Ebook Definitive Guide To Cloud Security

eBook:
The Definitive Guide to
CLOUD SECURITY
The Definitive Guide to Cloud Security
Brought to you by
Brought to you by
Table of Contents
Chapter 1: Introduction Cloud Adoption and Risk Today
Page 1
Chapter 2: Cloud Visibility
Page 4
Chapter 3: Cloud Compliance
Page 7
Chapter 4: Cloud Threat Prevention
Page 11
Chapter 5: Cloud Data Security
Page 16
Chapter 6: Shadow IT
Page 21
Chapter 7: CRM
Page 25
Chapter 8: File-Sharing and Collaboration
Page 28
Chapter 9: What is a CASB?
Page 33
Chapter 10: Quantifying the Value of a Cloud Access Security Broker
Page 36
Chapter 11: Conclusion - Parting Guidance on Evaluating CASB Vendors
Page 39
CHAPTER 1
Introduction Cloud Adoption and Risk Today

KEY STAT: 60% OF CIOS ARE MAKING THE CLOUD THEIR #1 PRIORITY THIS YEAR
The cloud (SaaS, PaaS, and IaaS) is transforming business for the better, making
employees more productive and businesses more agile. As the cloud market
matures, analysts and market researchers are discovering hard data supporting
the benefits of the cloud for enterprises. The latest numbers from Vanson Bourne
Research show that the cloud is providing organizations with a 21% reduction in
product time to market, a 17% reduction in IT maintenance costs, a 15% reduction
in IT spend, and an 18% increase in employee productivity.1 With these types of
metrics in hand, its no surprise that 60% of CIOs state that the cloud is their #1
priority this year.2
However, this enthusiasm for cloud adoption is tempered by security, compliance,
and governance concerns. Analyst firm IDC shows that security and privacy
remain the top inhibitors of cloud adoption.3 Given the seemingly endless supply
of headlines on data breaches, its understandable, if not expected, that security
of data in the cloud is now a board-level concern for 61% of organizations,
according to a recent study by the Cloud Security Alliance (CSA).
http://venturebeat.com/2012/08/07/google-cfo-cloud-study/
http://www.businessinsider.com/infographic-its-not-easy-to-be-a-cio-2012-2#!HqX9i
http://www.opendatacenteralliance.org/docs/1264.pdf
PAGE 1
| CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY
The phenomenon of employees self-enabled cloud services (those procured and

managed outside of ITs purview), often referred to as Shadow IT, complicates
the situation for IT and IT Security teams. Even if organizations are taking a
deliberate approach to cloud and adopting cloud services strategically while
implementing the required security, compliance, and governance controls around
them, employees are likely not acting with the same consideration when they sign
up for new cloud services on their own. In fact, with up to 90% of cloud activity
driven by individuals and small teams, the average company now uses 897 cloud
services, up 43% over the last year.4
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

4
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014.
PAGE 2
60% of CIOs state

that the cloud is
their #1 priority
this year.
Vanson Bourne Research
With cloud adoption at an all-time high and damaging headlines catalyzing

conversations around data security, enterprise IT is looking for ways to partner with
the business to manage the move to the cloud. Increasingly, these enterprises are
turning to analyst and industry thought leaders to help them navigate this new
and evolving security landscape.
Neil MacDonald, Craig Lawson, Peter Firstbrook, and Sid Deshpande of Gartner
have been particularly adept in providing the market with a usable framework
for managing cloud security. Their framework organizes around four pillars of
functionality: Visibility, Compliance, Threat Prevention, and Data Security. In this
eBook, we will dive into the details of each pillar, providing relevant and related
data points for consideration, and describe how forward-leaning IT teams are
managing cloud security using this framework.
PAGE 3
In 2015, roughly
10% of overall IT
security enterprise
capabilities will
be delivered as a
cloud service.
Gartner
CHAPTER 2
Cloud Visibility
KEY STAT: 72% OF COMPANIES DONT KNOW THE SCOPE OF
SHADOW IT AT THEIR ORGANIZATION BUT WANT TO KNOW
Cloud services are incredibly easy to adopt, with most requiring only an email or a
credit card to sign up. The result is that individual users and business units often
begin using cloud services without any involvement from IT. The benefit is that
users and business units are able to readily and rapidly adopt services that drive
productivity and agility for the business. The downside is that IT often has little to
no visibility into the full scope of IT services employees are using. Without visibility,
it becomes very difficult for IT to manage both cost expenditure and risk in the cloud.
With regards to visibility, Gartner says that enterprises must protect their sensitive
data for various commercial and legal reasons. Regardless of whether the cloud
services in use are shadow IT or sanctioned IT, businesses need visibility into which
services employees are using, what data is stored in them and shared from them,
any anomalies in usage behavior that indicate a compromised account, and who is
using each service and from which devices and geographies.
Enterprises must also ensure that they dont cross a perceived ethical of legal
privacy boundary when monitoring the use of cloud services. For example, the
same methods that can be used to monitor sanctioned cloud services, could also
be used to monitor personal Facebook or Instagram accounts. Requirements for
privacy may vary greatly in different verticals and geographies.
PAGE 4
| CHAPTER 2 | CLOUD VISIBILITY
Enterprises must also integrate their cloud visibility into existing systems, such
as Security Information and Event Management (SIEM) products for continuous
monitoring and event management.5
The average employee uses 27 different cloud services at work6, including six
collaboration services, four social media services, and three file-sharing services.
Many of the services used in the office are consumer grade services and
security is not a given, so understanding which services employees are using,
what type of data is uploaded and shared through the services, and what
security capabilities the services have is a must.
30% of IT
Security teams
list concerns over
compromised
accounts and
insider threats as
a top challenge
holding back
cloud projects.
Cloud Security Alliance

