Enterprises around the world are adopting the cloud at an increasing pace to provide their employees with services that increase productivity and their customers with new digital experiences that drive business growth.
In the process, sensitive enterprise data is increasingly created, stored, and shared in the cloud and it is therefore exposed to new threats and ways to exfiltrate. So how do you keep track of your data?
In our recent Cloud Adoption and Risk Report, we found that around 40% of enterprise data in the cloud ends up in Collaboration SaaS services such as Office 365, 25% in Business SaaS services such as Salesforce.com, 24% in IaaS/PaaS platforms and around 10% in Shadow IT.
This data drives our innovation engine and has pushed us to extend the cloud security capabilities of MVISION Cloud, our CASB platform, first from Shadow IT to Sanction SaaS services, then to IaaS and PaaS platforms such as AWS, Azure and Google Cloud Platform (GCP).
These insights should also drive customers’ cloud security priorities as they tackle the use cases that lead to highest risk of data leaks. To better understand the cloud security use cases that expose enterprise data to threats and leaks, I recorded the video below where I take you through the day in the life of two employees: Maria, an account executive and Sam, an application developer. I first take a look at how they use cloud to get their job done, then I explain how their actions can put sensitive data in jeopardy. Finally, I review how MVISION Cloud helps enterprises address these use cases and allow employees and developers to take advantage of the cloud while maintaining a strong security posture.
Cloud Security Use Cases Video
Employees Cloud Use Cases
One of the main reasons we use the cloud is to collaborate but, in the process, employees sometimes share sensitive data. Once that data is out of the managed instance of Microsoft Office 365 (O365), for example, it is gone.
MVISION Cloud uses a proprietary implementation of the O365 APIs that we call Lightning Link to connect to O365, then scan and tag the documents that contain confidential information. If a user attempts to share any of those documents. MVISION Cloud blocks the operation in real time and informs IT, as well as the employee. The employee can then take action, for example, removing the confidential information from the document.
This same mechanism is used to protect enterprise data form being stolen. For example, it can prevent employees from uploading to a personal instance of a cloud storage solution such as Box or Dropbox.
Most companies let their employees use personal devices at work. This increases employees’ satisfaction and lowers enterprise’s costs, but it may cause data to leak to unmanaged devices. For example, when an employee syncs their work email to their personal device.
To address this use case, MVISION Cloud uses a reverse proxy that sits in front of cloud services to intercept the authentication path and perform a security device posture check. Based on that, it can block or limit access to enterprise information. For example, a sales rep downloading a presentation from Box to their IT-managed device will do so seamlessly, but will be denied if they try to download customer contacts to another, unmanaged personal device.
A lesser known cloud security use case is when an employee stores confidential information inside text fields in Salesforce or other cloud business applications. This creates a potential compliance problem especially in highly regulated industries such as Finance or Healthcare.
MVISION Cloud connects to Salesforce.com via APIs, scans the information contained inside structured and unstructured fields and generates a complete compliance report. For example, if a customer’s credit card number is written into a “notes” field of their contact, and not encrypted, your company may be in violation of Payment Card Industry (PCI) compliance. MVISION Cloud will detect this immediately and allow you to take corrective action.
Cloud applications are also collaborative with other cloud applications. The Cloud runs on APIs, and APIs made it possible for thousands of applications to be built atop enterprise cloud applications – for example – O365, Salesforce.com, Google, Slack etc. These companion apps get access to your data but may not have the level of security that your company requires.
MVISION Cloud monitors access to your sanctioned business applications by third party applications and allows you to build data protection policies to ensure that enterprise data does not exfiltrate to the risky third-party applications through cloud-to-cloud traffic.
Developer Cloud Security Use Cases
Over the years, developers have created a number of different accounts in AWS, Azure and GCP, to experiment with cloud development. This is what we call account drift, which creates a vulnerability problem with lots of credentials left out there in the wild, subject to be stolen. If a developer leaves your company or simply forgets about an account, sensitive information may be long forgotten, waiting for someone to find credentials and gain access without being noticed.
MVISION Cloud monitors access to a company IaaS/PaaS instances and gives IT an opportunity to bring unmanaged developer’s accounts under control. This limits the exposure to malicious access and misuse of developer accounts containing enterprise data and applications.
There are dozens, if not hundreds, of configuration knobs that a developer can turn to configure an IaaS/PaaS platform, upon which his or her cloud applications run. If not properly set, these configuration knobs can leave the environment in an unsecure state exposing enterprise data to leakage and threats.
MVISION Cloud continuously monitors your IaaS/PaaS configuration to make sure that it is secure at all times, measuring against industry benchmarks for secure configuration such as Center for Internet Security (CIS). When MVSION Cloud detects a problem, it informs the administrators and, in many cases, can automatically fix the misconfiguration.
Public Cloud DLP
Developers use the public cloud to develop custom applications that give their companies a competitive advantage. For example, and insurance company may create an app that allows customers to upload and access their claim documents, all running on the public cloud. If unmonitored, that data may be leaked, causing numerous issues from non-compliance and fines to reputation damage.
MVISION Cloud connects to IaaS/PaaS platforms and scans their storage buckets to identify and tag sensitive data, then allows you to create policies to protect it. The data you need to protect can be blocked from leaving anywhere but the app and approved users, and encrypted at rest and in motion.
Conclusion—New Rules for a New World
The cloud represents a compelling opportunity to streamline and accelerate business, however, as enterprises adopt SaaS, IaaS and PaaS services, their sensitive data is going to be increasingly stored outside of the traditional boundaries of the enterprise network. This new world requires a cloud-native approach to security, one that can be achieved by deploying a Cloud Security Platform such as McAfee MVISION Cloud to regain the visibility and control enterprises need to know their data is safe in the cloud.
About the Author
Categories: Cloud Security