Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Cloud Apps & Security: When Sharing Matters
Newest First  |  Oldest First  |  Threaded View
krishna@netskope.com
50%
50%
[email protected],
 User Rank: Author
8/19/2014 | 6:23:09 PM
Re: Crux of the problem
@Marilyn The proportion of sharing to uploads is not that surprising. One factor that plays into this is the profileration of devices in the enterprise. A study done by Cisco a few years back revealed that the average number of devices per enterprise user is around 3. Another interseting observation is the native clients of cloud apps on mobile endpoints make it extremely easy to share content. The combination of the two creates a pyramid effect for a share that a user initiates. My prediction is that we will see the number of shares grow even further.

@aws0513 - thanks for sharing your thoughts on the issue of sharing and access to sensitive data. I agree with you that us humans are the weak links in the chain. The need to know concept has been deployed successfully in the classified networks (albeit closed) using technology tools. The challenge we are faced with is the evolution of distributed public data repositories (cloud storage) and agile processes where access to data from anywhere, any device and anytime is key to the success of businesses. In fact the "need to know" paradigm can be implemented especially for cloud apps using cloud app control solutions (also referred to as cloud access security brokers) that provide granular policy enforcement for activities that deal with sensitive data like sharing.
aws0513
50%
50%
aws0513,
 User Rank: Ninja
8/19/2014 | 2:21:17 PM
Re: Crux of the problem
While it is true that sharing is not necessarily evil, the need for policy regarding the concept of "need to know" should be pervasive throughout the organization, not just in terms of computer systems or a cloud environment.
In many organizations, the policies regarding sensitive or regulatory data are already well founded.  For organizations that must collaborate with others regarding sensitive data, specific protocols, agreements, trust chains, and management structures are usually well established before any data exchanges take place

The problem for security professionals that are tasked to enforce those policies is that no easy to implement system, electronic or not, will provide an automated means to easily identify when unauthorized sharing of sensitive data is taking place.  Much less prevent such activity.

Certainly, the organization can implement a MAC security model for managing sensitive data, and even turn on intensive C2 logging for all the systems involved with data management and sharing.  I have worked in such situations and believe me when I say that this is very expensive and involves a lot of overhead in terms of people to make it work right.  Even with such an environment, need to know is still part of the collaboration and sharing equation.

In the end, it is people who really need to be able to understand and enforce the concept of need to know when it comes to data collaboration and sharing.  If the people involved with managing and handling sensitive data do not understand and adhere to the need to know concept and how it is to be enforced, then unauthorized data sharing will happen regardless of policy.  That fact gives government and private entities around the world great heartburn.  In our world today, one person with access to sensitive data can completely upturn all of the work, plans, and reputation of any organization.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
8/19/2014 | 1:29:36 PM
Re: Crux of the problem
Thanks @Krishna. Were you surprised about the amount of sharing along with uploading and downloading that you discovered in the data? (Three shares for every upload in storage apps). Do you think that's going to increase?
krishna@netskope.com
50%
50%
[email protected],
 User Rank: Author
8/19/2014 | 1:21:01 PM
Re: Crux of the problem
Marilyn - your observation is spot on. Studies have shown that collaboration as enabled by sharing in cloud apps has helped grow not only the top line but the bottom line of businesses. The key is to address the risk and reap the rewards of sharing in the enterprsie. Some of the important factors to consider in sharing are - who are the users the content is being shared with, the domains they belong to (internal vs external), content type and classification (sensitive vs benign), risk posture of the cloud app etc. By adopting a cloud app control solution that provides the capability to address the above factors in a policy, enterprises can safely enable sharing in cloud apps and experience the benefits of doing so.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
8/19/2014 | 9:01:05 AM
Crux of the problem
It occurs to me that what will be most challenging for enterprise security teams is that "sharing" is not in of self a good thing or a bad thing. As Krishna writes, it can be "very benign or very risky, depending on content and context." So policy discussion will require a fair amount of research and discussion.


News
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29430
PUBLISHED: 2021-04-15
Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it mak...
CVE-2021-29431
PUBLISHED: 2021-04-15
Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform a...
CVE-2021-29432
PUBLISHED: 2021-04-15
Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.
CVE-2021-29447
PUBLISHED: 2021-04-15
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has be...
CVE-2021-30245
PUBLISHED: 2021-04-15
The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to ...