5
Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
PAGE 5
KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD VISIBILITY:
Which services are employees and business units using

overall and in each category (e.g. file sharing, social
media, collaboration)?
Which services house sensitive or confidential

data today?
Which services are gaining in popularity and should

be evaluated for enterprise-wide adoption?
What are the security capabilities of the services storing

sensitive data?
What is the risk level of each service in use?
Which data is available to external collaborators outside

of the company?
How effective are my firewalls and proxies at identifying

cloud services and enforcing acceptable cloud use policies?
Which redundant services are employees using,

and are they introducing additional cost and risk or
inhibiting collaboration?
How do I quantify the risk from the use of cloud services

and compare it to peers in my industry?
PAGE 6
10
11
12
Which partners cloud services are employees accessing,

and whats the risk of these partners?
Which external collaborators are granted access to our

companys services?
How do I track and log all user and admin actions for
compliance and investigations?
CHAPTER 3
Cloud Compliance
KEY STAT: 37% OF EMPLOYEES UPLOADED AT LEAST ONE FILE TO A FILE-SHARING
CLOUD SERVICE THAT CONTAINED SENSITIVE OR CONFIDENTIAL DATA LAST QUARTER
Todays enterprises have deployed cloud services to support CRM, ERP, HR,
Collaboration, and Backup operations. Applications like Salesforce, ServiceNow,
Workday, Box, and Office 365, support mission-critical business functions, and because
of this they often house sensitive or confidential information, such as customer data,
financial data, employee data, IP, or security infrastructure data. Locating this type of
data in the cloud is not a rare event; in fact, it is now commonplace.
For example, 22% of files uploaded to file-sharing services contain sensitive or
confidential data, including: PII (personally identifiable information) such as social
security number, date of birth, or address; payment information, such as credit card
numbers or bank account numbers; and PHI (protected health information) such as
medical record number or health plan beneficiary number.
Furthermore, 37% of employees uploaded at least one file to a file-sharing cloud
service that contained sensitive or confidential data over the course of a business
quarter.7 In order to drive compliance, IT leaders are looking for ways to identify
enterprise-ready cloud services that support various use cases, locate where
sensitive data is housed, audit how sensitive data is handled, and protect sensitive
data from loss. With regards to compliance, Gartner says that compliance will
always be a core security deliverable.
7
PAGE 7
| CHAPTER 3 | CLOUD COMPLIANCE
Compliance
will always be
a core security
deliverable.
Gartner
They indicate that, with regards to SaaS applications, compliance-supporting

activities should cover:
Answering the who, what, when, why,

and where questions with provable data
for various compliance regimes.
Enabling integration within the enterprise

by supporting log generation that can be
used with existing SIEMs.
Providing assistance with out-of-the-box

compliance reporting for major
compliance standards.
Auditing user behavior across cloud

applications, regardless of the device (e.g.
PC or mobile) or method of access (e.g.
browser or mobile app).
Guiding the organization to specific

cloud services that satisfy both functional
requirements of the users and the
compliance and risk requirements of the
business. This is especially important given
the thousands of options available in the
cloud today.8
PAGE 8
As Gartner references, there are over 10,000 cloud applications today, all with
varying degrees of security, compliance, and governance capabilities. Despite this
diversity of offerings, companies across industries must ensure compliance with
PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and other regulations.
In order to do so they must ensure the protection of various types of personal
information, including:
Name
Bank account numbers
Address
Professional certificate or license number
Birthdate
License plate number
Telephone or fax number
URLs or IP address
Email address
Finger and voice prints
Social security number
Full face photographs
Medical record number
Any unique identifying number
Health plan number
While the cloud provider is responsible for the security of their product, compliance
is based on a shared responsibility model, whereby the enterprise using the cloud
service must also take measures to maintain the privacy of employee and
customer data. Within the enterprise, users, IT/Security, and Audit/Compliance all
share responsibility for compliance.
PAGE 9
80% or cloud
governance
committees
include IT
Security.
KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD COMPLIANCE:
Which applications house sensitive data subject to

regulatory compliance?
Which administrators have behavioral anomalies that

indicate excessive privilege access?
What are the security capabilities of the services

housing sensitive data?
When is sensitive data uploaded to the cloud, and what

action should be taken (allow, block, quarantine, encrypt)?
What are the legal terms of the services housing

sensitive data?
How do we leverage previous resource investments and

extend existing on-premise data loss prevention policies
to the cloud?
Which employees are accessing sensitive data,

and how are they using or sharing it?
How do we implement a closed workflow to review,

remediate compliance violations, and educate violators?
Which employees are uploading sensitive data to

high-risk services?
10
Is sensitive data kept in a specific country or region to

comply with international data residency requirements?
PAGE 10
CHAPTER 4
Cloud Threat Prevention

KEY STAT: 17% OF COMPANIES REPORTED AN INSIDER THREAT LAST YEAR,
BUT 85% OF COMPANIES EXPERIENCED ONE
Cloud services, like on-premise systems, can be the target of attacks aimed at
stealing corporate data or damaging the business. Attacks typically leverage the
cloud in one of two ways: they use cloud services as sources of sensitive data to
steal, or they use cloud services to exfiltrate stolen data.
Some enterprise-ready cloud services have security capabilities that exceed
those of the enterprise data center, but that does not necessarily protect them
from insider threats or compromised identities. In fact, compromised identities
and insider threat are the two main drivers of the first threat vector (cloud
services as the source of data to steal), and they are far more common than
most IT professionals realize.
PAGE 11
| CHAPTER 4 | CLOUD THREAT PREVENTION
According to the Cloud Security Alliance, 17% of companies reported an

insider threat last year, but in fact 85% of companies experienced one.9 This
discrepancy exists because so many attacks go under the radar today.
Further, 92% of companies have at least one corporate cloud service login
credential available for sale on the darknet today.10
30% of IT
Security teams
list concerns over
compromised
accounts and
insider threats as
a top challenge
holding back
cloud projects.

