How to Implement an End-to-End Cloud Governance Workflow

By on Mar 16, 2016

As enterprises adopt cloud services, they are often challenged in maintaining governance and enforcing policies on cloud usage. A survey by Cloud Security Alliance (CSA) showed that only 21% of companies created a cloud governance committee responsible for creating and enforcing cloud usage policies and only 16% actually had an acceptable cloud usage policy.

The primary challenge with cloud governance is the limited visibility that IT teams have into cloud services used by employees. Recent McAfee (formerly Skyhigh Networks) research shows that an average company uses over 1,159 cloud services, and most of them are shadow cloud services that IT has not sanctioned. These services are often risky and put company data at risk of unauthorized access. While IT can block such services, it is not enough to plug the security holes, and blocking may actually lead to employees accessing even less reputable services.

Skyhigh Cloud Service Governance Datasheet

Skyhigh Cloud Service Governance

Download the Datasheet to learn how McAfee enables IT departments to streamline the process of analyzing and approving cloud usage requests from employees.

Download Now

Challenges with governance also arise because IT is not able to keep pace with the due diligence requirements for vetting the security capabilities of cloud services before approving them for on-boarding. Supporting this is data from another recent CSA survey showing that IT professionals receive, on average, 10.6 requests each month for new cloud services, and that it takes an IT security team 17.7 days to evaluate the security of a cloud service provider.

Shadow It and Sanctioned IT diagram

Enterprises are increasingly using Cloud Access Security Brokers (CASBs) to address cloud governance challenges. CASBs act as a control point to provide visibility into cloud usage and risk, detect threats from insiders and compromised accounts, and secure data by enforcing data loss prevention policies, encryption and contextual access controls. Using CASBs, enterprises can put in place a governance workflow that enables IT to manage the cloud services used within the company, streamline the onboarding process for new cloud services, and minimize the risk of data loss. Here’s how it works:

Step 1 – Get visibility into existing cloud usage

The first step towards cloud governance is to get visibility into cloud usage within the company. By analyzing web traffic logs and comparing them to their cloud registry, CASBs are able to provide visibility into all cloud services used within the company and their associated risk ratings. CASBs also provide usage information across multiple parameters and allow IT to drill down from service-level metrics to granular user-level and event-level information so they can better understand and remediate potential vulnerabilities. A recent CASB assessment for a Fortune 100 company revealed that the company had a separate 4000-user CRM deployment in one of their business units, even though they had an enterprise Salesforce license.

Filter cloud services by granular attributes

Filter cloud services by granular attributes

As companies assess CASB solutions, they should look for ones with a comprehensive cloud registry so they get maximum visibility. Note that companies should dig into whether a CASB solution is inflating the number of cloud services in their registry by including websites as opposed to cloud services, as this can drive up false positives on cloud usage. Companies should also ensure that before uploading web traffic logs for analysis, the CASB tokenizes sensitive data such as user IDs and IP addresses, to meet basic security and privacy requirements.

Step 2 – Build a cloud risk model

By providing detailed insight into each cloud service, CASBs enable companies to either extend their existing risk model to the cloud or define a cloud risk model based on selected attributes, such as blocking cloud services that are not ISO27001 certified, or those that do not provide encryption at rest, or fall beyond an accepted risk rating. This is possible because CASBs maintain detailed signatures on each cloud service and update them regularly.

To build a robust cloud risk model, companies need to use a CASB that not only has detailed and accurate security and risk attribute data for cloud services, but has also selected the right attributes, verified by an industry authority. Furthermore, the CASB should allow the company to customize the risk score to their requirements by adding new attributes or modifying the weighting associated with existing attributes.

Build a cloud risk model

Step 3 – Apply risk model to existing shadow cloud usage

After defining their risk model, companies can use a CASB to enforce acceptable use policies across all cloud services. The risk scores provided by a CASB allow the IT team to classify their cloud services into categories, such as approved/permitted/denied. In order to block a denied service, CASBs can push a blocking script to an existing proxy or firewall. Also, when employees attempt to access a risky cloud service, CASBs can display “just-in-time” educational messages to coach employees towards an approved alternative service with equivalent functionality.

For certain services which are medium risk, IT may want to enable employees to access data as required, albeit with some restrictions. For example, when marketing teams work with external contractors that want to share files using an unapproved cloud service, the CASB can enforce coarse grained policies, such as blocking uploads or restricting access to “preview-only”.

In order to successfully implement their risk model, companies need to use a CASB that can seamlessly integrate with leading on-premises proxies and firewall solutions such as Check Point, Zscaler, Juniper, Cisco, and Blue Coat. These pre-built integrations help reduce the testing and integration efforts required by the company IT teams.

Step 4 – Develop a cloud service on-boarding process using your CASB

Having implemented their cloud risk model, companies can use CASBs to streamline their on-boarding process for new cloud services. The cloud service signatures contained within a CASB registry help minimize the due diligence required by the IT team. Equinix , a large data center company and McAfee customer, was able to reduce the average time taken to review security attributes for cloud services, from 30 hours to 4 hours.

When employees request approval for a new cloud service, IT can use the CASB cloud registry to view detailed and current security and risk attribute data used to evaluate if the cloud service meets their risk model requirements. If they are not met, then IT can deny the request, and either suggest an existing sanctioned service or use the CASB to find a more secure alternative.

If the cloud service requested by the employee meets the requirements of the risk model, then the company can leverage the CASB vendor to perform a more detailed review, which can include pulling custom attribute information and audit documentation. Using the results of this review, the IT team can either approve the service, deny the service, or approve it only for use by selected teams within the company for a specific use case. The addition of a CASB to the on-boarding process can substantially reduce the time and effort required by the IT team and provide employees with access to more cloud services while maintaining security and governance.

As cloud services become the go-to options for enterprise users, it is increasingly important for companies to deploy a workflow for onboarding and managing these services. CASBs offer enterprises a reliable and scalable method to consistently accomplish both while significantly reducing IT effort. This way, companies can enable agility and employee productivity while adhering to their security requirements and risk posture.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs