
Cloud
6/25/2014 12:00 PM
Tal Klein
Commentary

Cloud Security: Think Today’s Reality, Not Yesterday’s Policy

SaaS, BYOD, and mobility are inseparable, yet time and time again companies attempt to compartmentalize the three when they make a move to the cloud. That's a big mistake.

When an enterprise sanctions or whitelists a SaaS application, promoting it out of "Shadow IT" without allowing that application to be accessed from any device in any location, it further entrenches a dichotomy between the old-guard IT way of thinking (users can be persuaded to access data only over the WAN) and the new guard, which embraces cloud, mobility, and the idea of accessing data anywhere, any time, and from any device.

To underscore the notion of old guard thinking, some companies are even deploying app-level VPNs, which, in the context of SaaS, is like asking employees to use a different browser to access each application. That’s counter-intuitive to the purpose of SaaS adoption because if you require a corporate-prescribed client to access a SaaS application, you obviate the agility that drove lines of business to SaaS in the first place.

If a company has a BYOD policy, it is also making a mistake. BYOD isn't a policy IT creates; it's a fact that IT must contend with. (Note I didn't write "embrace," because IT doesn't have to love it -- though it will learn to do so!) There can't be a subset of approved devices, clients, or browsers through which users may access productivity applications, because creating such a policy invites the specter of Shadow IT -- which, by the way, is not a real thing.

Shadow IT is a derogatory moniker created by control-obsessed IT leaders who fear the pace of progress and the technology democratization spurred by consumerization. IT believes it is facing an end-user Arab Spring that will cause it to lose the level of control it has enjoyed for decades. But in consumerization, business tech users are doing what they've always done, and what humans have done since time immemorial: following the simplest path to productivity.

Shadow IT is what users turn to when the applications and policies offered and proffered by IT are regarded as hurdles to productivity. Whether it’s because the network is too slow, access to some sites is blocked, or a new app simply does the job better, every security control adds friction to the user experience and, as with a rock in the midst of a river, users will naturally flow around the source of friction.

In a recent article, Robert Lemos compared SaaS providers to banks and argued that banks have set a precedent for taking full responsibility for user accounts. He posited that if a bank customer gets infected with malware, and the customer's money is subsequently sent to the Ukraine, it is a problem for the bank. But the comparison is, at best, idealistic. By law, banks assume full liability and provide complete compensation for lost consumer funds, whereas SaaS providers do the opposite, placing the onus of accountability and liability on the customer.

As Gartner noted last year, "[SaaS providers] accept little or no financial responsibility for fulfillment of these vague [security] commitments, so even if it is determined that these obligations were not met, the buyer has no recourse."

Approaching SaaS adoption, BYOD, and mobility as integral elements of a move to the cloud requires enterprise IT to think of information security not as a matter of whitelists and blacklists, but as a model of assumed risk and qualitative loss tethered to today’s reality, not yesterday’s policy.

Tal Klein is Vice President of Strategy at Lakeside Software. Previously, he was vice president of marketing and strategy at Adallom, a leading Cloud Access Security Broker. He was also senior director of products at Bromium where he led product marketing and strategy ...

Comments
Marilyn Cohodas, User Rank: Strategist
6/30/2014 | 2:01:52 PM
Re: Hmm
That's a truly frightening story. But sadly, I believe it. 
TalKlein, User Rank: Author
6/30/2014 | 10:49:25 AM
Re: Hmm
BP,

You ask, "How hard is it to put a VPN on a mobile device and require it to authenticate to the network?" - for the most part it's very hard (I dare say, impossible) when the user is on an unmanaged device on a public network.

Now, you write of highly sensitive environments where security is a core competency of the organization - in those scenarios the trifecta of BYOD/Mobility/SaaS are simply disallowed via policy - and IT has what I call "compliance blinders" on, meaning they simply can't acknowledge that users are breaking policy even though they know they are.

I am reminded of a scenario in a previous company. We were in a meeting at a top secret military contractor facility when all of a sudden someone announced that the CIO was coming. All of a sudden the wifi router was turned off and everyone pocketed their iPhones and started clicking away on their Blackberrys. After the CIO left I asked our contact why the wifi was turned off and iPhones pocketed, and he said, "We're not allowed to surf the public web from this office. As far as the CIO is concerned, it doesn't happen." I asked, "You mean he doesn't know about it?", and his response floored me: "Of course he knows about it, he just can't see it. Plausible deniability, you understand?"