9
10
PAGE 12
In order to prevent against insider threats, organizations can employ machine

learning to identify anomalous behavior that indicates a threat in progress.
Triggers are often large or repeated downloads of sensitive data or excessive
privileged user access. Insider threats could be aimed at stealing enterprise data
from the cloud, such as IP from a file sharing service or security infrastructure from
an IT management service, but the most common insider threat seems to be the
theft of customer sales data from CRM services, perpetrated by sales reps or sales
operations managers who plan to leave the company. Additionally, malware
attacks are also now targeting cloud services. Last years much publicized Dyre
malware would monitor browser activity to steal credentials for cloud services that
housed valuable corporate data.
Attackers also increasingly look upon cloud services as a clever way to exfiltrate
data under the radar. With the average company using almost 900 cloud services
today and IT often not having visibility into their usage, attackers know that
unmanaged cloud services can be a fertile territory for malicious behavior and
frequently use popular and seemingly harmless services to execute their operations.
For example, malware employed by a foreign national government recently used
YouTube to exfiltrate stolen intellectual property. The attackers created VAR
segments, inserted the stolen data into mpg4 files, and then uploaded them onto
YouTube. The videos would play within YouTube, but once downloaded the VAR
segments could be unpacked providing the attackers with the stolen data. In
another startling example, malware leveraged a Twitter account to exfiltrate
stolen data, 140 characters at a time, over a sequence of 86,000 tweets. While
these attacks are almost amusingly clever, they serve as a serious reminder that
threat prevention must be a core focus of any cloud security project.
PAGE 13
31% of companies
are not sure if
they experienced
an insider threat
incident last year.
With regards to threat detection, Gartner says that, in on-premise applications

that were protected by network/host security and access management, Security
could control all application access from authorized users from defined locations
while also inspecting for malicious content, regardless of the network channel or
protocol. However, in todays Internet Age, with billions of users accessing the
Internet via browsers, enterprise cloud applications are now accessible to anyone
with an internet connection. Because of this fundamental change, new controls are
required in order to protect enterprise data. Particularly, new controls are needed
for cloud service to manage events such as:
Access from known suspicious countries,

locations, devices, locations, or unusual
access times or data volumes.
Access from compromised cloud

service accounts.
Access from canceled accounts or from

accounts that have remained idle for
excessive periods of time.
11
Access directly to cloud services that

bypasses security controls.
Access via outdated operating systems or

browsers that are no longer supported and
are thus more vulnerable to attacks.11
PAGE 14
Malware
leveraged Twitter
to exfiltrate
stolen data,
140 characters
at a time, over
a sequence of
86,000 tweets.
KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD THREAT DETECTION:
What does normal behavior for any given service

look like?
Which cloud services have behavioral anomalies

that indicate insider threat?
How does a users role affect their normal cloud service

usage patterns?
Which cloud services have behavioral anomalies that

indicate malware at work?
How do I monitor and baseline usage across the

enterprise for both local and remote employees?
Which users are accessing large volumes of

sensitive data?
Which administrators are accessing large volumes

of sensitive data?
PAGE 15
Which cloud services have behavioral anomalies that

indicate an account is compromised?
Which cloud services in use are rated as high-risk and

have an anonymous use policy?
CHAPTER 5
Cloud Data Security

KEY STAT: ONLY 17% OF CLOUD SERVICES PROVIDE MULTI-FACTOR AUTHENTICATION,
ONLY 5% ARE ISO 27001 CERTIFIED, AND ONLY 11% ENCRYPT DATA AT REST.
As many a CIO and CISO will tell you - IT Security, today, is all about protecting
data, not data centers and this is largely product of cloud. When considering
data security, it can be helpful to examine both the security of the service the
data lives in and the security of the devices that have access to the data.
Some cloud services have security capabilities that far exceed most corporate
data centers. However, with over 10,000 cloud services available today, there is a
large variation in the security capabilities offered. The good news is that an
increasing number of cloud services are investing in security, but a larger number
still do not offer even basic security features. Only 17% of cloud services provide
multi-factor authentication, only 5% are ISO 27001 certified and only 11% encrypt
data at rest. For this reason, it is important to look at the risk of services
individually and enable risk-based policies on acceptable usage.12
In services with high levels of built-in security, users and their devices can often
be the weakest link. Users frequently lose devices or leave them in insecure
locations and are prone to lose passwords as well. 12% of employees have at
least one corporate identity (username and password) for a cloud service that
has been compromised for sale on the darknet (online black markets) today.13
12, 13
PAGE 16
| CHAPTER 5 | CLOUD DATA SECURITY
A study by Joseph Bonneau at the University of Cambridge showed that 31% of

