
Comments
Cloud Apps & Security: When Sharing Matters
krishna@netskope.com
User Rank: Author
8/19/2014 | 6:23:09 PM
Re: Crux of the problem
@Marilyn The proportion of sharing to uploads is not that surprising. One factor that plays into this is the proliferation of devices in the enterprise. A study done by Cisco a few years back revealed that the average number of devices per enterprise user is around 3. Another interesting observation is that the native clients of cloud apps on mobile endpoints make it extremely easy to share content. The combination of the two creates a pyramid effect for a share that a user initiates. My prediction is that we will see the number of shares grow even further.

@aws0513 - thanks for sharing your thoughts on the issue of sharing and access to sensitive data. I agree with you that we humans are the weak links in the chain. The need-to-know concept has been deployed successfully in classified networks (albeit closed ones) using technology tools. The challenge we are faced with is the evolution of distributed public data repositories (cloud storage) and agile processes where access to data from anywhere, any device and anytime is key to the success of businesses. In fact, the "need to know" paradigm can be implemented especially for cloud apps using cloud app control solutions (also referred to as cloud access security brokers) that provide granular policy enforcement for activities that deal with sensitive data like sharing.
aws0513
User Rank: Ninja
8/19/2014 | 2:21:17 PM
Re: Crux of the problem
While it is true that sharing is not necessarily evil, the need for policy regarding the concept of "need to know" should be pervasive throughout the organization, not just in terms of computer systems or a cloud environment.
In many organizations, the policies regarding sensitive or regulatory data are already well founded. For organizations that must collaborate with others regarding sensitive data, specific protocols, agreements, trust chains, and management structures are usually well established before any data exchanges take place.

The problem for security professionals that are tasked to enforce those policies is that no easy-to-implement system, electronic or not, will provide an automated means to easily identify when unauthorized sharing of sensitive data is taking place, much less prevent such activity.

Certainly, the organization can implement a MAC security model for managing sensitive data, and even turn on intensive C2 logging for all the systems involved with data management and sharing.  I have worked in such situations and believe me when I say that this is very expensive and involves a lot of overhead in terms of people to make it work right.  Even with such an environment, need to know is still part of the collaboration and sharing equation.

In the end, it is people who really need to be able to understand and enforce the concept of need to know when it comes to data collaboration and sharing.  If the people involved with managing and handling sensitive data do not understand and adhere to the need to know concept and how it is to be enforced, then unauthorized data sharing will happen regardless of policy.  That fact gives government and private entities around the world great heartburn.  In our world today, one person with access to sensitive data can completely upturn all of the work, plans, and reputation of any organization.
Marilyn Cohodas
User Rank: Strategist
8/19/2014 | 1:29:36 PM
Re: Crux of the problem
Thanks @Krishna. Were you surprised about the amount of sharing along with uploading and downloading that you discovered in the data? (Three shares for every upload in storage apps). Do you think that's going to increase?
krishna@netskope.com
User Rank: Author
8/19/2014 | 1:21:01 PM
Re: Crux of the problem
Marilyn - your observation is spot on. Studies have shown that collaboration as enabled by sharing in cloud apps has helped grow not only the top line but the bottom line of businesses. The key is to address the risk and reap the rewards of sharing in the enterprise. Some of the important factors to consider in sharing are: who the users are that the content is being shared with, the domains they belong to (internal vs. external), content type and classification (sensitive vs. benign), the risk posture of the cloud app, etc. By adopting a cloud app control solution that provides the capability to address the above factors in a policy, enterprises can safely enable sharing in cloud apps and experience the benefits of doing so.
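One way to turn the factors named above (recipient domain, content classification, app risk posture) into the kind of granular sharing policy the earlier reply attributes to cloud access security brokers. This is an added example, not code from the thread or from any vendor product; the corporate domains, app names, risk ratings and share events are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed corporate domains and app risk ratings (constructed for this example).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
APP_RISK = {"drive-app": "low", "paste-app": "high"}  # hypothetical app names


@dataclass
class ShareEvent:
    user: str
    recipient: str       # e-mail address the content is shared with
    app: str             # cloud app the share happens in
    classification: str  # "sensitive" or "benign", as labelled by DLP


def recipient_is_external(recipient: str) -> bool:
    """External unless the recipient's domain is ours (subdomains count as internal)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def evaluate_share(ev: ShareEvent) -> Tuple[str, str]:
    """Return (decision, reason). Rules are ordered most restrictive first."""
    external = recipient_is_external(ev.recipient)
    risk = APP_RISK.get(ev.app, "unknown")  # unrated apps are treated as not low risk
    if ev.classification == "sensitive" and external:
        return "block", "sensitive content shared outside the enterprise"
    if ev.classification == "sensitive" and risk != "low":
        return "block", "sensitive content in an app with %s risk posture" % risk
    if external and risk != "low":
        return "alert", "external share from an app with %s risk posture" % risk
    if ev.classification == "sensitive":
        return "alert", "internal share of sensitive content, logged for need-to-know review"
    return "allow", "benign content"


def summarize(events: List[ShareEvent]) -> Dict[str, int]:
    """Count decisions across a batch of share events."""
    counts = {"block": 0, "alert": 0, "allow": 0}
    for ev in events:
        counts[evaluate_share(ev)[0]] += 1
    return counts


SAMPLE_EVENTS = [  # constructed sample activity, not real data
    ShareEvent("alice@example.com", "bob@corp.example.com", "drive-app", "benign"),
    ShareEvent("alice@example.com", "partner@other.org", "drive-app", "sensitive"),
    ShareEvent("carol@example.com", "dave@example.com", "paste-app", "sensitive"),
    ShareEvent("carol@example.com", "eve@gmail.com", "paste-app", "benign"),
    ShareEvent("alice@example.com", "bob@example.com", "drive-app", "sensitive"),
]
```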
Marilyn Cohodas
User Rank: Strategist
8/19/2014 | 9:01:05 AM
Crux of the problem
It occurs to me that what will be most challenging for enterprise security teams is that "sharing" is not in and of itself a good thing or a bad thing. As Krishna writes, it can be "very benign or very risky, depending on content and context." So policy discussion will require a fair amount of research and discussion.

