With over 400 enterprises using McAfee to secure and enable cloud services for their employees, we’ve had the opportunity to work with some amazing IT security teams that are innovating and creating new processes and approaches to cloud security in real-world, real-time scenarios. With them, we’ve developed a set of cloud security and enablement best practices that our customer success managers advise all of our clients on. The goal of all of these practices is to enable the use of cloud services by employees in a way that maintains the level of data security and compliance the enterprise requires.
The cloud has created a paradigm shift in the way that we store, access, and share information. Because the use of cloud services is relatively new to some organizations, while being old news to others, we find that customers exist at all points on the cloud maturity spectrum. In this series of top 10 real-world cloud security best practices, I’ll start by sharing the most basic and widely applicable best practices and will move on to the more involved and complex practices as we work through the list. So, to kick us off, with a nod to Liverpool football’s slogan “You’ll Never Walk Alone”, we start the list with “Never Block Alone”.
Step 1: Identify high-risk services
Upon logging into McAfee MVISION Cloud (formerly Skyhigh Networks) for the first time, customers often find a number of high-risk cloud services in use. Services may be considered high-risk for various reasons, including but not limited to: they don’t encrypt data in transit or at rest, they permit anonymous use, they claim IP ownership of your data, or they are hosted in an ITAR-restricted country.
Step 2: Understand usage of high-risk services
In the screenshot above, you’ll see that this customer has 77 high-risk services in use across their company. To better understand the usage of high-risk services, we have customers drill into the report of all high-risk services and look at a few key metrics: what function each service performs, how many users it has, how frequently they access it, how much data they upload to and download from it, and how much of that traffic is currently allowed or blocked by the customer’s firewalls and proxies.
Many customers are surprised that their firewalls and proxies are not currently blocking the use of these services because, for example, they had previously created policies to block unsanctioned file-sharing services. However, even the latest generation of firewalls and proxies fails to detect, or misclassifies, most cloud services, rendering the customer’s perimeter policies ineffective. Additionally, customers often find “proxy leakage”, where they are only partially blocking a service they intend to fully block, because their perimeter is controlled by a patchwork of different egress devices, some of which are not configured properly, or because exceptions are mishandled and access is unintentionally granted to users outside of policy.
Step 3: Determine your policy
Once the customer has a full understanding of their high-risk service usage, we advise them to develop a policy that determines acceptable use by category, risk level, and even the specific service. Policies can be either coarse (e.g. block all high-risk file-sharing, collaboration, and IT development services) or granular (e.g. block all uploads to only those high-risk file-sharing services that permit anonymous use).
Step 4: Enforce your policy (but never block alone)
Once you’ve set your policy, it’s time to enforce it. The best practice here is to use McAfee’s API integration with firewalls and proxies, which enables closed-loop remediation. In other words, we advise customers to create either coarse or granular acceptable use policies within McAfee, and then the enforcement of the policies occurs automatically via the customer’s existing firewalls and proxies. Using McAfee’s analytics, customers then monitor traffic to ensure that policies are being enforced consistently and that “proxy leakage” is non-existent.
It’s important to consider the policy from the user’s perspective as well. The vast majority of employees who use high-risk services do so because they are oblivious to the risks of the service, not because they are doing something malicious. So, blocking services that used to be accessible is likely to generate employee ire and corresponding calls to the IT help desk. Rather than simply blocking high-risk services, we always advise customers to employ coaching in order to 1) educate employees on the risks of the service they are attempting to use, 2) inform them of the acceptable use policy, and 3) provide a sanctioned, enterprise-ready alternative.
Above is a sample of a typical coaching message that accomplishes the three goals listed above. The messages are automatically served as pop-up windows via McAfee’s integration with firewalls and proxies when users attempt to access high-risk services out of policy. You’ll notice an “Acknowledge and Proceed” option in the message. We advise customers that it’s often best to provide this option for the first month or two so that employees can pull the data they’ve previously stored in the service out and move it to the IT-sanctioned alternative.
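As an added illustration of the four steps above (this is example code written for this post, not code from McAfee MVISION Cloud or any McAfee product), the following Python script models a service catalogue carrying the high-risk attributes named in Step 1, summarises per-service usage from a few constructed proxy and firewall log lines (Step 2), expresses one coarse and one granular policy of the kinds described in Step 3, and enforces them with an allow/coach/block decision, a three-part coaching message, and a check for “proxy leakage” across egress devices (Step 4). Every service name, attribute value, log line, the log format and the sanctioned-alternative mapping are assumptions constructed for the example.

```python
# Added example (not McAfee's code): a model of the four steps in the post,
# run over constructed proxy/firewall log lines. Service names, attributes,
# the log format and the policies are all assumptions made for this example.
from collections import defaultdict

# Step 1: hypothetical service catalogue with the risk attributes the post
# lists (encryption in transit / at rest, anonymous use, IP-ownership claims,
# hosting in an ITAR-restricted country). All values are constructed.
CATALOG = {
    "quickshare.example": dict(category="file-sharing", tls=True, encrypted_at_rest=False,
                               anonymous_use=True, claims_ip=False, itar_host=False),
    "securebox.example":  dict(category="file-sharing", tls=True, encrypted_at_rest=True,
                               anonymous_use=False, claims_ip=False, itar_host=False),
    "pastedev.example":   dict(category="it-development", tls=True, encrypted_at_rest=True,
                               anonymous_use=False, claims_ip=True, itar_host=False),
    "teamnotes.example":  dict(category="collaboration", tls=False, encrypted_at_rest=True,
                               anonymous_use=False, claims_ip=False, itar_host=True),
}
# Assumed IT-sanctioned alternative per category, used in the coaching message.
SANCTIONED = {"file-sharing": "securebox.example"}

def risk_reasons(attrs):
    """List the reasons a service counts as high-risk (empty list if none apply)."""
    checks = [
        (not attrs["tls"], "does not encrypt data in transit"),
        (not attrs["encrypted_at_rest"], "does not encrypt data at rest"),
        (attrs["anonymous_use"], "permits anonymous use"),
        (attrs["claims_ip"], "claims IP ownership of uploaded data"),
        (attrs["itar_host"], "is hosted in an ITAR-restricted country"),
    ]
    return [reason for flagged, reason in checks if flagged]

def risk_level(attrs):
    return "high" if risk_reasons(attrs) else "low"

def high_risk_services():
    return sorted(s for s, a in CATALOG.items() if risk_level(a) == "high")

# Step 2: constructed log lines in the (assumed) form
#   <egress device> <user> <service> <upload|download> <bytes> <allowed|blocked>
LOG_LINES = """\
proxy-hq   alice quickshare.example upload   5120000 allowed
proxy-hq   bob   quickshare.example upload   2048000 blocked
fw-branch2 carol quickshare.example download  880000 allowed
proxy-hq   alice securebox.example  upload   7340000 allowed
fw-branch2 dave  pastedev.example   upload    120000 allowed
proxy-hq   erin  teamnotes.example  download  300000 blocked
fw-branch2 erin  teamnotes.example  upload    450000 allowed
""".splitlines()

def summarise(lines):
    """Per-service metrics: distinct users, request count, bytes up/down, and
    how much of the traffic the perimeter currently allows versus blocks."""
    stats = {}
    for line in lines:
        _device, user, service, direction, nbytes, action = line.split()
        s = stats.setdefault(service, {"users": set(), "requests": 0, "up": 0,
                                       "down": 0, "allowed": 0, "blocked": 0})
        s["users"].add(user)
        s["requests"] += 1
        s["up" if direction == "upload" else "down"] += int(nbytes)
        s[action] += 1
    return stats

# Step 3: the two policy shapes the post describes (coarse by category,
# granular: only uploads to high-risk services that permit anonymous use).
COARSE_POLICY = {"block_categories": {"file-sharing", "collaboration", "it-development"}}
GRANULAR_POLICY = {"block_anonymous_uploads": True}

def decision(policy, service, direction, grace_period=False):
    """Step 4: 'allow', 'block', or 'coach' (the coaching pop-up with an
    acknowledge-and-proceed option while the data-migration grace period is open)."""
    attrs = CATALOG[service]
    if risk_level(attrs) != "high":
        return "allow"
    out_of_policy = (
        attrs["category"] in policy.get("block_categories", set())
        or (policy.get("block_anonymous_uploads", False)
            and direction == "upload" and attrs["anonymous_use"])
    )
    if not out_of_policy:
        return "allow"
    return "coach" if grace_period else "block"

def coaching_message(service):
    """The three things the post says a coaching message should do: name the
    risk, state the policy, point to the sanctioned alternative."""
    attrs = CATALOG[service]
    alt = SANCTIONED.get(attrs["category"], "the IT-sanctioned alternative")
    return (f"{service} {'; '.join(risk_reasons(attrs))}. "
            f"Use of high-risk {attrs['category']} services is outside the acceptable use policy. "
            f"Please use {alt} instead.")

def proxy_leakage(lines, policy):
    """Services the policy blocks that some egress device still let through,
    mapped to the devices that allowed them (the 'patchwork' problem)."""
    leaks = defaultdict(set)
    for line in lines:
        device, _user, service, direction, _nbytes, action = line.split()
        if action == "allowed" and decision(policy, service, direction) == "block":
            leaks[service].add(device)
    return {svc: sorted(devs) for svc, devs in leaks.items()}
```

Running `proxy_leakage(LOG_LINES, COARSE_POLICY)` over the constructed lines reports that `fw-branch2` lets through traffic to all three high-risk services while `proxy-hq` only leaks `quickshare.example`, which is the kind of device-by-device discrepancy the post calls proxy leakage; switching to `GRANULAR_POLICY` narrows the finding to the single allowed anonymous-service upload, because downloads are in policy under that rule.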
Does this work in practice?
Does this process work in actual real-world scenarios? Yes, it definitely does. McAfee customers that have employed this best practice have seen a 97% reduction in data sent to high-risk cloud services and a 19% increase in their IT-satisfaction index. More often than not, users are happy to work within policy as long as you educate them effectively on the policy and the reasons for it, and provide a safe and functional alternative. As McAfee customer Brian Lillie, CIO of Equinix, says, “We have gone from CIO to CI-NO. I want to become the Chief Enabler for my business – McAfee lets me do that!” By employing this best practice you too can go from CI-NO to Chief Enablement Officer.