passwords are re-used in multiple places. The implication here is that, for 31% of
compromised identities, an attacker could not only gain access to all the data in
that cloud service, but potentially all the data in the other cloud services in use by
that person as well. Considering that the average person uses three different cloud
file-sharing services, and 37% of users upload sensitive data to cloud file-sharing
services, the impact of one compromised account can be immense.
PAGE 17
Enterprises can improve the security of their data by employing access control
policies for cloud services that take into account the context of the user, data,
device, and location. For example, an executive may be able to view and
download important financial data to her laptop when in the office, but may be
restricted to viewing only when on her mobile device in a foreign country.
Additionally, enterprises can take extra steps to ensure the security of their data
by employing encryption and tokenization and controlling their own keys.
Encryption can be tricky, and several considerations must be made when
evaluating encryption options.
First, enterprises must avoid proprietary algorithms in favor of encryption
algorithms that are both peer- and academia-reviewed to ensure that they are up
to modern cryptographic standards.
Second, enterprises must also verify that the algorithms used can support the
required functionality of their application since there is a trade-off between the
security of an algorithms and the functionality that it can support. To better
understand the specific tradeoffs, read The Cloud Encryption Handbook:
Encryption Schemes and Their Relative Strengths and Weaknesses. Finally, to
maximize data security, enterprises must own their own encryption keys. By taking
ownership of their keys, they prevent a malicious insider at a cloud service or an
inquiring government agency from gaining access to their data.
PAGE 18
Enterprises must
avoid proprietary
algorithms
in favor of
encryption
algorithms that
are both peerand academiareviewed to
ensure that they
are up to modern
cryptographic
standards.
With regards to data security, Gartner says that data is mission-critical to the
enterprise and that securing that data is the primary goal of any IT Security
organization. Therefore, if the enterprise is moving its data into cloud services,
IT Security must:
Ensure that sensitive data is encrypted

using known good algorithms or tokenized
before entering the cloud service via a
configurable data security policy.
Ensure that robust authentication
procedures are defined and enforced,
including central credential store usage,
certificates, and multi-factor authentication.
Support encryption key management via a

hardware security module (HSM).
Ensure that only the authorized users and

groups have access to enterprise data.
14
Prevent data from being lost within cloud

services when the owner is de-provisioned.
Ensure functionality within cloud services is

maintained when data within those services
is encrypted or tokenized so that the value
of the services can be fully realized.
Ensure that data loss prevention and

e-discovery are available for cloud
services, just as they are for on-premise
systems today.14
PAGE 19
73% of IT Security
teams list security
of their data in
the cloud as a top
challenge holding
back cloud
projects.
KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD DATA SECURITY:
Which cloud services encrypt data at rest and provide

multi-factor authentication?
How do we encrypt data while maintaining required

functionality within cloud services?
What are the compliance certifications of the services

employees are using?
How do we encrypt data while controlling our own

encryption keys?
Which of our cloud services undergo regular

penetration testing?
How do we employ tokenization to ensure data

privacy in addition to security?
Which of our cloud services has been compromised

in the last week, month, year?
How do we enforce access policies based on user,

device, and location?
Which data should be encrypted in which

cloud services?
PAGE 20
CHAPTER 6
Shadow IT
KEY STAT: THE AVERAGE EMPLOYEE USES 27 DIFFERENT CLOUD SERVICES.
ON AVERAGE, IT IS AWARE OF 3 OF THEM.
Shadow IT refers to information technology that is managed outside of, and
without the knowledge of, the IT department. At one time Shadow IT was limited
to unapproved Excel macros and boxes of software employees purchased at office
supply stores. It has grown exponentially in recent years, with advisory firm CEB
estimating that 40% of all IT spending at a company occurs outside the IT department.15
This rapid growth is partly driven by the quality of consumer applications in
the cloud such as file-sharing apps, social media platforms, and collaboration
tools, but its also increasingly driven by lines of business deploying enterpriseclass SaaS applications. In many ways Shadow IT is helping to make
businesses more competitive and employees more productive.
When employees and departments deploy SaaS applications, it can also reduce
the burden on IT help desks to take calls. However, while IT is no longer
responsible for the physical infrastructure or even managing the application, its still
responsible for ensuring security and compliance for the corporate data employees
upload to cloud services. Instead of seeing Shadow IT as a threat, Ralph Loura,
CIO of HP Enterprise, sees it as an opportunity to leverage employees to identify
the applications they want to use so IT can enable the ones that have gained
traction and are enterprise-ready.
15
http://www.forbes.com/sites/tomgroenfeldt/2013/12/02/40-percent-of-it-spending-is-outside-cio-control/
PAGE 21
| CHAPTER 6 | SHADOW IT
According to Loura, We embrace the idea of this shallow exploration of new

technologies, new tools, and new processes by our users. To the degree that they
discover these applications or services that make their jobs easier, make them
more efficient at selling or better at running a supply chain or better at sourcing
talent, then everybody wins. Promoting low-risk services that have reached a
tipping point starts with understanding what cloud services employees use, how
they use them, and their associated risk.
We embrace
the idea of
this shallow
exploration of
new technologies,
new tools, and
new processes
by our users.
Ralph Loura,
CIO, Enterprise Group,
HP
PAGE 22
When IT examines the use of cloud services across the organization, they
generally find Shadow IT is 10 times more prevalent than they initially assumed,
with the average organization today using 897 different cloud services.16 Often IT
departments discover many services in use that they have never heard of before.
After auditing the risk of each service and its security controls, IT teams can make
informed choices about what services to promote or enable. This is more than
just an exercise in risk management. The average company uses nearly 30
different file-sharing services, and using this many different services can impede
collaboration between employees. Standardizing on enterprise licenses for 2-3
services not only improves collaboration, but also reduces cost. Below are key
questions related to shadow IT that IT Security should be able to answer:
VISIBILITY
THREAT DETECTION
Which users and business units are using

which cloud services, and what is the risk
of each of the services in use?
Are there behavioral anomalies that

indicate an insider threat?
How effective are my firewalls and proxies

at enforcing my cloud security policies?
Are there behavioral anomalies that

indicate a security breach from malware
or a compromised identity?
COMPLIANCE
DATA SECURITY
Where is sensitive data being stored

today, and what certifications do services
storing sensitive data have?
Which data in which services can users

access from various devices?
Which data loss prevention policies for

which services do I need to implement
to ensure compliance with industry
regulations moving forward?
Do I need to encrypt or tokenize

data to protect confidential or
sensitive information?
16
PAGE 23
Last quarter, the

average company
uploaded 86.5 GB
to high-risk cloud
services.
Q2 Cloud Adoption
and Risk Report
19 KEY REQUIREMENTS FOR ENABLING SECURE SHADOW IT USAGE:
Log-based visibility into all users, services (SaaS, PaaS,