I understood. Do you? :)
Bprince, User Rank: Ninja
6/28/2014 | 1:55:36 AM
Hmm
I agree with the overall point of that last graph, but there is another part of me that quibbles with some of the other points you made. I don't necessarily agree that enterprises should abandon the idea of approved devices, particularly in highly sensitive environments (critical infrastructure, certain government agencies, financial industry, etc). How hard is it to put a VPN client on a mobile device and require it to authenticate to the network? 

BP
Marilyn Cohodas, User Rank: Strategist
6/27/2014 | 4:18:02 PM
Re: Wakeup call to regulators
Aha! All data is not equal, so the idea of performing a triage of sorts in order to protect the most important data makes perfect sense. Thanks for the clarification.
TalKlein, User Rank: Author
6/27/2014 | 10:00:56 AM
Re: Wakeup call to regulators
I think you and I are violently agreeing, perhaps with different expectations of the outcome.

We both agree that everything is broken. Given this fact, I believe we need to start focusing on establishing a risk appetite for data breaches by investing in mechanisms that treat data exfiltration like fraud - to do so, we need to develop operational methods for assigning relative value to data. Personally, you may expend fewer resources protecting your credit card than you do your passport; even though they are both valuable, your risk appetite for losing one may be greater than for the other. We need to apply these types of logic sets to enterprise data. That's the only starting point I can think of in the face of our agreed upon "everything is broken" reality.
TalKlein, User Rank: Author
6/27/2014 | 9:54:38 AM
Re: Wakeup call to regulators
Sorry, that was a typo, should have been:

Not every breach is the same, and the focus should be on identifying the most valuable data to protect, NOT investing in ways to further lock down users.

I think it's very realistic, there's already an established practice called "risk appetite" in the world of risk management. Today risk appetite mostly measures acceptable transactional fraud in things like credit card and financial transactions. Here is a good example: https://annualreport.deutsche-bank.com/2012/ar/managementreport/riskreport/riskstrategyandappetite.html

With data, because we don't know its value, we can't have any risk appetite for its loss. And THAT is the problem. We need to accept that we will lose data and start developing our security framework around controlling risk rather than eliminating risk.
AnonymousMan, User Rank: Moderator
6/27/2014 | 9:28:50 AM
Re: Wakeup call to regulators
This says it better than I ever could: https://medium.com/message/everything-is-broken-81e5f33a24e1

You can't enable, "access to anything, from anything, at any time" without a relative increase in risk to the organization and its customers. Any risk management strategy that starts under the premise that everything can be "securely enabled" has chosen to ignore the reality that "everything is broken".
Marilyn Cohodas, User Rank: Strategist
6/27/2014 | 8:19:28 AM
Wakeup call to regulators
The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users. 

How realistic is this?
TalKlein, User Rank: Author
6/27/2014 | 12:16:00 AM
Re: Shadow IT
"hey IT, this is happening whether you like it or not....do the best you can" is one side of the coin. The other side of the coin is IT working with business units to select and adopt a service that best meets the needs of the company. In my writing I usually refer to this as a philosophical shift IT must take, from being the "jail warden" to becoming the "crossing guard".

None of the recently publicized major breaches were the result of Shadow IT. These were all breaches of sanctioned services, and the attack vector was likely the user and not the platform. The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users.
AnonymousMan, User Rank: Moderator
6/25/2014 | 6:11:34 PM
Re: Shadow IT
I don't disagree that this is the current reality, but I can't help but SMH. "Safely enable" is all too often just a fancy way of saying, "hey IT, this is happening whether you like it or not....do the best you can".  There are fundamental security problems that have simply not been solved.

How many breaches must there be? We are collectively failing to secure IT, everywhere you look. NO ONE has been or is immune to this. At some point, and I think soon, there is going to be a reckoning. I'm talking more gov't control and possibly an alternate Internet. The definition of critical infrastructure isn't being expanded by the US Govt just for giggles. It will be interesting to see these two trends collide.

BTW, Choosing to use SaaS may have nothing to do with "accessing data anywhere, any time, and from any device".