It happens in every company. Employees find a cool new online service that makes them more productive. They create free or low-cost accounts on devices they use for work, and get all their friends and colleagues to join up. The new cloud service is great. The interface is a joy to use, it comes with mobile apps, and it spreads like wildfire.
The bad news is that these unauthorized cloud apps and services become part of the organization’s shadow IT, bypassing its IT, compliance, and procurement departments. The app may violate industry regulations or expose the company to significant security risks. Because it’s so entrenched, however, it's too hard to get users to stop using it.
How big a risk are shadow cloud services?
According to a cloud usage report Netskope, Inc., released last month, employees at the average enterprise use 1,022 different cloud services, and more than 90 percent are not enterprise-grade, meaning that they don't offer the management, security, and compliance features that companies need. For example, 67 percent of cloud services do not specify that the customer owns the data in their terms of service, and more than 80 percent do not encrypt data at rest.
A survey of 900 knowledge workers released last month by Harmon.ie found that 48 percent of respondents admitted that they used apps not sanctioned by their IT department, including apps for note-taking, project management, and file sharing.
Optiv Security, Inc., provides cloud risk assessment services where they'll monitor a company's web usage for a certain period of time and then report to the companies about the cloud apps being used. "We find literally thousands of applications being used inside an organization," says John Tuner, the company's senior director for cloud security. "That's often quite a shock to the IT folks. And it is often quite a shock when we detail out not just the thousands of apps, but the usage of those apps, the amount of data that's going back and forth, and the type of data going back and forth."
Trying to shut it all down just forces users underground, and the problem only gets worse — or there's so much push-back from the business units that the effort is abandoned. "In most cases, the productivity benefits are often business priorities of the organization," Tuner says. "If they block it, the team that blocks it will get four or five requests a week to unblock new applications. In many cases, they are overridden by someone above the security department."
"There is a proliferation of cloud-based solutions for almost any problem facing any company in almost any industry," says Alvaro Hoyos, CISO at OneLogin, Inc. "If one of your teams has a pain point, there is likely a solution out there for them."
It's a huge problem and only getting worse, says David Holmes, threat research evangelist at F5 Networks, Inc. "Every little service you can think of is getting cloudified," he says. "It's so easy to whip out your corporate Amex card."
The challenge of identity, security, and data protection in a cloud world
It first starts with user identities. When employees sign up for services on their own, they typically create a new, personal user account. "For a long time, all these cloud applications were relying on their own identification and authentication system based on user name and password," says Francois Lasnier, SVP of authentication at Gemalto. "If you wanted to sign up for Salesforce.com, you had to create an account within Salesforce.com. It was basically putting the identity system within these cloud applications."
Today, the most popular services offer standards-based user provisioning and management, typically using Security Assertion Markup Language (SAML), he says. Another standard gaining adoption is OpenID. "That's helping, because it allows the emergence of access management solutions that really can address most of your cloud adoption hurdles," he says.
When employees sign up for these services, they typically don't ask critical questions. "What are [cloud services] doing about patch hygiene?" McArdle says. "How are they monitoring their own infrastructure? These are questions that an end user is never going to ask, unless they're a cybersecurity professional."
Lack of identity management leads directly to data protection problems. When employees create personal user accounts, the accounts are not automatically decommissioned when they leave a company. If, for example, they set up an account with a file sharing company to exchange documents with other employees or with business partners, that data is now beyond the control of their employers.
"The employee has this data wherever they go, even if they leave the company," says Erik Brown, CTO at GigaTrust Corp. "Great for the employee, a security risk for the company." Plus, there are no controls over who the employees share the data with.
Enterprises originally built their security architectures without having cloud services in mind, says Jim Reavis, CEO at the Cloud Security Alliance. "We've built a somewhat rigid architecture that depends on data flows going through enterprise networks and firewalls and intrusion detection devices and web gateways," he says. "Cloud services — both authorized and unauthorized — require that you understand that you need a virtual view of the world."
For example, a data loss prevention (DLP) system that monitors traditional, on-premises email traffic would be helpless in the face of cloud email systems. In fact, web-based email was the single biggest source of violations of DLP policies, according to Netskope, accounting for 42 percent of violations. Cloud storage services were next, at 30 percent, followed by collaboration tools at 10 percent.
Then there's the compliance issue. According to Netskope, fewer than a quarter of cloud services used by enterprises are compliant with the European Union’s General Data Protection Regulation (GDPR), which goes into effect next spring. Even those rated as high for GDPR readiness still have significant problems. For example, 57 percent do not support encryption of data at rest, and more than 80 percent replicate data in geographically dispersed data centers.
The cloud service malware threat
Insecure, unapproved cloud service providers don't just pose the risk of corporate data being shared outside the enterprise. They can also create a channel for attackers to exploit. A compromised web service could update client software on user machines with a malicious version, since updates often go through without security review.
That's just what happened with a Ukrainian tax software company this summer, says eSentire's McArdle. The infected application then installed the Petya wiper malware. It first attacked Ukrainian banks, energy companies, government agencies, airports, and radiation monitoring equipment within the Chernobyl power plant and then spread to other countries and business sectors.
Some cloud applications are run by small teams, but may be widely used across a particular industry, he says. "You might have a 50-person startup with a cloud service hosted on AWS," he says. "Attacking that single cloud service becomes extremely valuable. This isn't just a theoretical. This is already happening. The bad guys have imaginations. They're evil innovators and the creativity they employ in their attacks is not to be underestimated."
Attackers can also take advantage of cloud-based systems in other ways, as well. McAfee surveyed 1,000 IT professionals ahead of this year's RSA conference, and 52 percent said that they had tracked a malware incident back to a cloud application such as Dropbox. Overall, 65 percent said that unsanctioned cloud applications interfere with security.
How to secure cloud access
The most common method that companies use to get a handle on cloud sprawl is via cloud access security brokers (CASBs) and single sign-on (SSO) systems. Skyhigh, Netskope, Forcepoint, Okta and other cloud access security brokers allow companies to manage user accounts and access to many of the most popular cloud business applications. IBM, Microsoft, VMware and Cisco also offer CASB solutions. Most also include some form of single sign-on or user portals where employees can easily access all their web services.
Users benefit from have a single, centralized sign-on for all their cloud services, so that they do not have to remember hundreds of different passwords — or, worse, use the same password everywhere. "Enterprises should employ single sign-on technology that flags when access to sensitive data requires a second step in terms of authentication capabilities, and when a federated login will suffice," says Darrell Long, SVP of product management for CA Security at CA Technologies. "It’s also imperative for enterprises to think through how they manage login data and credentials in the event an employee is no longer with the company. They need to deny any future access while still provisioning a way to review end-to-end management of that identity on a day-to-day basis."
Having a single sign-on system in place can also help reduce the number of unsanctioned apps that employees sign up for, says F5's Holmes. "If you're a new employee and you sign in and you see all the services, you can say, 'Oh, I can see we're supposed to use Box and not use Dropbox,'" he says.
As a result, companies should not wait to deploy a single sign-on solution, he adds. "The faster an organization can deploy and get that working, the more success they're going to have," he says.