IaaS), and data transfers
11
Ability to leverage policies from on-premise DLP

systems and extend them to cloud services
On-premise tokenization of log data for security

and privacy
12
Ability to quantify cloud risk, compare it to benchmarks

from peers in the industry, and track it over time
Comprehensive cloud registry covering a minimum

of 10,000 cloud services
13
Anomaly detection across all services to identify

insider threats or security breaches
Detailed risk assessments provided for all cloud

services
14
Ability to identify unmatched uploads for further

investigations
Usage analytics to identify redundant services and popular

and growing services primed for enterprise adoption
15
Integration with SIEMs for incident response remediation
Ability to audit the effectiveness of firewall and proxies

at enforcing policies
16
Darknet intelligence to identify stolen credentials

of employees
Closed-loop remediation with firewalls and proxies
17
User reputation analysis based on correlated activities

across cloud services
Ability to coach employees using integration with

firewalls and proxies
18
Function-preserving encryption for data security
Customizable reporting with automatic periodic

reporting capabilities
19
Frictionless deployment that doesnt impact end users
10
Vertical-specific, pre-built DLP policy templates
PAGE 24
CHAPTER 7
CRM
KEY STAT: 4% OF FIELDS IN CRM APPLICATIONS CONTAIN SENSITIVE OR CONFIDENTIAL

FINANCIAL DATA, PII, OR PHI
Customer Relationship Management (CRM) platforms, such as Salesforce, provide
business-critical functionality for Sales, Sales Operations, Customer Service, and
Marketing. In order to support these business units, CRM services frequently contain
sensitive or confidential customer information including PII, financial data, or PHI.
While popular CRM platforms such as Salesforce have industry-leading security
capabilities, organizations must ensure that their valuable data is protected and
that the use of their CRM service is in compliance with industry regulations such as
PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.
PAGE 25
| CHAPTER 7 | CRM
Enterprises must not rely solely on the security capabilities of the CRM service
itself, as users may not always be using cloud products in ways that meet your
security, compliance, and governance requirements. For example, users may
be storing sensitive data such as payment card data and protected health
data in Salesforce as part of their normal workflow outside of policy, putting
the organization at risk of compliance violations. Or, consider the example of a
salesperson that downloads all the companys opportunities before leaving to join
a competitor. Below are key questions related to CRM services that IT Security
should be able to answer:
VISIBILITY
THREAT DETECTION
How many instances of Salesforce, or

other CRM applications, are we running?
Which users and groups are using

which products, and where is sensitive
data stored?
Are there behavior anomalies, such as a

salesperson downloading more data than
usual, that indicate an insider threat?
Are there behavioral anomalies, such as

a salesperson logging in from Boston
and Bangkok within the same hour, that
indicate a compromised identity?
COMPLIANCE
DATA SECURITY
Which devices and geographies are

employees accessing CRM services from?
How can I encrypt or tokenize data while

maintaining important functionalities like
search, sort and order?
Which types of sensitive data are

uploaded into our CRM service in
customer fields or comments sections
and where is it being stored?
Are we in compliance with PCI DSS,
HIPAA, HITECH, GLBA, SOX, CIPA, FISMA,
FERPA, and international data residency
requirements?
PAGE 26
| CHAPTER 7 | CRM
CRM is expected
to grow to a $36.5
billion market
worldwide within
the next three
years.
Gartner
17 KEY REQUIREMENTS FOR ENABLING SECURE AND

COMPLIANT CRM USAGE:
Usage analytics across all CRM services for both

individuals and business units
10
Academia- and peer-reviewed encryption schemes
Ability to substitute sensitive data with randomly

generated tokens (tokenization) to keep data
on-premise and satisfy data residency requirements
Ability to identify redundant CRM services and coach

users over to standardized services
11
Ability to identify all third-party applications accessing

CRM services and their data
12
Ability to manage encryption keys via integration with

key management servers supporting the KMIP protocol
Detailed activity monitoring of all user, admin, and thirdparty application activities including uploads, downloads,
views, edits, and deletes
13
Behavioral modeling of normal user and admin activity

within the CRM services
Ability to identify sensitive data subject to compliance

requirements or security policies
14
Ability to leverage behavioral models and machine

learning to identify usage anomalies indicative of
compromised accounts or insider threat
Ability to enforce DLP policies and support several

actions, including alerting and blocking
15
Integration with SIEMs for incident response remediation
Ability to extend existing on-premise DLP policies from

on-premise systems and provide integration and closedloop remediation
16
Integration with SAML v2 compatible single

sign-on services
Ability to encrypt structured and unstructured data with

standards-based AES or function-preserving encryption
using enterprise-owned encryption keys
17
Ability to deploy in the cloud, on-premise as a

virtual appliance, or in a hybrid architecture
Ability to apply encryption while preserving enduser functions such as search, sort, and format
PAGE 27
| CHAPTER 7 | CRM
CHAPTER 8
File-Sharing and Collaboration

