’s Policy

SaaS, BYOD, and mobility are inseparable, yet time and time again companies attempt to compartmentalize the three when they make a move to the cloud. That's a big mistake.

When an enterprise sanctions or whitelists a SaaS application, promoting it out of "Shadow IT" without allowing for that application to be accessed from any device in any location, it further establishes a dichotomy between the old guard IT way of thinking (users can be persuaded to access data only over the WAN) and the new guard that embraces cloud, mobility, and the idea of accessing data anywhere, any time, and from any device.

To underscore the notion of old guard thinking, some companies are even deploying app-level VPNs, which, in the context of SaaS, is like asking employees to use a different browser to access each application. That’s counter-intuitive to the purpose of SaaS adoption because if you require a corporate-prescribed client to access a SaaS application, you obviate the agility that drove lines of business to SaaS in the first place.

If a company has a BYOD policy, they’re also making a mistake. BYOD isn’t a policy IT creates, it’s a fact that IT must contend with. (Note I didn’t write "embrace," because IT doesn’t have to love it -- though they will learn to do so!) There can’t be a subset of approved devices, clients, or browsers through which users could access productivity applications, because creating such a policy invites the specter of Shadow IT -- which, by the way, is not a real thing.

Shadow IT is a derogatory moniker created by control-obsessed IT leaders who fear the pace of progress and technology democratization spurred by consumerization. IT believes that they are facing an end-user Arab Spring that will cause them to lose the level of control they’ve enjoyed for decades. But in consumerization business tech users are doing what they’ve always done, and what humans have been doing for time immemorial: following the simplest path to productivity.

Shadow IT is what users turn to when the applications and policies offered and proffered by IT are regarded as hurdles to productivity. Whether it’s because the network is too slow, access to some sites is blocked, or a new app simply does the job better, every security control adds friction to the user experience and, as with a rock in the midst of a river, users will naturally flow around the source of friction.

In a recent article, Robert Lemos compared SaaS providers to banks and argued that banks have set a precedent for taking full responsibility over the user accounts. He posited that if bank customer gets infected with malware, and the customer’s money is subsequently sent to the Ukraine, it is a problem for the banks. But the comparison is, at best, idealistic. By law, banks assume full liability and provide complete compensation for lost consumer funds whereas SaaS providers do the opposite, placing the onus of accountability and liability on the customer.

As Gartner noted last year, "[SaaS providers] accept little or no financial responsibility for fulfillment of these vague [security] commitments, so even if it is determined that these obligations were not met, the buyer has no recourse."

Approaching SaaS adoption, BYOD, and mobility as integral elements of a move to the cloud requires enterprise IT to think of information security not as a matter of whitelists and blacklists, but as a model of assumed risk and qualitative loss tethered to today’s reality, not yesterday’s policy.

Tal Klein is Vice President of Strategy at Adallom. Previously, he was senior director of products at Bromium where he led product marketing and strategy from stealth mode to a multimillion-dollar business, disrupting the enterprise information security landscape. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/30/2014 | 2:01:52 PM
Re: Hmm
That's a truly frightening story. But sadly, I believe it. 
TalKlein
50%
50%
TalKlein,
User Rank: Author
6/30/2014 | 10:49:25 AM
Re: Hmm
BP,

You ask, "How hard is it to put a VPN on a mobile device and require it to authenticate to the network?" - for the most part it's very hard (I dare say, impossible) when the user is on an unmanaged device on a public network.

Now, you write of highly sensitive environments where security is a core competency of the organization - in those scenarios the trifecta of BYOD/Mobility/SaaS are simply disallowed via policy - and IT has what I call "compliance blinders" on, meaning they simply can't acklowledge that users are breaking policy even though they know they are.

I am reminded of a scenario in a previous company, we were in a meeting at a top secret military contractor facility when all of a sudden someone announced that the CIO was coming. All of a sudden the wifi router was turned off and everyone pocketed their iPhones, and started clicking away on their Blackberry's. After the CIO left I asked our contact why the wifi was turned off and iPhones pocketed, and he said, "we're not allowed to surf the public web from this office. As far as the CIO is concerned, it doesn't happen." I asked, "You mean he doesn't know about it?", and his response floored me, "Of course he knows about it, he just can't see it. Plausible deniability, you understand?"

