A survey of over 2,000 security professionals found that only 42% of organisations have policies in place that restrict or monitor the use of unsanctioned cloud applications, even though 53% of respondents named unauthorised apps as their biggest cloud security threat. The survey, undertaken by BitGlass Inc, looked at the evolution of cloud security.
More and more organisations are transitioning to Office 365, many use cloud storage and sharing (OneDrive, Dropbox), and accounts and CRM systems are increasingly cloud based (Xero, KashFlow, Dynamics, Salesforce). It is fair to say that cloud services now have a firm foothold in most businesses. One of the problems with applications shifting “outside” of the firewall is that many organisations lose the ability to control access in a granular manner, and to monitor that access.
User access controls, auditing and similar mechanisms are features of many cloud applications, but they are only useful (and available) for applications under your control. If you permit your staff to reach these approved hosted applications, are you inadvertently permitting them access to unsanctioned ones (e.g. a personal Dropbox or OneDrive account) and, more importantly, why is this an issue? Growing concerns for many organisations are the insider threat (threats originating from your own staff), data protection obligations and data loss or data theft. Data loss events may be deliberate (a disgruntled employee) or accidental, but both have consequences, and those consequences are heightened by the forthcoming GDPR (General Data Protection Regulation), which affects the UK, the EU and the Isle of Man.
There are many vectors for data loss: USB drives, photocopying, printing and the obvious one, the internet. A common conduit for stealing or taking data out of the workplace (often innocently) is a cloud service such as file storage or webmail. The problem for many organisations is that they need to permit web access so staff can use legitimate, sanctioned cloud applications; how then does a business control access to unauthorised applications?
There are dozens of solutions that can control applications on the desktop (Windows Group Policy, Windows permissions and application whitelisting, to name a few), but they are ineffective against applications used through a web browser. Other organisations try to control data loss through web proxy solutions with rudimentary URL filters; these often lack accuracy and in many cases rely on crude wildcard *.domain policies. Such policies block “known” services, but that list grows by the day. The approach is akin to keeping a list of bank robbers: you often don’t know who the bank robber is until after the event.
A more controlled and accurate mechanism is to employ a Next Generation Firewall (NGFW) with Layer-7/application awareness. Using a combination of threat intelligence, application signatures and application databases, a NGFW lets you define granular “cloud policies” that explicitly allow sanctioned applications and deny everything else, including services the firewall does not recognise. You could, for example, allow general web access but block the “cloud storage” category, or allow Office 365 but block OneDrive and Dropbox. One practical caveat: most of this traffic is HTTPS, so the firewall can only classify what it can see. Without TLS decryption, application identification relies on what is visible in the handshake (server name and certificate), which is enough to tell Dropbox from Office 365 but not to inspect the file being uploaded.
Firewall policies have moved beyond rudimentary IP and domain restrictions, and additional intelligence is required to support this transition, both in the device and in the expertise needed to craft and maintain the policies (application signatures change and new services appear, so rule sets need periodic review). A secondary function of a NGFW is to alert you when a user attempts to use an unsanctioned cloud application (e.g. uploading a confidential file). Such an attempt could be an indicator of compromise or an innocent attempt to “bring work home”; either way, the event should be logged somewhere it will actually be reviewed.
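As an added illustration (not code from the original article or from any firewall vendor), the toy policy evaluator below models the first-match rule processing described above: a constructed application database stands in for the NGFW’s signatures, sanctioned applications are allowed explicitly, the cloud-storage category is denied, and anything unmatched (including a service the database has never heard of) falls to a default deny that raises an alert. A second policy shows the common mistake of placing a catch-all allow ahead of the deny rule, which silently lets OneDrive through. All application names, categories, rule names and log lines are assumptions made for the example.

```python
"""Toy first-match application-aware policy evaluator.

Added illustration only; the application database, rule format and
alert lines are constructed for this example and are not any vendor's.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for an NGFW application signature database
# (application name -> category). Real products ship thousands of entries.
APP_DB = {
    "office365-exchange": "collaboration",
    "office365-sharepoint": "collaboration",
    "onedrive": "cloud-storage",
    "dropbox": "cloud-storage",
    "salesforce": "crm",
    "web-browsing": "web",
}


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    app: Optional[str] = None       # match one identified application ...
    category: Optional[str] = None  # ... or a whole category from APP_DB
    # app=None and category=None is a catch-all that matches anything.

    def matches(self, app: str) -> bool:
        if self.app is not None and self.app != app:
            return False
        if self.category is not None and APP_DB.get(app) != self.category:
            return False
        return True


@dataclass
class Policy:
    rules: List[Rule]
    events: List[str] = field(default_factory=list)  # alerts raised so far

    def evaluate(self, user: str, app: str) -> str:
        """Return the action for one flow; the first matching rule wins."""
        for rule in self.rules:
            if rule.matches(app):
                if rule.action == "deny":
                    self.events.append(
                        f"ALERT user={user} app={app} rule={rule.name}")
                return rule.action
        # Nothing matched: implicit default deny. Unknown and newly launched
        # services land here, which is the point of an allow-list policy.
        self.events.append(f"ALERT user={user} app={app} rule=default-deny")
        return "deny"


# Sanctioned apps allowed explicitly, cloud storage denied, everything
# else dropped by the implicit default deny.
SANCTIONED_ONLY = Policy(rules=[
    Rule("block-cloud-storage", "deny", category="cloud-storage"),
    Rule("allow-exchange", "allow", app="office365-exchange"),
    Rule("allow-sharepoint", "allow", app="office365-sharepoint"),
    Rule("allow-crm", "allow", app="salesforce"),
    Rule("allow-web", "allow", category="web"),
])

# Same intent, wrong order: the catch-all allow is evaluated first, so the
# cloud-storage deny never fires and no alert is ever raised.
MISORDERED = Policy(rules=[
    Rule("allow-any", "allow"),
    Rule("block-cloud-storage", "deny", category="cloud-storage"),
])


if __name__ == "__main__":
    for app in ["office365-sharepoint", "onedrive", "dropbox",
                "some-new-file-sharer"]:
        print(f"{app:22s} sanctioned-only={SANCTIONED_ONLY.evaluate('alice', app):5s}"
              f" misordered={MISORDERED.evaluate('alice', app)}")
    for event in SANCTIONED_ONLY.events:
        print(event)
```

Running the script shows OneDrive, Dropbox and the unknown file-sharing service all denied (and alerted on) by the sanctioned-only policy, while the misordered policy allows every one of them. The same ordering check is worth performing on a real rule base: any broad allow that sits above a category deny will shadow it.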
In summary: the use of cloud applications is increasing at an unprecedented rate, and it is a trend that should be encouraged, but it is vital that this access is monitored and controlled. If you would like to learn more about how Manx Technology Group can help you monitor and control “cloud” access in your organisation, please get in touch.