KEY STAT: 22% OF FILES UPLOADED TO FILE-SHARING CLOUD SERVICES CONTAIN
SENSITIVE OR CONFIDENTIAL DATA, INCLUDING PII, PAYMENT INFORMATION, OR PHI
File-sharing and collaboration services like 0ffice 365, Box, Dropbox, Google Drive,
and Jive are incredibly popular. The average company uses 27 file-sharing
services and 45 collaboration services today, which may actually impede
collaboration.17 The security controls of file-sharing and collaboration services can
vary widely, so organizations must also evaluate the services to understand the
risk they present to the organization. Some services claim ownership of your data,
dont encrypt data at rest, or permit anonymous use, making them unsuited for
enterprise use.
17
PAGE 28
| CHAPTER 8 | FILE-SHARING AND COLLABORATION
The average
company uses
27 different filesharing services,
inhibiting
collaboration and
creating risk.
Q4 2014 Cloud Adoption
and Risk Report
In addition to the security risk, companies must evaluate the compliance risk
as well. 22% of files uploaded to file-sharing cloud service contain sensitive or
confidential data, including: PII (personally identifiable information) such as social
security number, date of birth, or address; payment information, such as credit card
numbers or bank account numbers; or PHI (protected health information) such
as medical record number or health plan beneficiary number. Organizations must
ensure that their valuable data is protected and that the use of file-sharing and
collaboration services is in compliance with industry regulations such as PCI DSS,
HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.
PAGE 29
Additionally, many cloud services offer more than just file syncing across devices;
theyre platforms for collaborating with other people. No matter how secure a
cloud provider is, end users can always use their service in risky ways. Naturally,
users share files with other people at their companies, but files are also frequently
shared via public links, which can be accessed by anyone without restriction.
PAGE 30
Files are
frequently shared
via public links,
which can be
accessed by
anyone without
restriction.
In fact, 11% of all documents shared via file-sharing services were shared outside the
company. The majority of these external collaborators turned out to be business
partners, but 18% of external collaboration requests went to third party email
addresses such as Gmail, Hotmail, and Yahoo! Mail.18 Organizations must ensure
that their governance policies, dictating who has access to services and their data,
are enforced. Below are key questions related to file-sharing and collaboration
that IT Security should be able to answer:
VISIBILITY
THREAT DETECTION
How many file-sharing and collaboration

services are we using, and what is the
risk of each?
Which types of sensitive data are
uploaded into our file-sharing and
collaborations services and where is
it being stored?
Are there behavioral anomalies,

such as excessive downloads of
confidential information, that indicate
an insider threat?
Are there behavioral anomalies, such
as repeated logins from an unusual
geography, that indicate a
compromised identity?
COMPLIANCE
DATA SECURITY
Are we in compliance with PCI DSS,

HIPAA, HITECH, GLBA, SOX, CIPA,
FISMA, FERPA, and international data
residency requirements?
Which devices and geographies are

employees accessing file-sharing and
collaboration services from?
Which data loss prevention policies for

which services do I need to implement
to ensure compliance with industry
regulations moving forward?
How do we see what data is shared

publicly now, and how do we restrict
collaboration to verified business
email accounts?
Are our cloud DLP policies perfectly

aligned with the DLP policies we
enforce on-premise?
18
PAGE 31
18% of external
collaboration
requests went to
third party email
addresses such
as Gmail, Hotmail,
and Yahoo! Mail.
Q4 Cloud Adoption
and Risk Report
18 KEY REQUIREMENTS FOR ENABLING SECURE AND

COMPLIANT FILE-SHARING AND COLLABORATION USAGE:
Usage analytics across all file-sharing and collaboration

services for both individuals and business units
10
Ability to leverage behavioral models and machine

learning to identify usage anomalies indicative of
compromised accounts or insider threat
Ability to identify redundant file-sharing and

collaboration services and coach users over to
standardized low-risk services
Ability to identify all third party application accessing

file-sharing and collaboration services and their data
12
Ability to identify all externally shared data and view

sharing permission details
Detailed activity monitoring of all user, admin, and thirdparty application activities including uploads, downloads,
views, edits, and deletes
13
Ability to enforce external sharing policies based

on domain whitelist/blacklist and content
Ability to identify sensitive data subject to compliance

requirements or security policies
14
Ability to coach users on acceptable use when in violation

of security, compliance, and governance policies
Ability to enforce DLP policies and support several

actions, including alerting, blocking, tombstoning,
and quarantining.
15
Integration with SAML v2 compatible single

sign-on services
Out-of-the-box DLP templates for all major verticals

and regulations to help identify sensitive content.
16
Ability to encrypt data with peer- and academia-reviewed

encryption schemes
Ability to extend existing on-premise DLP policies

from on-premise systems and provide integration
and closed-loop remediation
17
Ability to manage encryption keys via integration with

key management servers supporting the KMIP protocol
Behavioral modeling of normal user and admin activity

within the file-sharing and collaboration services
18
Ability to deploy in the cloud, on-premise as a virtual

