
Beyond Encryption:

5 KEYS TO PROTECTING CORPORATE DATA IN THE CLOUD

Brought to you by

INTRODUCTION
With companies moving more applications and data to the cloud, the ability to protect corporate data wherever it lives or travels is essential. The cloud remains top of mind for CIOs and executives worldwide, occupying the top spot on CIO priority lists according to a 2013 survey by Morgan Stanley. This is no surprise, as organizations in every industry are increasingly turning to the cloud to take advantage of its greater agility, faster time to value, lower total cost of ownership, and greater productivity. Even though there are clear-cut drivers for adopting cloud solutions, risks exist as well. With cyber attacks, malicious insiders, and government intrusion in mind, security remains the primary concern that is holding back cloud projects for 42% of IT teams. [1]
42% of IT teams say security concerns are holding back cloud projects.

A LESSON LEARNED FROM THE BANKING INDUSTRY


In order to enable the adoption of cloud services across their organizations, IT and Security departments are developing strategies for securing their key cloud services: Salesforce, Office 365, ServiceNow, NetSuite, Jive, Box, and many more. In doing so, leading IT departments have taken a page out of the banking security handbook and developed a layered security approach to protect their valuable corporate data in the cloud. When protecting valuable assets, namely cash, banks do not rely on a vault alone. Instead, they implement 5 key protection layers. These include:

1. Bank vault to house and protect the money
2. Access policy to dictate who can access the vault, when, and what identification is required
3. Surveillance cameras to record all activity
4. Security guards to prevent thieves from entering and/or leaving the premises
5. Armored transport to deliver money securely from one location to another

[1] Morgan Stanley 2013 CIO Survey


Innovative IT and Security departments are using a similar layered approach in order to secure their corporate data in the cloud by implementing these 5 key protection layers:

1. Encryption to protect both structured and unstructured data
2. Contextual access control to enforce access policies based on user, device, and location
3. Application auditing to capture all usage metrics and provide a detailed audit trail
4. Data loss prevention (DLP) to ensure compliance with regulatory and governance policies
5. Cloud-to-cloud control to ensure consistent policy enforcement as data moves between clouds

[Figure: bank protection layers paired with cloud protection layers. Vault: Encryption. Vault access policy: Contextual access control. Guards: DLP. Surveillance: Application auditing. Armored transport: Cloud-to-cloud control.]

IT and Security teams are implementing a layered security approach to protect their cloud data similar to the one used by banks to protect their assets.

1. ENCRYPTION
Just as a bank uses its vault to protect assets, security groups use encryption to protect their valuable data in the cloud. In fact, when faced with the risk of security breaches in the cloud, the first thing many IT security professionals think is "we need to encrypt this data." The motivations for encrypting data in the cloud can include:

a. Protecting data in the event of a security breach
b. Preventing cloud services from secretly sharing data with the government in response to a blind subpoena
c. Eliminating breach notification requirements for regulations such as HIPAA because the data is not decipherable by a third party

There are three important points to consider with cloud data encryption. First, organizations should make sure the encryption provider shares the encryption scheme with them and that the encryption methodology has been vetted by the academic community. Second, encryption needs to support both structured and unstructured data. Unstructured data includes items like Microsoft Office files, PDFs and other documents. Structured data can include specific fields in critical applications like Salesforce. For both, it's essential to preserve the format of the data and maintain key end user functionality like searching and sorting. Lastly, this end user functionality should require no change in end-user behavior. This means that the end-user functionality such as search must remain within the native application and not require a third-party application. Requiring users to download a third party application for search creates friction and impedes adoption, motivating users to find a way around it. Users must also remember that while encryption is an important first step, it is not the only thing organizations need to do to secure their data in the cloud.

2. CONTEXTUAL ACCESS CONTROL


Just as a bank uses a vault access policy to dictate who can enter the vault and when, enterprises use cloud access security policies to dictate who can access data from what device and where (geographic location). There are three areas of context that should be used to enforce corporate policies in the cloud:

a. Identity: user information federated with an LDAP directory like Active Directory and single sign-on vendors like Okta and Ping Identity. This allows you to control access for certain types of users or departments.
b. Device: device type, operating system, and even OS version can be used to control cloud access similar to allowed devices on the network.
c. Location: as companies expand their presence globally, geographic location can be used to limit access from specific countries.

3. APPLICATION AUDITING
Just as a bank uses surveillance cameras to record all activity and provide a detailed audit trail, security organizations leverage application auditing in order to review cloud service activity. In the event there is a potential breach or the organization needs to demonstrate compliance, IT needs to produce a detailed audit trail of user actions within enterprise applications. The cloud is no different. Organizations should consider applying the same security policies to cloud services they do with on-premise applications. Taking auditing a step further, organizations also employ real-time identification and alerting of anomalous use so they can take the appropriate action when a breach occurs. There are several considerations when auditing cloud usage:

a. The ability to capture all usage whether it originates over the corporate network, directly to the cloud from a mobile device, or cloud-to-cloud, where a cloud application accesses data in another cloud service via an API.
b. Thresholds for detecting anomalous usage should be tied to typical usage by each user and application to automatically determine what is atypical.
c. If anomalous usage is detected, IT teams need to be alerted and also need to be able to drill down and examine the exact record or object that was involved.
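The per-user thresholds and drill-down described in points b and c can be sketched as follows. This is an added example, not code from the whitepaper or its vendor; the event fields, the `k` multiplier and the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def daily_counts(events):
    """Group events by (user, app), then by day -> list of touched objects."""
    out = defaultdict(lambda: defaultdict(list))
    for e in events:
        out[(e["user"], e["app"])][e["day"]].append(e["object"])
    return out

def find_anomalies(events, today, k=3.0, min_history=5, min_sigma=1.0):
    """Flag (user, app) pairs whose activity today exceeds their own baseline.
    Assumption: days with no events are simply absent from the history."""
    alerts = []
    for key, days in daily_counts(events).items():
        history = [len(objs) for d, objs in days.items() if d < today]
        if len(history) < min_history or today not in days:
            continue  # too little history to say what is typical
        mu = mean(history)
        sigma = max(pstdev(history), min_sigma)  # floor for perfectly flat usage
        count = len(days[today])
        if count > mu + k * sigma:
            alerts.append({"user": key[0], "app": key[1], "count": count,
                           "baseline": round(mu, 1),
                           "objects": sorted(set(days[today]))})  # drill-down
    return alerts

def sample_events():
    """Constructed sample data: seven days of history, then day 8."""
    ev = []
    for day in range(1, 8):
        ev += [{"day": day, "user": "alice", "app": "crm", "channel": "corporate",
                "object": f"acct-{n}"} for n in range(3)]    # alice: 3 per day
        ev += [{"day": day, "user": "bob", "app": "crm", "channel": "mobile",
                "object": f"acct-{n}"} for n in range(40)]   # bob: 40 per day
    ev += [{"day": 8, "user": "alice", "app": "crm", "channel": "cloud-to-cloud",
            "object": f"acct-{n}"} for n in range(40)]       # alice jumps to 40
    ev += [{"day": 8, "user": "bob", "app": "crm", "channel": "mobile",
            "object": f"acct-{n}"} for n in range(42)]       # ordinary for bob
    return ev

if __name__ == "__main__":
    for a in find_anomalies(sample_events(), today=8):
        print(a["user"], a["app"], a["count"], "vs baseline", a["baseline"])
```

Roughly the same daily volume is flagged for one user and not the other, which is what a fixed global threshold cannot do.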

4. DATA LOSS PREVENTION


In the same way a bank uses guards to prevent thieves from entering the bank, security teams leverage DLP to ensure that specific data are not sent to the cloud unprotected. Some examples of data you may be concerned about moving to the cloud include personally identifiable information (PII) like social security numbers or protected health information (PHI) like patient records. There are many regulations that govern personal information including PCI, HIPAA, and HITECH along with region-specific regulations like the EU Data Protection Directive. When it comes to implementing DLP, organizations want flexibility in a few different areas:

a. Inline or offline (or both): Inline DLP can identify in real-time when PII and PHI data such as Social Security Numbers are being uploaded to the cloud. An example of offline DLP is scanning documents previously uploaded to a file sharing and collaboration service for policy violations.
b. What action to take: Depending on your company's compliance stance and industry, the preferred action could include a combination of blocking the data, alerting administrators, or encrypting the data before it is uploaded to the cloud.
c. Integration with on-premise DLP solutions: Integration allows you to extend your on-premise DLP policies to cloud services without reinventing them.
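A minimal sketch of the inline and offline checks from point a and the action choice from point b, as an added example that is not part of the original paper. The service names, the policy table and the sample strings are constructed assumptions; the validity rules reflect SSN ranges that are never issued.

```python
import re

# Candidate SSNs: 3-2-4 digits separated by dashes or spaces, not embedded
# in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

def find_ssns(text):
    """Return plausible SSNs, skipping ranges that are never issued."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area[0] == "9":
            continue  # unassigned area numbers (9xx is the ITIN range)
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits

# Hypothetical policy: action per destination service (names are made up).
POLICY = {"file-sharing": "block", "crm": "encrypt"}
DEFAULT_ACTION = "alert"

def inspect_upload(service, text):
    """Inline check: decide what happens to an upload before it leaves.
    Only a match count is returned so the verdict itself carries no PII."""
    hits = find_ssns(text)
    if not hits:
        return {"action": "allow", "matches": 0}
    return {"action": POLICY.get(service, DEFAULT_ACTION), "matches": len(hits)}

def scan_stored(documents):
    """Offline check: count violations in documents already uploaded."""
    report = {}
    for name, body in documents.items():
        n = len(find_ssns(body))
        if n:
            report[name] = n
    return report

if __name__ == "__main__":
    # Constructed sample content, not real records.
    print(inspect_upload("file-sharing", "Employee SSN: 123-45-6789"))
    print(inspect_upload("crm", "Order 2013-10-0042, ref 000-12-3456"))
    print(scan_stored({"hr.txt": "123-45-6789 and 234 56 7890", "notes.txt": "n/a"}))
```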

5. ENFORCE CLOUD-TO-CLOUD POLICIES


Just as banks use armored transport to securely move assets from one vault to another, companies leverage cloud-to-cloud control to ensure consistent enforcement of security policies across cloud services. Cloud services are increasingly integrating and interacting with one another, and as the old adage says, a chain is only as strong as its weakest link. The same concept can be applied to cloud security. Organizations must ensure that there is consistent enforcement of corporate policies as data moves mobile-to-cloud, on-premise-to-cloud, and even cloud-to-cloud.

Tip: ensure policies are consistently applied as data moves mobile-to-cloud, on-premise-to-cloud, and cloud-to-cloud.

Key elements to consider when ensuring that policies are consistently applied as data moves between cloud services:

a. Understand how data is transferred in and out of a cloud provider via web browser, mobile app, or API. It is common for one or more of these access methods to operate unmanaged by corporate policies.
b. Identify cloud providers who enable flexible approaches to intermediation, enabling the addition of enhanced security via greater visibility and monitoring across cloud providers.
c. Select an architectural approach (cloud, on-premise, hybrid) that sits inline with cloud services to dynamically control content across multiple cloud sharing channels.

CONCLUSION
The adoption of cloud services will continue to grow. IT and security teams have a unique opportunity to drive productivity and business agility by enabling users to embrace cloud services while delivering the security and compliance measures required by the business. As they do so, IT teams must keep three critical considerations in mind. They must think beyond encryption and consider the other critically important requirements to protect their corporate data in the cloud. They must think beyond cloud service provider-specific security frameworks and deploy one consistent security framework that can be applied across all cloud services. And finally, they must do so without requiring any change in user behavior, as friction invites users to circumvent security protocols.

To gain visibility and control over the cloud contact Skyhigh Networks today

1.866.727.8383 Skyhighnetworks.com