Finding Your Happy Place between Cloud Security and Employee Productivity

thumb-happyplace
Skyfence

From 2005 to 2013, the number of remote workers increased an incredible 80% globally.

Even more staggering, Forrester Research’s US Telecommuting Forecast predicts that by next year, 43% of the entire U.S. workforce will conduct business from outside traditional offices.

The reasons for this enormous shift are obvious: remote workers not only allow businesses to recruit top talent and reduce fixed costs, they also increase productivity and, according to the Harvard Business Review, can promote worker engagement and satisfaction.

However, it’s not all good news. All this extra productivity comes at a price.

As cloud app adoption and employee use of BYOD to access these cloud apps becomes further entrenched in the workplace, security strategies and policies need to be revisited to ensure that organizations are properly equipped to meet the unique challenges created by the cloud. Because business-critical data often sits in the cloud outside of the traditional corporate “walls,” a whole new dimension of risk is introduced. Hackers know this and, as a result, are keen to get their evil lil’ hands on this valuable data.

The key question then becomes “how do you strike the right balance between cloud security and employee productivity? Oftentimes, tighter security comes at the expense of worker productivity as more security checks get implemented, more processes are introduced, and in general more, employee dissatisfaction begins to rise.

New security risks
Four new security risks stand out as a result of this shifting landscape.

  1. BYOD (personal devices)
    Many employees are now accessing cloud apps on potentially unsecure devices, either from work or from home. At the end of the day, personal devices are just that: personal. This means unsecured links, ill-advised social media posts, downloads of email attachments containing sensitive info, or just plain careless surfing can all put your organization’s data at risk. Due to the severity of these risks, we’ve written some best practice tips on what makes for an effective BYOD security policy.
  2. Stored passwords or login credentials
    Because remote workers depend on remote access, many employees store and use their passwords on unmanaged devices that not only fall outside of your control, but are far from secure. Again, if these devices fall into the wrong hands via theft, loss, or malicious attacks, your corporate data is ripe for compromise or exfiltration.Often, this occurs without you or the device owner even being aware of it. While no one plans on losing their devices or having their credentials stolen, data leakage is all too common.
  3. Data proliferation
    To enhance ease of use and facilitate collaboration, Dropbox and other popular file-sharing services offer automatic synchronization of files. However, this feature has a downside: because these services automatically download all files onto the endpoint, this means anyone that has access to the sync folder can potentially get their hands on sensitive information. Often, sharing permissions on these files – set by the content owner – are too broad.At the end of the day, organizations should consider third-party security solutions to beef up the native capabilities of the Dropboxes of the world to protect against the downside of data proliferation, especially to unmanaged devices. This applies both to files shared internally among your employees as well as to files shared externally with clients, partners, and contractors. Being able to monitor and restrict data access at a fine-grained level is another must that cloud providers simply don’t provide natively.
  4. User tokens
    Tokens are used by many cloud service providers to confirm the identity of an approved user. As with the previous risk, this is done to improve ease of access on the user’s side. The problem is that these tokens can get hijacked – i.e., stolen – and then pushed onto other devices. When this happens, those new devices can then log into your network or account bypassing any need to enter user credentials. This breach – known as the Man in the Cloud Attack – automatically gives the unapproved user all the permissions that the original user had.

Minimizing the productivity impact of cloud security
While security is necessary for many, it does not have to impact productivity.

Below are a few tips to help you keep your network secure without hindering the efficiency of your employees.

Monitor uploads and downloads in real-time: Real-time monitoring reduces the need for a number of the user-based restrictions that negatively impact productivity. This applies to the uploading and downloading of data as well as user and application governance. Leakage of sensitive or regulated data can occur through careless or malicious uploads, downloads, and sharing so being able to do real-time content inspection and remediation is crucial.

Learn typical user behaviors: Only by understanding employee use patterns (e.g., typical devices, locations, access hours, etc.) can you effectively begin identifying and eliminating suspect behavior. Skyfence utilizes sophisticated algorithms to fingerprint devices and learn user behaviors in order to detect data access anomalies.

Use MFA (Multi-Factor Authentication) only when necessary: Employees may find overly broad application of MFA annoying, which could negatively impact productivity. The key is to only use MFA when there is questionable activity when compared to a person’s normal behavior (i.e., access location, device, time, etc.). This means creating anomaly-based MFA rules factoring in role, action, device, or some other criteria that makes sense for securing your data. For instance, forcing your employees to verify their identity twice each time they want to log into OneDrive, even from an unmanaged device, may be overkill. However, if that same someone tried to download a file that contained social security numbers to an unmanaged device, then applying MFA in this scenario would not be considered too onerous.

Score cloud app risks: Rating and categorizing each cloud app your organization uses as high, medium, or low risk gives you the ability to prioritize which apps need more control and which don’t. In other words, not all apps require the same level of scrutiny and restrictions, especially if they disproportionately impact employee productivity. Several categories must be considered, including compliance, security settings, data leakage, data ownership, account termination policies, and auditing.

Create audit trails: Maintaining audit trails for both admin and non-admin accounts acts as a safety net in that they can be used to highlight security and compliance deficiencies that warrant further attention. Automatic tracking and logging of user activities can help improve security without hindering employee productivity. Audit trails can be set up to include things like user IDs, departmental actions, locations, times, devices, and application actions.

Finding the ideal balance between maximizing productivity and minimizing risk can be an IT nightmare.

And unfortunately, the native security features of most cloud service providers do not offer enough fine-grained control to create this balance.

To find out exactly how we can help protect your organization without sacrificing productivity, click here to connect directly with a Skyfence specialist.