[Originally posted in Oracle Magazine]
By Alan Zeichick
Want to protect your assets in the cloud? You need to know what those assets are and who is using them. Your security teams must be able to see everything going on in the cloud infrastructure, from the cloud’s core to its edge. They need to be certain about which parts of your cloud applications are the business’s responsibility to secure—and which fall under the domain of the cloud service provider. And at the C level, the chief information security officer (CISO) must have a seat at the table during each and every discussion that involves acquiring or using new cloud applications or resources, in order to make sure those services are safe and compliant with enterprise policies.
Those are three of the top takeaways from the “Oracle and KPMG Cloud Threat Report 2019.” Attention to cloud security is essential for modern-day enterprises—as a glance at any newspaper instantly communicates, with headlines reporting downloads of unsecured customer files from retailers, theft of intellectual property from tech firms, and complete business disruption.
Cloud security is a big challenge for another reason: Enterprise use of the cloud has reached surprising levels of adoption and is continuing to increase. In the Oracle/KPMG study, 7 out of 10 organizations reported an increase in the use of business-critical cloud services—and there’s a huge increase in the number of enterprises storing their data in the cloud.
At the same time that cloud usage is accelerating, security considerations are being left behind.
Fully 93% of the participating organizations reported that users have adopted rogue cloud applications. That’s a prime example of “shadow IT”—that is, technology decisions being made by employees without the knowledge or approval of the IT department. These decisions are rooted in the BYOD movement and the consumerization of IT.
Organizations don’t know what their employees are doing with cloud services and where their corporate data is being placed.”
Individual employees, for example, may be running consumer-grade cloud services (think Evernote or Dropbox) to improve personal productivity—and, in the process, might store or even share confidential business information such as customer data or financial documents in those services. Departments may be signing up for hosted SaaS applications (such as WordPress or Adobe Creative Suite). Developers could be using popular cloud-based software development code repositories (GitHub, say, or SourceForge). And staffers might be sharing cloud-based collaboration platforms such as Slack or SharePoint with partners, suppliers, or customers.
Are those cloud applications bad? In most cases, the products are fine from a software-quality perspective. But having a solid reputation doesn’t clear those specific apps for use in your business without the IT department’s knowledge and approval. And even after an application is approved for use, the CISO must ensure that it is implemented in accordance with your company’s security policies; otherwise, the organization is at risk of having critical data lost or stolen or of letting outsiders gain access to confidential internal information and processes. There are too many risks to organizations for leaders to be complacent about security. Here are three key ways to address those threats—and tackle the challenges head-on.
Visibility is essential to every aspect of security. Consider the office building: Cameras are watching over exterior doorways, for example, and logging software is recording when employees and vendors badge in to secure work areas.
The same must be true of critical information about network traffic, successful and unsuccessful attempts to log in to the network, and use of enterprise applications. It’s not enough to know that the CFO logged in to the accounting system at 1 a.m. It’s also important to know the device type, device location, and telemetry involved. The transaction might be completely valid, or it might come from a place halfway around the world when the CFO is actually at home. Or it might come from the CFO’s own smartphone, after a click on a link in a phishing email.
Without visibility, AI-based security software can’t detect anomalies or piece together patterns of behavior that might indicate fraud or illegal activity. Without visibility, security investigators can’t find root causes of unusual situations quickly and accurately.
That’s particularly true with cloud services, says Greg Jensen, senior director of cloud security at Oracle and coauthor of the “Oracle and KPMG Cloud Threat Report 2019.” “There are so many examples throughout this report about challenges with visibility,” he says. “Organizations don’t know what their employees are doing with cloud services and where their corporate data is being placed. Is it going on Google? Or Amazon? Is it going on Bill and Ted’s excellent cloud service? They don’t have that visibility.”
One way to get more visibility is to implement CASB-compliance technology for the cloud ecosystem, says report coauthor Brian Jensen (no relation), a risk-management consultant at KPMG.
A CASB, or Cloud Access Service Broker, provides visibility into the entire cloud stack while providing security automation for enforcing corporate policies. A full-featured CASB platform provides threat detection, automated incident response, predictive analytics, and security configuration management.
“A CASB shows what employees are doing with cloud-sanctioned and unsanctioned cloud services,” says KPMG’s Jensen.
“The average organization is running in excess of 1,900 applications—including cloud applications. By and large, security professionals need to use a CASB to monitor business-critical cloud transactions” and then enforce policies regarding those apps.
In a classic data center application, the enterprise has complete ownership of security: everything from the physical installation to network access, from patching vulnerabilities to checking users’ digital credentials. In a cloud service—any cloud service—security responsibility is shared between the enterprise and the cloud services provider.
Problems occur when the enterprise fails to realize its security responsibilities, says Oracle’s Jensen. This can happen because of shadow IT or because of misunderstandings about the shared security model for cloud services.
If there are suspicious user activities associated with your portion of the shared responsibility model, you have to be aware of those events, monitor them, and react to them.”
For example, take penetration testing, which measures how easy it is to attack a cloud service with known hacking techniques. Many enterprises don’t see that as any part of their responsibility, so they don’t do it. “A lot of businesses believe they aren’t responsible for testing the security of a cloud service,” Oracle’s Jensen says. “The reality is that whether you are using IaaS, PaaS, or SaaS, your business is responsible for doing penetration testing. The business is responsible for ensuring that the cloud cannot be penetrated—either the service or the application itself.”
KPMG’s Jensen points to user authentication as an area of common misunderstanding. “While SaaS providers include a single-sign-on authentication solution, passwords simply aren’t good enough,” he says. “You need balanced user enablement with the requirement to protect sensitive data and transactions, so organizations should consider the use of multifactor authentication with biometrics.”
Event monitoring touches both the visibility issue and responsibility sharing, he adds. “Security event monitoring in SaaS is still your responsibility,” he says. “If there are suspicious user activities associated with your portion of the shared responsibility model, you have to be aware of those events, monitor them, and react to them.” (This shouldn’t be confused with the foundational event monitoring that the cloud services provider uses to defend against a variety of network-level events.)
A line-of-business department is considering adoption of a cloud-based application—perhaps a turnkey SaaS application. Is the CISO invited to the meetings where that product is discussed, evaluated, and approved? Maybe. But then again, maybe not. And it’s quite likely that the CISO’s team is not involved in the implementation and integration of that cloud application. In fact, the security team members may not even know about that app until security incidents begin showing up on their dashboard.
“There’s a lack of communication, lack of collaboration, and lack of visibility across the C-suite,” says Oracle’s Jensen. “The C-suite is facing challenges in terms of how to collaborate on security, risk, compliance, and privacy.”
Teams won’t work together if their managers don’t work together. “We have to address these C-suite problems head-on,” Jensen says. “We have to try to make sure that this is a collaborative conversation where everyone understands their unique role in making cloud security successful for the organization. When executives aren’t doing their part, the company as a whole is at risk.”
Increasingly, organizations trust the cloud for critical applications and for storing essential data. Security technology is doing a good job of keeping up, but more still needs to be done, as is documented in the “Oracle and KPMG Cloud Threat Report 2019,” says Oracle’s Jensen.
“The cloud capabilities and the solutions available today are far superior to what we had just a couple of years ago,” he says. “There is much more security awareness now than what we had in years past—and more acceptance about the need to have conversations with the security teams and the risk teams.”
READ the “Oracle and KPMG Cloud Threat Report 2019.”
LEARN more about Oracle CASB.