In today’s computing model, applications and their users no longer reside inside the firewall. In many cases the organization owns neither the application infrastructure (e.g. Salesforce.com, Dropbox, Box) nor the mobile endpoint. The traditional firewall and secure web gateway that for many years formed the perimeter for managing and securing Internet access are no longer enough, and attackers certainly know this: existing firewalls, endpoint security and other standard controls have no visibility into what happens inside a cloud app once a user has logged in. Welcome to the “post-firewall” era.
We are seeing this play out in a recent report by The Hacker News that 7 million Dropbox account credentials may have been compromised. Dropbox has made it clear that its systems weren’t hacked, and that these credentials were “stolen from other services and used in attempts to log in to Dropbox accounts.” Everyone does seem to agree they were stolen, and that’s the issue: a password reused across services is only as safe as the weakest service that stores it. A couple of weeks ago Salesforce.com warned users about attempted credential theft by endpoint malware. Crime and malicious activity follow the volume of users, and they follow the path of least resistance – your cloud apps.
The challenge is that it’s not practical to block the use of potentially hundreds of cloud apps that help workers be more productive and get their tasks done faster – often at lower cost, too. Both IDC and Gartner have published research putting annual enterprise spending on SaaS apps in the tens of billions. Both expect adoption to continue to increase, and with it IT staff will increasingly become an enabler rather than an implementer of technology. Security is again a top concern for IT staff – they know their employees and end users aren’t going to be focused on it.
Here are some recommended steps IT organizations can take to help ensure security for their cloud apps:
– Get a handle on all the apps your employees are using in the cloud – this can be the starting point for the right conversations to happen across the IT staff and business units. If you don’t already know what cloud apps are being used, we encourage you to use our free discovery tool that can be downloaded here. It provides an inventory of the apps, users, traffic volume and assesses the related risks.
– By understanding the cloud apps being used, you may be able to configure security settings (such as IP range restrictions) provided by the app provider to help strengthen your security posture.
– Audit what data users are moving to the cloud – understand how sensitive the data is and what applications such as Dropbox, Box, and others are being used to share files. Most companies find multiple cloud storage/file sharing apps.
– Protect the account credentials – these are the keys to the cloud app kingdom, and credential theft will continue to rise. Credentials are the front door to the data, and that includes encrypted data: encryption at rest protects against a stolen disk, not against an attacker who logs in with a valid username and password and has the app decrypt everything for them. Cloud Access Security Broker (CASB) products such as those offered by Skyfence can profile valid user behavior (the networks, devices, hours and apps a user normally works from) and use that profile as a benchmark for detecting anomalous activity that could indicate compromised credentials being exploited – with the ability to block the session in real time.
– Cloud app providers are not responsible for your security – the provider secures its platform, but capabilities like enforcing policies based on context (who, from where, on which device, doing what), or requiring two-factor authentication for risky operations such as bulk downloads or administrative changes, still need to be led by IT professionals. Again, CASB products can act as a policy enforcement point between the apps and the users to monitor activity and enforce policy consistently across all your cloud apps. This means you don’t have to leave security to the users or to each individual app provider’s settings; you can bring it in-house within IT, where it belongs.
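To make the steps above concrete, here is an added example (written for this page, not Skyfence’s product or discovery tool) that runs the discovery and behavioral-baseline ideas over a constructed sample of cloud-app login events. It builds an inventory of which apps each user actually logs in to, learns each user’s usual source networks and working hours from a baseline period, and then flags two things in the evaluation period: a successful login from a network the user has never used that is also outside the corporate IP ranges you would configure at the provider, and a burst of failed logins against many different accounts from one address, which is the signature of stolen credential lists being replayed. All users, apps, addresses and timestamps are invented for illustration; the field layout is an assumption, since real audit logs differ per provider.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): timestamp, user, app, source IP, outcome.
SAMPLE_EVENTS = [
    # Baseline period: alice and bob normally work from the office range 203.0.113.0/24
    ("2014-10-01T09:02:00", "alice", "salesforce", "203.0.113.10", "success"),
    ("2014-10-01T09:05:00", "alice", "dropbox", "203.0.113.10", "success"),
    ("2014-10-02T08:58:00", "alice", "salesforce", "203.0.113.11", "success"),
    ("2014-10-01T10:00:00", "bob", "box", "203.0.113.20", "success"),
    ("2014-10-02T10:15:00", "bob", "box", "203.0.113.20", "success"),
    ("2014-10-03T18:30:00", "bob", "box", "198.51.100.5", "success"),  # bob from home
    # Evaluation period
    ("2014-10-14T03:12:00", "alice", "dropbox", "192.0.2.77", "success"),  # new network, 3 a.m.
    ("2014-10-14T11:00:00", "bob", "box", "198.51.100.5", "success"),  # known home address
    ("2014-10-14T11:00:10", "carol", "dropbox", "192.0.2.77", "failure"),
    ("2014-10-14T11:00:20", "dave", "dropbox", "192.0.2.77", "failure"),
    ("2014-10-14T11:00:30", "erin", "dropbox", "192.0.2.77", "failure"),
    ("2014-10-14T11:00:40", "frank", "dropbox", "192.0.2.77", "failure"),
]
BASELINE_END = datetime(2014, 10, 10)          # events before this train the profile
CORPORATE_RANGES = ["203.0.113.0/24"]          # what you would allow-list at the provider


def parse(raw_events):
    """Turn the raw tuples into typed records, sorted by time."""
    parsed = [(datetime.fromisoformat(ts), user, app, ipaddress.ip_address(ip), result)
              for ts, user, app, ip, result in raw_events]
    return sorted(parsed, key=lambda e: e[0])


def inventory(events):
    """Discovery step: which cloud apps are in use, and by whom (successful logins only)."""
    apps = defaultdict(set)
    for _ts, user, app, _ip, result in events:
        if result == "success":
            apps[app].add(user)
    return {app: sorted(users) for app, users in apps.items()}


def build_baseline(events, cutoff):
    """Per-user profile of the /24 source networks and hours of day seen before the cutoff."""
    profile = defaultdict(lambda: {"networks": set(), "hours": set()})
    for ts, user, _app, ip, result in events:
        if ts >= cutoff or result != "success":
            continue
        profile[user]["networks"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        profile[user]["hours"].add(ts.hour)
    return profile


def detect_anomalies(events, profile, cutoff, corporate_ranges,
                     burst_threshold=3, burst_window=timedelta(minutes=5)):
    """Flag logins that deviate from the profile and credential-replay bursts after the cutoff."""
    corporate = [ipaddress.ip_network(r) for r in corporate_ranges]
    failures_by_ip = defaultdict(list)
    findings = []
    for ts, user, app, ip, result in events:
        if ts < cutoff:
            continue
        if result == "failure":
            failures_by_ip[ip].append((ts, user))
            continue
        known = profile.get(user)
        if known is None:          # no history: cannot judge, would go to a review queue
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net not in known["networks"] and not any(ip in r for r in corporate):
            reasons = ["new source network"]
            if ts.hour not in known["hours"]:
                reasons.append("unusual hour")
            findings.append({"user": user, "app": app, "ip": str(ip), "reasons": reasons})
    # Many distinct accounts failing from one address inside a short window looks like a stolen
    # credential list being replayed, regardless of any single user's profile.
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        for i, (start, _user) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= burst_window}
            if len(users) >= burst_threshold:
                findings.append({"user": None, "app": None, "ip": str(ip),
                                 "reasons": [f"{len(users)} distinct accounts failed within {burst_window}"]})
                break
    return findings


def run_example():
    events = parse(SAMPLE_EVENTS)
    profile = build_baseline(events, BASELINE_END)
    return detect_anomalies(events, profile, BASELINE_END, CORPORATE_RANGES)


if __name__ == "__main__":
    print("apps in use:", inventory(parse(SAMPLE_EVENTS)))
    for finding in run_example():
        print(finding)
```

On the sample, bob’s login from his known home address raises nothing, alice’s 3 a.m. login from an unfamiliar network is flagged on both counts, and the four failures from 192.0.2.77 are reported as one burst. A real deployment needs weeks of history before an "unusual hour" signal is trustworthy, and the block-in-real-time action the text describes would sit where this code appends a finding.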
In Major League Baseball, we’ve heard purists talk about the post-steroid era. With mobile devices, we heard Steve Jobs talk about the post-PC era. Technology can be disruptive. The adoption of cloud applications – those that are authorized by IT and those that are unauthorized and led by employees – is moving us as an industry into the post-firewall era. The good news is that we know a lot more about security than we did when the first firewalls started being deployed. The fundamentals have not changed, but the way you’ll need to implement comprehensive security for cloud apps is entirely different.