appliance, or in a hybrid architecture
PAGE 32
11
Integration with SIEMS for incident response remediation
CHAPTER 9
What is a CASB?
KEY STAT: NINETY PERCENT OF SAAS ADOPTERS EXPECT SAAS TO CONSTITUTE MORE
THAN 50% OF THEIR SPENDING ON ENTERPRISE APPLICATIONS BY 2018, CREATING
SIGNIFICANT NEED FOR CASB PROVIDERS. (GARTNER)
With cloud adoption accelerating every year, enterprise IT is looking for ways to
partner with the business to enable secure utilization of the cloud. Increasingly,
these enterprises are turning to a new breed of technology, referred to by Gartner
as Cloud Access Security Brokers (CASB), in order to do this.
Gartner analysts Neil MacDonald and Peter Firstbrook first defined the Cloud
Access Security Broker category in May 2012 in their report, The Growing
Importance of Cloud Security Brokers." Other firms, such as Forrester, Securosis,
and 451 Research have defined similar categories, alternatively referring to the
technology as Cloud Security Gateways and Cloud Access Controllers. Since
then, Gartner has elevated the importance of CASB and now lists it as #1 in the
top ten technologies for information security.19
19
http://www.information-age.com/technology/security/123458169/gartners-top-10-security-technologies-2014
PAGE 33
| CHAPTER 9 | WHAT IS A CASB?
Cloud Access Security Brokers are on-premise or cloud-hosted software that

acts as a control point to secure cloud services. They generally offer a range of
capabilities including visibility, encryption, auditing, data loss prevention (DLP),
access control, and anomaly detection. While cloud providers individually offer
some of these capabilities, many organizations are looking for consistent policy
enforcement across cloud providers. Given the limited resources to operationalize
a new security process with existing resources, these capabilities should ideally be
delivered as part of a single solution, offering one control point.
In determining whether your organization needs a CASB, Gartner provides several
questions, shared below. If the answer to one or more of the questions is no,
Gartner recommends that your organization considers investing in a CASB.
Cloud access security brokers (CASBs) are on-premise or cloudbased security policy enforcement points, placed between cloud
service consumers and cloud service providers to combine and
interject enterprise security policies as the cloud-based resources
are accessed. CASBs consolidate multiple types of security policy
enforcement. Example security policies include authentication, single
sign-on, authorization, credential mapping, device profiling, encryption,
tokenization, logging, alerting, malware detection/prevention and so on.
Gartner
PAGE 34
10 KEY QUESTIONS FROM GARTNER TO DETERMINE IF YOUR ORGANIZATION NEEDS

A CASB, FROM MIND THE SAAS SECURITY GAPS:
Can I identify all of the cloud services employees are

using and assess the risk of each service?
Which devices and locations are users accessing

cloud services from?
Can I identify which cloud services are housing sensitive

corporate data, and how much data is in each service?
Can I enforce contextual access policies to prevent

specific devices, geographies, or IP addresses from
accessing enterprise cloud services?
Can I identify which users are sharing data, what data

they are sharing, and with whom?
Can I proactively recommend enterprise-ready cloud

services to employees or business units in need of
specific capabilities or categories of cloud services?
Does the data being shared contain sensitive

information such as PII, PHI, or financial data?
Can I detect compromised cloud service accounts

and prevent malicious behavior?
Can I enforce encryption, tokenization, or redaction

to protect sensitive data?
10
Can I offer specific security capabilities such as

encryption or data loss prevention for cloud
services that dont have those capabilities built in?20
A common element of all Cloud Access Security Brokers is they interject security controls by brokering access to a cloud
service. This enables IT to securely enable the use of cloud services within their organizations without compromising
compliance or security. By bundling security functions with a single enforcement point, CASBs also reduce the complexity
of securing data in the cloud.
20
PAGE 35
CHAPTER 10
Quantifying the Value of a

Cloud Access Security Broker
KEY STAT: ORGANIZATIONS USING SKYHIGH TO MANAGE BOTH SHADOW IT AND
SANCTIONED IT SAVED AN AVERAGE OF $1.5M PER YEAR IN IT COSTS AND REDUCED
THE VOLUME OF DATA SENT TO HIGH-RISK SERVICES BY 97%
A Cloud Access Security Broker can provide value across two axes: cost savings
and risk reduction. Within cost saving there are six primary areas of cost
reduction:
1.
Reduction in manual efforts required to

analyze log data for cloud visibility
2.
Streamlined security assessments for

cloud services
3. Elimination of unapproved IaaS usage
PAGE 36
4. Subscription consolidation
5. Elimination of orphaned subscriptions
6. Accelerated response to breaches
and vulnerabilities
| CHAPTER 10 | QUANTIFYING THE VALUE OF A CLOUD ACCESS SECURITY BROKER
Below is a chart depicting the average hard-dollar cost savings across these six categories. Summing the savings, we see that
the average organization saved $1,514,251 annually by managing their shadow IT and sanctioned IT usage with Skyhigh, a
leading cloud access security broker.21
$530,001
Average Reported Savings in

Each Savings Category
$266,000
$186,250
$276,000
$219,200
Average expected cost savings

across ten customers, broken
down by savings category
Quantifying the value of a Cloud Access Security Broker
21
Quantifying the Value of a Cloud Access Security Broker. Skyhigh Networks. 2014
PAGE 37
$36,800
$1,514,251
In addition to cost savings, cloud access security brokers can also mitigate risk in
the enterprise. Risk mitigation from the use of a CASB is typically comprised by
the following four factors:
1.
Reduction in data lost due to the use

of high-risk services
3. Reduction in data lost due to insider threats
2.
Reduction in data lost due to

security breaches
4. Reduction in risk of a compliance violation
Below is a table quantifying some of the risk reduction metrics achieved by

companies that implemented Skyhigh to manage their cloud adoption and risk.
Summarizing the key findings, we see that organizations increased their use of
low-risk cloud services by 83%, decreased their use of high-risk services by 50%,
and decreased the volume of data sent to high-risk file-sharing services by 97%.
In total, organizations that managed their Shadow IT and Sanctioned IT with
Skyhighs CASB reduced their overall cloud risk score by 59%.22
Attribute
Before
After
Improvement
16%
8%
50%
31GB
6.7GB
79%
1.3
78%
16GB
.5GB
97%
Active Tracking Services
32
87.5%
Low-Risk Service %
12%
22%
83%
Enterprise CloudRisk Score
6.4
3.8
59%
High-Risk Service %
Monthly Data Sent to High-Risk Services
High-Risk File Sharing Services
Monthly Data Sent to High-Risk File Sharing Services
How 200 Organizations Flipped Shadow IT from Concern to Opportunity

