1/12/2015 10:30 AM

Insider Threat, Shadow IT Concerns Spur Cloud Security

Surveys show cloud tops 2015 priorities.

As security professionals set their priorities for 2015, cloud security initiatives once again sit at the top of their to-do lists. According to two surveys released in the past week, insider threat and shadow IT concerns continue to thrust cloud security to the forefront, with cloud identity and access management and cloud governance among the controls needing the most help.

“As companies move data to the cloud, they are looking to put in place policies and processes so that employees can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data,” said Jim Reavis, CEO of the Cloud Security Alliance, which together with vendor Skyhigh released a report that showed cloud security as the top security priority for IT organizations in 2015.

The highlights from the survey detailed in that report showed that only about 8 percent of organizations today believe they truly know the scope of unauthorized cloud purchasing—so-called shadow IT. This jibes with findings in another report released last week from Netskope, which showed that IT professionals constantly underestimate the extent of shadow IT in their organization—with organizations estimating one-tenth of the actual number of apps found by cloud app audits.

This poses scary consequences as organizational data exits corporate boundaries within unsanctioned apps. For example, 17 percent of organizations last year experienced an insider incident, according to the CSA report, and 15 percent of corporate cloud users have had their credentials compromised, according to the Netskope report.

Part of the reason this situation has arisen is that security organizations are ill-equipped to help their businesses move quickly toward the cloud through well-crafted and balanced cloud governance policies. According to the CSA survey, about a third of organizations today are full-steam ahead with cloud adoption, and 51 percent of respondents feel pressured to approve services that don't meet security or compliance requirements. But just 16 percent of organizations have a fully enforced cloud governance policy.

What's more, even among organizations that have a policy or are in the middle of creating one through a cloud governance committee, just 43 percent include line-of-business representation.

“Employees today have shifted from thinking of apps as a nice-to-have to a must-have, and CISOs must continue to adapt to that trend to secure their sensitive corporate and customer data across all cloud apps, including those unsanctioned by IT,” says Sanjay Beri, CEO and founder of Netskope. 

As the CSA concludes in its report, IT in 2015 must find better ways to govern data in the cloud similar to data on premises. Not only will that take investment in enforcement technology, but also collaboration with the very stakeholders who are driving cloud adoption in the first place.

"IT will also need to work more collaboratively with business users to understand the motivations behind shadow IT and enable the cloud services that drive employee productivity and growth in the business without sacrificing security," the report concludes.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
tprendergast (User Rank: Author), 1/12/2015 10:00:08 PM
Re: Reality Bites
Reality is -- every organization is using cloud computing in some form. I've found the most risk averse organizations tend to be the ones who realize it least:

SalesForce, Workday, ADP, etc...

The list goes on and on for the processes we've outsourced for convenience, store our (potentially) most critical data in, and never remember to question it because we've come to accept those cloud services in the name of efficiency or reliability in function. 

Now that we, as an industry, are outsourcing some of the core functions of IT, there is a sudden objection. The reason is because people and process are subject to disruption, and traditional IT functions don't understand (or don't want to understand) the new world order. This leaves them at perceived risk of losing the world they know, so terms like "shadow IT" were created to polarize the conversation. The business, not rogue employees, is moving workloads outside the constraints of traditional IT to capitalize on the gains possible through agility and time-to-market. The business will follow the money, and IT will follow the business. Savvy IT shops get ahead of the business and create a security process that enables the business, as opposed to security as a gating factor as it has historically been.

"Will they adjust" is the wrong question. "Where in the adoption cycle will they adjust" is the correct question, IMO.
PZav (User Rank: Author), 1/12/2015 8:02:27 PM
Reality Bites
Of course in a perfect world all organizations would be able to adjust for technologies like cloud accordingly. But in the real world that's probably not going to be realistic in most cases. I wonder if those who are on the side of adoption controls have already lost and now the name of the game is how do we secure this now that this floodgate is open?
tprendergast (User Rank: Author), 1/12/2015 7:48:03 PM
Security Investments need refreshed, not just a "shadow-IT" problem
One of the interesting things that keep being bubbled up from these surveys is that we, as an industry, are quick to categorize unexpected usage as "Shadow IT". What is really happening is that we are seeing the commoditization of IT outpace the availability of security technologies. One side is rushing to make it easier to get the technologies necessary to be agile in today's world, and the other is almost sitting still on legacy investments and technologies due to poor planning and preparation. So we, collectively as security people, were quick to demonize this as "Shadow IT", when it is really the business need driving the organization forward in our absence.

Even in the organizations that have prepared themselves for the shift, security professionals are fighting to get the budget they need to refresh their toolkit. We're shifting from a model of enterprise security sales (on 3-5 year cycles) to annual cycles necessitated by the rapidly moving cloud industry. There are several good new security paradigms being built out by startups and incumbents alike for the cloud ecosystems, but uptake is slower because organizations don't want to run multiple panes of glass to obtain a view of their risk and security postures. As we see integrations into devops toolchains, legacy security products, and even natively into cloud provider platforms, we will see the adoption rate lift significantly.

The biggest threat to cloud adoption is not malicious hackers or state-sponsored attacks, but human error, policy failure, and lack of transparency into your global security posture. Those are the key things that must be managed to enable cloud adoption with full access to the agility and flexibility that cloud can provide to organizations.
