Cloud Security: What Every Tech Leader Needs to Know

Enterprises that move to the cloud enjoy clear benefits – namely redundancy, cost savings and easy integrations – but the challenges and security risks that come with hosting applications in the cloud are numerous as well. Among CTOs and CISOs there is unease with the lack of visibility; worry about the potential for data exfiltration by internal or external threat actors; and concerns about compliance. The issues don’t end there. We also find that rather than truly integrating security and compliance in the cloud, security often remains an afterthought, with organizations bolting on traditional on-premises security controls in a piecemeal fashion. Companies need a more proactive and comprehensive approach in order to achieve the right levels of control implementation, coverage, and maturity across all areas critical to effective cloud security.

This is the first in a series of articles setting forth our views on how enterprises can more effectively protect information in the cloud. The following best practices and insights are informed by our experiences protecting Fortune 100 enterprises from data breach and should be top of mind as companies seek to enhance their information security posture in the cloud.

One of the most important considerations for companies moving to the cloud is deployment and validation of data loss prevention (DLP) capabilities. For any Software-as-a-Service (SaaS) solution – including Office 365, Amazon Web Services, Salesforce, or Workday – one of the first steps toward effective DLP is establishing data labeling practices. Ineffective data labeling practices make protection against exfiltration risks almost impossible because DLP solutions rely on regular expressions, or pattern-based searches, to identify and protect against data loss. We advise companies to treat unlabeled documents with the utmost sensitivity and block them from leaving the enterprise by creating stringent DLP policies. This can be achieved via auto-quarantine of files that violate these policies.
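A sketch of the policy described above, added here as an illustration and not taken from any DLP product: labels are checked first, unlabeled files are quarantined by default, and pattern matches are checked before anything is released. The label names, the two patterns and the function names are assumptions made for this example.

```python
import re

# Constructed patterns: a US SSN shape and a 13-16 digit card candidate.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Hypothetical label taxonomy; only "public" may leave the enterprise.
KNOWN_LABELS = {"public", "internal", "confidential"}
EXTERNAL_OK = {"public"}

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the names of the pattern rules that match the text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("card")
            break
    return hits

def evaluate_outbound(label, text):
    """Return (action, reason) for a file about to leave the enterprise."""
    label = (label or "").strip().lower()
    if label not in KNOWN_LABELS:
        # Unlabeled or unrecognised label: treat as most sensitive.
        return ("quarantine", "unlabeled")
    hits = find_sensitive(text)
    if hits:
        # Content overrides the label: a mislabeled file is still held.
        return ("quarantine", "content:" + ",".join(hits))
    if label not in EXTERNAL_OK:
        return ("quarantine", "label:" + label)
    return ("allow", "ok")
```

The Luhn check shows why regex-only rules need a validation step: a 16-digit order reference matches the card pattern but fails the checksum, so it does not trigger a quarantine.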

Organizations that maintain sensitive data need to evaluate host-based sensitive data discovery solutions and/or network-based DLP provided by cloud access security broker (CASB) solutions. CASBs provide the ability to inspect all client-to-server traffic in cloud environments to reveal threats or malicious files hidden in Transport Layer Security (TLS) encrypted communications. CASBs also enable system admins to detect unauthorized network calls made from the cloud to malicious command-and-control (C2) servers. The auditing capability provided by CASB tools can be easily integrated with on-premises enterprise layered defenses. This integration provides a single-pane view of the entire enterprise threat protection capability.

Large global companies need to effectively protect sensitive data from exfiltration but may lack a complete understanding of the footprint of their various cloud solutions. This makes it all but impossible to achieve the DLP coverage necessary to fully protect the enterprise. Companies can achieve greater visibility into their cloud footprint through effective identity and access management practices such as single sign-on and granular authorization. These controls help companies ensure that sensitive traffic traversing their various cloud solutions is inspected by CASB proxies.

Recent security breaches have underlined the risks associated with failure to enforce granular authorization for access to files containing sensitive information. It is critical that companies effectively restrict access to members of authorized groups. When organizations are implementing security policies, system administrators also need to take into consideration enforcement of CRUD (“Create, Read, Update and Delete”) and download capabilities for each group within an organization. Along with this, conditional access must be enforced for contingent staff to ensure access is restricted to devices approved by the organization.
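The authorization model in the paragraph above can be expressed as a deny-by-default check, shown here as an added example that is not drawn from any specific product. The group names, the user record shape and the `authorize` function are assumptions for illustration; "download" is modeled as its own permission alongside the four CRUD actions.

```python
# Constructed policy: actions each group may perform on a sensitive share.
# "download" is granted separately from "read".
GROUP_ACTIONS = {
    "finance-analysts": {"read", "download"},
    "finance-editors": {"create", "read", "update"},
    "finance-admins": {"create", "read", "update", "delete", "download"},
    "contractors-finance": {"read"},
}
VALID_ACTIONS = {"create", "read", "update", "delete", "download"}

def authorize(user, action, resource_groups, device_approved):
    """Return (allowed, reason); deny unless a rule explicitly grants."""
    if action not in VALID_ACTIONS:
        return (False, "unknown-action")
    # Conditional access: contingent staff only from approved devices.
    if user["contingent"] and not device_approved:
        return (False, "unapproved-device")
    # Only groups the user holds AND the resource authorizes count.
    effective = set(user["groups"]) & set(resource_groups)
    if not effective:
        return (False, "not-in-authorized-group")
    granted = set()
    for group in effective:
        granted |= GROUP_ACTIONS.get(group, set())
    if action in granted:
        return (True, "granted")
    return (False, "action-not-granted")
```

An editor who can read a file in the browser is still refused a download, and a contractor with a valid group membership is refused everything from an unapproved device.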