22
How 200 Enterprises Flipped Shadow IT from Concern to Opportunity. Jim Reavis, Brandon Cook. 2014
PAGE 38
Organizations
using a CASB
decreased the
volume of data
sent to highrisk file-sharing
services by 97%.
CHAPTER 11
Conclusion - Parting Guidance

on Evaluating CASB Vendors
When evaluating different CASB vendors, there are several factors IT leaders
must consider. In addition to understanding whether the capabilities offered
match the business requirements, IT leaders must determine whether the
deployment model fits with their organization. For example, organization should
consider whether they want their CASB to be cloud-based or if they prefer to
manage all of the infrastructure and maintenance of an on-premise solution
themselves.
Additionally, organizations should consider whether they are looking for a
frictionless approach requiring no agents or if they would prefer a solution
that installs agents or PAC files on users work and personal devices. Finally,
organizations should consider whether the CASB vendor has supported other
companies in similar verticals and of similar size.
Many CASB vendors are emerging and have not yet deployed their solution at
scale. This may be acceptable to a smaller organization, but this is likely to be an
area of concern for a larger enterprise. To get started, Gartner offers a
framework for evaluating CASB vendors organized around the types of cloud
services the enterprise is aiming to enable. This framework is provided below for
your reference:
PAGE 39
| CHAPTER 11 | CONCLUSION - PARTING GUIDANCE ON EVALUATING CASB VENDORS
SHADOW IT:
Ask CASB vendors to generate a cloud visibility report with your data during
the proof-of-value process.
Analyze the categories and individual cloud services in use, and identify the risk
associated with the service and its usage.
Create a corporate policy about which cloud services to block orallow, and
then determine the depth of security controls and API integrations the CASB
vendor can enforce for your permitted cloud services.
Select only those CASB vendors whose solution fits with your company vision
on cloud and mobility.
EXISTING SANCTIONED IT SERVICES:
Analyze the redirection methods offered by various CASB vendors, and

determine if they align with your enterprises mobile device policy (i.e.
managed devices vs. bring your own device [BYOD]).
Evaluate only the CASB vendors that are the least disruptive to
your current environment.
Evaluate CASB vendors that can extend common security capabilities to

multiple cloud services from a single management console.
PAGE 40
61% of enterprises
say that cloud
security is now
a board level
concern.
NEW SANCTIONED IT SERVICES:
Include CASB and identity management products when budgeting for new
cloud services and account for them in enterprise architecture discussions
Evaluate your current infrastructure architecture program to identify spending

that could be re-directed to CASB for use with cloud services that are planned
or in use already. This is an architecture change that will be necessary if you
plan to move to cloud services in the future.23
23
If you would like to get a FREE personalized assessment

of all cloud services in use by your employees, including:
All IaaS, PaaS, and SaaS cloud services in use

An objective rating of enterprise readiness for each service
Potential data leaks, security breaches, and non-compliance
Consolidation opportunities for unused licenses
Please email freeassessment@skyhighnetworks.com
PAGE 41

Ebook Definitive Guide To Cloud Security

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ebook Definitive Guide To Cloud Security

Uploaded by

Copyright:

Available Formats

eBook:

The Definitive Guide to

Chapter 2: Cloud Visibility

Chapter 3: Cloud Compliance

Chapter 4: Cloud Threat Prevention

Chapter 5: Cloud Data Security

Chapter 8: File-Sharing and Collaboration

Chapter 9: What is a CASB?

Chapter 10: Quantifying the Value of a Cloud Access Security Broker

Chapter 11: Conclusion - Parting Guidance on Evaluating CASB Vendors

Introduction Cloud Adoption and Risk Today

| CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY

The phenomenon of employees self-enabled cloud services (those procured and

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014.

| CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY

60% of CIOs state

With cloud adoption at an all-time high and damaging headlines catalyzing

| CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY

| CHAPTER 2 | CLOUD VISIBILITY

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

| CHAPTER 2 | CLOUD VISIBILITY

KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER

Which services are employees and business units using

Which services house sensitive or confidential

Which services are gaining in popularity and should

What are the security capabilities of the services storing

What is the risk level of each service in use?

Which data is available to external collaborators outside

How effective are my firewalls and proxies at identifying

Which redundant services are employees using,

How do I quantify the risk from the use of cloud services

| CHAPTER 2 | CLOUD VISIBILITY

Which partners cloud services are employees accessing,

Which external collaborators are granted access to our

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

| CHAPTER 3 | CLOUD COMPLIANCE

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

They indicate that, with regards to SaaS applications, compliance-supporting

Answering the who, what, when, why,

Enabling integration within the enterprise

Providing assistance with out-of-the-box

Auditing user behavior across cloud

Guiding the organization to specific

| CHAPTER 3 | CLOUD COMPLIANCE

Bank account numbers

Professional certificate or license number

License plate number

Telephone or fax number

Finger and voice prints

Social security number

Full face photographs

Medical record number

Any unique identifying number

Health plan number

| CHAPTER 3 | CLOUD COMPLIANCE

Cloud Security Alliance

KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER

Which applications house sensitive data subject to

Which administrators have behavioral anomalies that

What are the security capabilities of the services