I understood. Do you? :)
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/28/2014 | 1:55:36 AM
Hmm
I agree with the overall point of that last graph, but there is another part of me that quibbles with some of the other points you made. I don't necessarily agree that enterprises should abandon the idea of approved devices, particularly in highly sensitive environments (critical infrastructure, certain government agencies, financial industry, etc). How hard is it to put a VPN client on a mobile device and require it to authenticate to the network? 

BP
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/27/2014 | 4:18:02 PM
Re: Wakeup call to regulators
Aha!  All data is not equal so the the idea of performing a triage of sorts in order to protect the most important data makes perfect sense. Thanks for the clarification. 
TalKlein
50%
50%
TalKlein,
User Rank: Author
6/27/2014 | 10:00:56 AM
Re: Wakeup call to regulators
I think you and I are violently agreeing, perhaps with different expectations of the outcome.

We both agree that everything is broken. Given this fact, I believe we need to start focusing on establishing a risk appetite for data breaches by investing in mechanisms that treat data exfiltration like fraud - to do so, we need to develop operational methods for assigning relative value to data. Personally, you may expend less resources protecting your credit card than you do your passport, even though they are both valuable, your risk appetite for losing one may be greater than the other. We need to apply these types of logic sets to enterprise data. That's the only starting point I can think of in the face of our agreed upon "everything is broken" reality.
TalKlein
100%
0%
TalKlein,
User Rank: Author
6/27/2014 | 9:54:38 AM
Re: Wakeup call to regulators
Sorry, that was a typo, should have been:

Not every breach is the same, and the focus should be on identifying the most valuable data to protect, NOT investing in ways to further lock down users.

I think it's very realistic, there's already an established practice called "risk appetite" in the world of risk management. Today risk appetite mostly measures acceptable transactional fraud in things like credit card and financial transactions. Here is a good example: https://annualreport.deutsche-bank.com/2012/ar/managementreport/riskreport/riskstrategyandappetite.html

With data, because we don't know it's value, we can't have any risk appetite for its loss. And THAT is the problem. We need to accept the we will lose data and start developing our security framework around controlling risk rather than eliminating risk.
AnonymousMan
50%
50%
AnonymousMan,
User Rank: Moderator
6/27/2014 | 9:28:50 AM
Re: Wakeup call to regulators
This says it better than I ever could: https://medium.com/message/everything-is-broken-81e5f33a24e1

You can't enable, "access to anything, from anything, at any time" without a relative increase in risk to the organization and its customers. Any risk management strategy that starts under the premise that everything can be "securely enabled" has chosen to ignore the reality that "everything is broken".
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/27/2014 | 8:19:28 AM
Wakeup call to regulators
The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users. 


How realistic is this? 

 
TalKlein
100%
0%
TalKlein,
User Rank: Author
6/27/2014 | 12:16:00 AM
Re: Shadow IT
"hey IT, this is happening whether you like it or not....do the best you can" is one side of the coin. The other side of the coin is IT working with business units to select and adopt a service that best meets the needs of the company. In my writing I usually refer to this as a philosophical shift IT must take, from being the "jail warden" to becoming the "crossing guard".

None of the recently publicized major breaches were the result of Shadow IT. These were all breaches of sactioned services, and the attack vector was likely the user and not the platform. The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users. 

 
AnonymousMan
50%
50%
AnonymousMan,
User Rank: Moderator
6/25/2014 | 6:11:34 PM
Re: Shadow IT
I don't disagree that this is the current reality, but I can't help but SMH. "Safely enable" is all too often just a fancy way of saying, "hey IT, this is happening whether you like it or not....do the best you can".  There are fundamental security problems that have simply not been solved.

How many breaches must there be? We are collectively failing to secure IT, everywhere you look. NO ONE has been or is immune to this. At some point, and I think soon, there is going to be a reckoning. I'm talking more gov't control and possibly an alternate Internet. The definition of critical infrastructure isn't being expanded by the US Govt just for giggles. It will be interesting to see these two trends collide.

BTW, Choosing to use SaaS may have nothing to do with "accessing data anywhere, any time, and from any device".
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.