
eBook: The Definitive Guide to Cloud Security

Brought to you by
Table of Contents

Chapter 1: Introduction - Cloud Adoption and Risk Today (Page 1)
Chapter 2: Cloud Visibility (Page 4)
Chapter 3: Cloud Compliance (Page 7)
Chapter 4: Cloud Threat Prevention (Page 11)
Chapter 5: Cloud Data Security (Page 16)
Chapter 6: Shadow IT (Page 21)
Chapter 7: CRM (Page 25)
Chapter 8: File-Sharing and Collaboration (Page 28)
Chapter 9: What is a CASB? (Page 33)
Chapter 10: Quantifying the Value of a Cloud Access Security Broker (Page 36)
Chapter 11: Conclusion - Parting Guidance on Evaluating CASB Vendors (Page 39)


CHAPTER 1
Introduction - Cloud Adoption and Risk Today

KEY STAT: 60% OF CIOS ARE MAKING THE CLOUD THEIR #1 PRIORITY THIS YEAR

The cloud (SaaS, PaaS, and IaaS) is transforming business for the better, making
employees more productive and businesses more agile. As the cloud market
matures, analysts and market researchers are discovering hard data supporting
the benefits of the cloud for enterprises. The latest numbers from Vanson Bourne
Research show that the cloud is providing organizations with a 21% reduction in
product time to market, a 17% reduction in IT maintenance costs, a 15% reduction
in IT spend, and an 18% increase in employee productivity.1 With these types of
metrics in hand, it's no surprise that 60% of CIOs state that the cloud is their #1
priority this year.2

However, this enthusiasm for cloud adoption is tempered by security, compliance,
and governance concerns. Analyst firm IDC shows that security and privacy
remain the top inhibitors of cloud adoption.3 Given the seemingly endless supply
of headlines on data breaches, it's understandable, if not expected, that security
of data in the cloud is now a board-level concern for 61% of organizations,
according to a recent study by the Cloud Security Alliance (CSA).

1 http://venturebeat.com/2012/08/07/google-cfo-cloud-study/
2 http://www.businessinsider.com/infographic-its-not-easy-to-be-a-cio-2012-2#!HqX9i
3 http://www.opendatacenteralliance.org/docs/1264.pdf

PAGE 1 | CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY


The phenomenon of employees' self-enabled cloud services (those procured and
managed outside of IT's purview), often referred to as Shadow IT, complicates
the situation for IT and IT Security teams. Even if organizations are taking a
deliberate approach to cloud and adopting cloud services strategically while
implementing the required security, compliance, and governance controls around
them, employees are likely not acting with the same consideration when they sign
up for new cloud services on their own. In fact, with up to 90% of cloud activity
driven by individuals and small teams, the average company now uses 897 cloud
services, up 43% over the last year.4

"60% of CIOs state that the cloud is their #1 priority this year."
Vanson Bourne Research

4 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014.



With cloud adoption at an all-time high and damaging headlines catalyzing
conversations around data security, enterprise IT is looking for ways to partner with
the business to manage the move to the cloud. Increasingly, these enterprises are
turning to analyst and industry thought leaders to help them navigate this new
and evolving security landscape.

Neil MacDonald, Craig Lawson, Peter Firstbrook, and Sid Deshpande of Gartner
have been particularly adept in providing the market with a usable framework
for managing cloud security. Their framework organizes around four pillars of
functionality: Visibility, Compliance, Threat Prevention, and Data Security. In this
eBook, we will dive into the details of each pillar, providing relevant and related
data points for consideration, and describe how forward-leaning IT teams are
managing cloud security using this framework.

"In 2015, roughly 10% of overall IT security enterprise capabilities will be
delivered as a cloud service."
Gartner



CHAPTER 2
Cloud Visibility

KEY STAT: 72% OF COMPANIES DON'T KNOW THE SCOPE OF SHADOW IT AT THEIR
ORGANIZATION BUT WANT TO KNOW

Cloud services are incredibly easy to adopt, with most requiring only an email or a
credit card to sign up. The result is that individual users and business units often
begin using cloud services without any involvement from IT. The benefit is that
users and business units are able to readily and rapidly adopt services that drive
productivity and agility for the business. The downside is that IT often has little to
no visibility into the full scope of IT services employees are using. Without visibility,
it becomes very difficult for IT to manage both cost expenditure and risk in the cloud.

With regards to visibility, Gartner says that enterprises must protect their sensitive
data for various commercial and legal reasons. Regardless of whether the cloud
services in use are shadow IT or sanctioned IT, businesses need visibility into which
services employees are using, what data is stored in them and shared from them,
any anomalies in usage behavior that indicate a compromised account, and who is
using each service and from which devices and geographies.

Enterprises must also ensure that they don't cross a perceived ethical or legal
privacy boundary when monitoring the use of cloud services. For example, the
same methods that can be used to monitor sanctioned cloud services could also
be used to monitor personal Facebook or Instagram accounts. Requirements for
privacy may vary greatly in different verticals and geographies.



Enterprises must also integrate their cloud visibility into existing systems, such
as Security Information and Event Management (SIEM) products for continuous
monitoring and event management.5

The average employee uses 27 different cloud services at work6, including six
collaboration services, four social media services, and three file-sharing services.
Many of the services used in the office are consumer-grade services and
security is not a given, so understanding which services employees are using,
what type of data is uploaded and shared through the services, and what
security capabilities the services have is a must.

"30% of IT Security teams list concerns over compromised accounts and insider
threats as a top challenge holding back cloud projects."
Cloud Security Alliance

5 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
6 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014



KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD VISIBILITY:

1 Which services are employees and business units using overall and in each
  category (e.g. file sharing, social media, collaboration)?
2 Which services are gaining in popularity and should be evaluated for
  enterprise-wide adoption?
3 What is the risk level of each service in use?
4 How effective are my firewalls and proxies at identifying cloud services and
  enforcing acceptable cloud use policies?
5 Which redundant services are employees using, and are they introducing
  additional cost and risk or inhibiting collaboration?
6 How do I quantify the risk from the use of cloud services and compare it to
  peers in my industry?
7 Which services house sensitive or confidential data today?
8 What are the security capabilities of the services storing sensitive data?
9 Which data is available to external collaborators outside of the company?
10 Which partners' cloud services are employees accessing, and what's the risk of
   these partners?
11 Which external collaborators are granted access to our company's services?
12 How do I track and log all user and admin actions for compliance and
   investigations?



CHAPTER 3
Cloud Compliance

KEY STAT: 37% OF EMPLOYEES UPLOADED AT LEAST ONE FILE TO A FILE-SHARING CLOUD
SERVICE THAT CONTAINED SENSITIVE OR CONFIDENTIAL DATA LAST QUARTER

Today's enterprises have deployed cloud services to support CRM, ERP, HR,
Collaboration, and Backup operations. Applications like Salesforce, ServiceNow,
Workday, Box, and Office 365 support mission-critical business functions, and because
of this they often house sensitive or confidential information, such as customer data,
financial data, employee data, IP, or security infrastructure data. Locating this type of
data in the cloud is not a rare event; in fact, it is now commonplace.

For example, 22% of files uploaded to file-sharing services contain sensitive or
confidential data, including: PII (personally identifiable information) such as social
security number, date of birth, or address; payment information, such as credit card
numbers or bank account numbers; and PHI (protected health information) such as
medical record number or health plan beneficiary number.

Furthermore, 37% of employees uploaded at least one file to a file-sharing cloud
service that contained sensitive or confidential data over the course of a business
quarter.7 In order to drive compliance, IT leaders are looking for ways to identify
enterprise-ready cloud services that support various use cases, locate where
sensitive data is housed, audit how sensitive data is handled, and protect sensitive
data from loss. With regards to compliance, Gartner says that compliance will
always be a core security deliverable.

7 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014



They indicate that, with regards to SaaS applications, compliance-supporting
activities should cover:

- Answering the who, what, when, why, and where questions with provable data
  for various compliance regimes.
- Providing assistance with out-of-the-box compliance reporting for major
  compliance standards.
- Auditing user behavior across cloud applications, regardless of the device
  (e.g. PC or mobile) or method of access (e.g. browser or mobile app).
- Enabling integration within the enterprise by supporting log generation that
  can be used with existing SIEMs.
- Guiding the organization to specific cloud services that satisfy both
  functional requirements of the users and the compliance and risk requirements
  of the business. This is especially important given the thousands of options
  available in the cloud today.8

8 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014



As Gartner references, there are over 10,000 cloud applications today, all with
varying degrees of security, compliance, and governance capabilities. Despite this
diversity of offerings, companies across industries must ensure compliance with
PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and other regulations.
In order to do so they must ensure the protection of various types of personal
information, including:

- Name
- Address
- Birthdate
- Telephone or fax number
- Email address
- Social security number
- Medical record number
- Health plan number
- Bank account numbers
- Professional certificate or license number
- License plate number
- URLs or IP address
- Finger and voice prints
- Full face photographs
- Any unique identifying number

"80% of cloud governance committees include IT Security."
Cloud Security Alliance

While the cloud provider is responsible for the security of their product, compliance
is based on a shared responsibility model, whereby the enterprise using the cloud
service must also take measures to maintain the privacy of employee and
customer data. Within the enterprise, users, IT/Security, and Audit/Compliance all
share responsibility for compliance.



KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD COMPLIANCE:

1 Which applications house sensitive data subject to regulatory compliance?
2 What are the security capabilities of the services housing sensitive data?
3 What are the legal terms of the services housing sensitive data?
4 Which employees are accessing sensitive data, and how are they using or
  sharing it?
5 Which employees are uploading sensitive data to high-risk services?
6 Which administrators have behavioral anomalies that indicate excessive
  privilege access?
7 When is sensitive data uploaded to the cloud, and what action should be taken
  (allow, block, quarantine, encrypt)?
8 How do we leverage previous resource investments and extend existing
  on-premise data loss prevention policies to the cloud?
9 How do we implement a closed workflow to review, remediate compliance
  violations, and educate violators?
10 Is sensitive data kept in a specific country or region to comply with
   international data residency requirements?



CHAPTER 4
Cloud Threat Prevention

KEY STAT: 17% OF COMPANIES REPORTED AN INSIDER THREAT LAST YEAR, BUT 85% OF
COMPANIES EXPERIENCED ONE

Cloud services, like on-premise systems, can be the target of attacks aimed at
stealing corporate data or damaging the business. Attacks typically leverage the
cloud in one of two ways: they use cloud services as sources of sensitive data to
steal, or they use cloud services to exfiltrate stolen data.

Some enterprise-ready cloud services have security capabilities that exceed
those of the enterprise data center, but that does not necessarily protect them
from insider threats or compromised identities. In fact, compromised identities
and insider threat are the two main drivers of the first threat vector (cloud
services as the source of data to steal), and they are far more common than
most IT professionals realize.



According to the Cloud Security Alliance, 17% of companies reported an
insider threat last year, but in fact 85% of companies experienced one.9 This
discrepancy exists because so many attacks go under the radar today.
Further, 92% of companies have at least one corporate cloud service login
credential available for sale on the darknet today.10

9 Skyhigh Networks Cloud Adoption and Risk Report: Q3 2014
10 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014



In order to protect against insider threats, organizations can employ machine
learning to identify anomalous behavior that indicates a threat in progress.
Triggers are often large or repeated downloads of sensitive data or excessive
privileged user access. Insider threats could be aimed at stealing enterprise data
from the cloud, such as IP from a file-sharing service or security infrastructure from
an IT management service, but the most common insider threat seems to be the
theft of customer sales data from CRM services, perpetrated by sales reps or sales
operations managers who plan to leave the company. Additionally, malware
attacks are also now targeting cloud services. Last year's much-publicized Dyre
malware would monitor browser activity to steal credentials for cloud services that
housed valuable corporate data.

"31% of companies are not sure if they experienced an insider threat incident
last year."
Cloud Security Alliance

Attackers also increasingly look upon cloud services as a clever way to exfiltrate
data under the radar. With the average company using almost 900 cloud services
today and IT often not having visibility into their usage, attackers know that
unmanaged cloud services can be a fertile territory for malicious behavior and
frequently use popular and seemingly harmless services to execute their operations.

For example, malware employed by a foreign national government recently used
YouTube to exfiltrate stolen intellectual property. The attackers created VAR
segments, inserted the stolen data into mpg4 files, and then uploaded them onto
YouTube. The videos would play within YouTube, but once downloaded the VAR
segments could be unpacked, providing the attackers with the stolen data. In
another startling example, malware leveraged a Twitter account to exfiltrate
stolen data, 140 characters at a time, over a sequence of 86,000 tweets. While
these attacks are almost amusingly clever, they serve as a serious reminder that
threat prevention must be a core focus of any cloud security project.



With regards to threat detection, Gartner says that, in on-premise applications
that were protected by network/host security and access management, Security
could control all application access from authorized users from defined locations
while also inspecting for malicious content, regardless of the network channel or
protocol. However, in today's Internet Age, with billions of users accessing the
Internet via browsers, enterprise cloud applications are now accessible to anyone
with an internet connection. Because of this fundamental change, new controls are
required in order to protect enterprise data. Particularly, new controls are needed
for cloud services to manage events such as:

- Access from known suspicious countries, locations, or devices, or at unusual
  access times or data volumes.
- Access from compromised cloud service accounts.
- Access from canceled accounts or from accounts that have remained idle for
  excessive periods of time.
- Access directly to cloud services that bypasses security controls.
- Access via outdated operating systems or browsers that are no longer supported
  and are thus more vulnerable to attacks.11

11 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
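As an added example (not code from the eBook or from any vendor named in it), the following Python rule engine flags four of the event types in the list above, run over a constructed cloud-service audit log: impossible travel between consecutive logins, a daily download volume above a limit, first activity from a long-idle account, and access from an unsupported browser. The log fields, thresholds, user-agent markers and the "last seen" baseline are all assumptions, and one record reuses the Boston-to-Bangkok login scenario that the CRM chapter mentions.

```python
import math
from datetime import datetime, timedelta

# Thresholds (assumed; tune per environment).
MAX_PLAUSIBLE_SPEED_KMH = 1000.0    # faster than this between two events = impossible travel
DOWNLOAD_LIMIT_BYTES = 100_000_000  # per user per calendar day
IDLE_DAYS = 90                      # an account silent this long is treated as dormant
UNSUPPORTED_AGENTS = ("MSIE 6.0", "MSIE 7.0", "Windows NT 5.1")  # assumed markers

# Constructed sample audit log (not real data). One tuple per event:
# (timestamp, user, action, bytes, city, latitude, longitude, user agent)
SAMPLE_LOG = [
    ("2015-03-02T09:00:00", "alice", "login", 0, "Boston", 42.36, -71.06, "Chrome/40"),
    ("2015-03-02T09:05:00", "alice", "download", 2_000_000, "Boston", 42.36, -71.06, "Chrome/40"),
    ("2015-03-02T09:40:00", "alice", "login", 0, "Bangkok", 13.76, 100.50, "Chrome/40"),
    ("2015-03-02T10:00:00", "bob", "download", 50_000_000, "Boston", 42.36, -71.06, "MSIE 6.0"),
    ("2015-03-02T10:30:00", "bob", "download", 60_000_000, "Boston", 42.36, -71.06, "Chrome/40"),
    ("2015-03-02T11:00:00", "carol", "login", 0, "Boston", 42.36, -71.06, "Chrome/40"),
]

# Constructed baseline: when each account was last seen before this log window.
LAST_SEEN = {
    "alice": datetime(2015, 3, 1),
    "bob": datetime(2015, 3, 1),
    "carol": datetime(2014, 11, 1),  # dormant for roughly four months
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def analyze(events, last_seen):
    """Run the four rules over the events (sorted by timestamp).

    Returns a list of (rule, user, detail) findings."""
    findings = []
    prev_by_user = {}        # user -> (time, city, lat, lon) of their previous event
    bytes_by_user_day = {}   # (user, date) -> bytes downloaded so far that day
    seen_in_log = set()

    for ts, user, action, nbytes, city, lat, lon, agent in sorted(events):
        t = datetime.fromisoformat(ts)

        # Rule 1: first activity from an account that has been idle too long.
        if user not in seen_in_log:
            seen_in_log.add(user)
            idle = t - last_seen.get(user, t)
            if idle > timedelta(days=IDLE_DAYS):
                findings.append(("idle_account", user,
                                 f"first activity after {idle.days} days idle"))

        # Rule 2: impossible travel between consecutive events of the same user.
        prev = prev_by_user.get(user)
        if prev is not None:
            pt, pcity, plat, plon = prev
            hours = (t - pt).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append(("impossible_travel", user,
                                 f"{pcity} -> {city}, {dist:.0f} km in {hours * 60:.0f} min"))
        prev_by_user[user] = (t, city, lat, lon)

        # Rule 3: cumulative download volume for the day crosses the limit (fires once).
        if action == "download":
            key = (user, t.date())
            before = bytes_by_user_day.get(key, 0)
            total = before + nbytes
            bytes_by_user_day[key] = total
            if total > DOWNLOAD_LIMIT_BYTES >= before:
                findings.append(("excessive_download", user,
                                 f"{total / 1e6:.0f} MB downloaded on {key[1]}"))

        # Rule 4: access from a client the vendor no longer supports.
        if any(marker in agent for marker in UNSUPPORTED_AGENTS):
            findings.append(("outdated_client", user, agent))

    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG, LAST_SEEN):
        print(f"{rule:20} {user:8} {detail}")
```

In production the baseline and thresholds would come from the per-user and per-role usage history the chapter's key questions ask for, and findings would be forwarded to the SIEM rather than printed.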



KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD THREAT DETECTION:

1 What does normal behavior for any given service look like?
2 How does a user's role affect their normal cloud service usage patterns?
3 How do I monitor and baseline usage across the enterprise for both local and
  remote employees?
4 Which users are accessing large volumes of sensitive data?
5 Which administrators are accessing large volumes of sensitive data?
6 Which cloud services have behavioral anomalies that indicate insider threat?
7 Which cloud services have behavioral anomalies that indicate malware at work?
8 Which cloud services have behavioral anomalies that indicate an account is
  compromised?
9 Which cloud services in use are rated as high-risk and have an anonymous use
  policy?



CHAPTER 5
Cloud Data Security

KEY STAT: ONLY 17% OF CLOUD SERVICES PROVIDE MULTI-FACTOR AUTHENTICATION, ONLY 5%
ARE ISO 27001 CERTIFIED, AND ONLY 11% ENCRYPT DATA AT REST.

As many a CIO and CISO will tell you, IT Security today is all about protecting
data, not data centers, and this is largely a product of the cloud. When considering
data security, it can be helpful to examine both the security of the service the
data lives in and the security of the devices that have access to the data.

Some cloud services have security capabilities that far exceed most corporate
data centers. However, with over 10,000 cloud services available today, there is a
large variation in the security capabilities offered. The good news is that an
increasing number of cloud services are investing in security, but a larger number
still do not offer even basic security features. Only 17% of cloud services provide
multi-factor authentication, only 5% are ISO 27001 certified and only 11% encrypt
data at rest. For this reason, it is important to look at the risk of services
individually and enable risk-based policies on acceptable usage.12

In services with high levels of built-in security, users and their devices can often
be the weakest link. Users frequently lose devices or leave them in insecure
locations, and are prone to losing passwords as well. 12% of employees have at
least one corporate identity (username and password) for a cloud service that
has been compromised and is for sale on the darknet (online black markets) today.13

12, 13 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014



A study by Joseph Bonneau at the University of Cambridge showed that 31% of
passwords are re-used in multiple places. The implication here is that, for 31% of
compromised identities, an attacker could not only gain access to all the data in
that cloud service, but potentially all the data in the other cloud services in use by
that person as well. Considering that the average person uses three different cloud
file-sharing services, and 37% of users upload sensitive data to cloud file-sharing
services, the impact of one compromised account can be immense.



Enterprises can improve the security of their data by employing access control
policies for cloud services that take into account the context of the user, data,
device, and location. For example, an executive may be able to view and
download important financial data to her laptop when in the office, but may be
restricted to viewing only when on her mobile device in a foreign country.

Additionally, enterprises can take extra steps to ensure the security of their data
by employing encryption and tokenization and controlling their own keys.
Encryption can be tricky, and several considerations must be made when
evaluating encryption options.

First, enterprises must avoid proprietary algorithms in favor of encryption
algorithms that are both peer- and academia-reviewed to ensure that they are up
to modern cryptographic standards.

Second, enterprises must also verify that the algorithms used can support the
required functionality of their application, since there is a trade-off between the
security of an algorithm and the functionality that it can support. To better
understand the specific tradeoffs, read The Cloud Encryption Handbook:
Encryption Schemes and Their Relative Strengths and Weaknesses. Finally, to
maximize data security, enterprises must own their own encryption keys. By taking
ownership of their keys, they prevent a malicious insider at a cloud service or an
inquiring government agency from gaining access to their data.
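The context-aware access policy described above (the executive who may download financial data on her office laptop but only view it on a mobile device abroad), written out as an added Python example that is not from the eBook or any vendor it names. The role entitlement table, the context fields and the ordering of the checks are assumptions; the point is that entitlements come only from the role table and every contextual check can only remove actions, so an unknown role or an unmanaged device ends in a deny.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    """Who is asking, for what, and from where (field names are assumptions)."""
    role: str             # e.g. "executive", "sales"
    classification: str   # "financial" or "public"
    device: str           # "laptop" or "mobile"
    managed: bool         # device is enrolled in corporate device management
    in_office: bool       # request arrives from the corporate network
    country: str          # country of the access location
    home_country: str = "US"


# Constructed entitlement table: which roles may do what with each data class.
ROLE_ENTITLEMENTS = {
    ("executive", "financial"): {"view", "download", "share"},
    ("finance", "financial"): {"view", "download", "share"},
    ("sales", "financial"): {"view"},
}


def decide(ctx: AccessContext):
    """Return (allowed actions, reasons) for one request.

    Deny by default: start from the role's entitlement, then let each
    contextual check only subtract from it; the reasons list is meant for
    the audit trail the compliance chapter asks for."""
    reasons = []
    if ctx.classification == "public":
        return {"view", "download"}, ["public data: no contextual restriction"]

    actions = set(ROLE_ENTITLEMENTS.get((ctx.role, ctx.classification), ()))
    if not actions:
        return set(), [f"role {ctx.role!r} has no entitlement to {ctx.classification} data"]

    if not ctx.managed:
        return set(), ["sensitive data is only served to managed devices"]

    if not ctx.in_office:
        actions.discard("share")
        reasons.append("off-network: external sharing disabled")

    if ctx.device == "mobile":
        actions.discard("share")
        reasons.append("mobile device: sharing disabled")
        if ctx.country != ctx.home_country:
            # The eBook's scenario: view only on a mobile device abroad.
            actions &= {"view"}
            reasons.append("mobile device abroad: view only, no download")

    return actions, reasons or ["no contextual restriction applied"]


if __name__ == "__main__":
    exec_in_office = AccessContext("executive", "financial", "laptop", True, True, "US")
    exec_abroad = AccessContext("executive", "financial", "mobile", True, False, "TH")
    for ctx in (exec_in_office, exec_abroad):
        actions, why = decide(ctx)
        print(sorted(actions), why)
```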



With regards to data security, Gartner says that data is mission-critical to the
enterprise and that securing that data is the primary goal of any IT Security
organization. Therefore, if the enterprise is moving its data into cloud services,
IT Security must:

- Ensure that sensitive data is encrypted using known good algorithms or
  tokenized before entering the cloud service via a configurable data security
  policy.
- Ensure that robust authentication procedures are defined and enforced,
  including central credential store usage, certificates, and multi-factor
  authentication.
- Support encryption key management via a hardware security module (HSM).
- Ensure that only the authorized users and groups have access to enterprise
  data.
- Prevent data from being lost within cloud services when the owner is
  de-provisioned.
- Ensure functionality within cloud services is maintained when data within
  those services is encrypted or tokenized so that the value of the services can
  be fully realized.
- Ensure that data loss prevention and e-discovery are available for cloud
  services, just as they are for on-premise systems today.14

"73% of IT Security teams list security of their data in the cloud as a top
challenge holding back cloud projects."
Cloud Security Alliance

14 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014



KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD DATA SECURITY:

1 Which cloud services encrypt data at rest and provide multi-factor
  authentication?
2 What are the compliance certifications of the services employees are using?
3 Which of our cloud services undergo regular penetration testing?
4 Which of our cloud services has been compromised in the last week, month, year?
5 Which data should be encrypted in which cloud services?
6 How do we encrypt data while maintaining required functionality within cloud
  services?
7 How do we encrypt data while controlling our own encryption keys?
8 How do we employ tokenization to ensure data privacy in addition to security?
9 How do we enforce access policies based on user, device, and location?



CHAPTER 6
Shadow IT

KEY STAT: THE AVERAGE EMPLOYEE USES 27 DIFFERENT CLOUD SERVICES. ON AVERAGE, IT IS
AWARE OF 3 OF THEM.

Shadow IT refers to information technology that is managed outside of, and
without the knowledge of, the IT department. At one time Shadow IT was limited
to unapproved Excel macros and boxes of software employees purchased at office
supply stores. It has grown exponentially in recent years, with advisory firm CEB
estimating that 40% of all IT spending at a company occurs outside the IT department.15

This rapid growth is partly driven by the quality of consumer applications in
the cloud such as file-sharing apps, social media platforms, and collaboration
tools, but it's also increasingly driven by lines of business deploying
enterprise-class SaaS applications. In many ways Shadow IT is helping to make
businesses more competitive and employees more productive.

When employees and departments deploy SaaS applications, it can also reduce
the burden on IT help desks to take calls. However, while IT is no longer
responsible for the physical infrastructure or even managing the application, it's still
responsible for ensuring security and compliance for the corporate data employees
upload to cloud services. Instead of seeing Shadow IT as a threat, Ralph Loura,
CIO of HP Enterprise, sees it as an opportunity to leverage employees to identify
the applications they want to use so IT can enable the ones that have gained
traction and are enterprise-ready.

15 http://www.forbes.com/sites/tomgroenfeldt/2013/12/02/40-percent-of-it-spending-is-outside-cio-control/



According to Loura, "We embrace the idea of this shallow exploration of new
technologies, new tools, and new processes by our users. To the degree that they
discover these applications or services that make their jobs easier, make them
more efficient at selling or better at running a supply chain or better at sourcing
talent, then everybody wins." Promoting low-risk services that have reached a
tipping point starts with understanding what cloud services employees use, how
they use them, and their associated risk.

"We embrace the idea of this shallow exploration of new technologies, new tools,
and new processes by our users."
Ralph Loura, CIO, Enterprise Group, HP



When IT examines the use of cloud services across the organization, they
generally find Shadow IT is 10 times more prevalent than they initially assumed,
with the average organization today using 897 different cloud services.16 Often IT
departments discover many services in use that they have never heard of before.
After auditing the risk of each service and its security controls, IT teams can make
informed choices about what services to promote or enable. This is more than
just an exercise in risk management. The average company uses nearly 30
different file-sharing services, and using this many different services can impede
collaboration between employees. Standardizing on enterprise licenses for 2-3
services not only improves collaboration, but also reduces cost. Below are key
questions related to shadow IT that IT Security should be able to answer:

VISIBILITY
- Which users and business units are using which cloud services, and what is the
  risk of each of the services in use?
- How effective are my firewalls and proxies at enforcing my cloud security
  policies?

THREAT DETECTION
- Are there behavioral anomalies that indicate an insider threat?
- Are there behavioral anomalies that indicate a security breach from malware or
  a compromised identity?

COMPLIANCE
- Where is sensitive data being stored today, and what certifications do services
  storing sensitive data have?
- Which data loss prevention policies for which services do I need to implement
  to ensure compliance with industry regulations moving forward?

DATA SECURITY
- Which data in which services can users access from various devices?
- Do I need to encrypt or tokenize data to protect confidential or sensitive
  information?

"Last quarter, the average company uploaded 86.5 GB to high-risk cloud
services."
Q2 Cloud Adoption and Risk Report

16 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014



19 KEY REQUIREMENTS FOR ENABLING SECURE SHADOW IT USAGE:

1 Log-based visibility into all users, services (SaaS, PaaS, IaaS), and data
  transfers
2 On-premise tokenization of log data for security and privacy
3 Comprehensive cloud registry covering a minimum of 10,000 cloud services
4 Detailed risk assessments provided for all cloud services
5 Usage analytics to identify redundant services and popular and growing services
  primed for enterprise adoption
6 Ability to audit the effectiveness of firewalls and proxies at enforcing
  policies
7 Closed-loop remediation with firewalls and proxies
8 Ability to coach employees using integration with firewalls and proxies
9 Customizable reporting with automatic periodic reporting capabilities
10 Vertical-specific, pre-built DLP policy templates
11 Ability to leverage policies from on-premise DLP systems and extend them to
   cloud services
12 Ability to quantify cloud risk, compare it to benchmarks from peers in the
   industry, and track it over time
13 Anomaly detection across all services to identify insider threats or security
   breaches
14 Ability to identify unmatched uploads for further investigations
15 Integration with SIEMs for incident response remediation
16 Darknet intelligence to identify stolen credentials of employees
17 User reputation analysis based on correlated activities across cloud services
18 Function-preserving encryption for data security
19 Frictionless deployment that doesn't impact end users



CHAPTER 7
CRM

KEY STAT: 4% OF FIELDS IN CRM APPLICATIONS CONTAIN SENSITIVE OR CONFIDENTIAL
FINANCIAL DATA, PII, OR PHI

Customer Relationship Management (CRM) platforms, such as Salesforce, provide
business-critical functionality for Sales, Sales Operations, Customer Service, and
Marketing. In order to support these business units, CRM services frequently contain
sensitive or confidential customer information including PII, financial data, or PHI.

While popular CRM platforms such as Salesforce have industry-leading security
capabilities, organizations must ensure that their valuable data is protected and
that the use of their CRM service is in compliance with industry regulations such as
PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.



Enterprises must not rely solely on the security capabilities of the CRM service
itself, as users may not always be using cloud products in ways that meet your
security, compliance, and governance requirements. For example, users may
be storing sensitive data such as payment card data and protected health
data in Salesforce as part of their normal workflow outside of policy, putting
the organization at risk of compliance violations. Or, consider the example of a
salesperson that downloads all the company's opportunities before leaving to join
a competitor. Below are key questions related to CRM services that IT Security
should be able to answer:

VISIBILITY
- How many instances of Salesforce, or other CRM applications, are we running?
- Which users and groups are using which products, and where is sensitive data
  stored?

THREAT DETECTION
- Are there behavior anomalies, such as a salesperson downloading more data than
  usual, that indicate an insider threat?
- Are there behavioral anomalies, such as a salesperson logging in from Boston
  and Bangkok within the same hour, that indicate a compromised identity?

COMPLIANCE
- Which types of sensitive data are uploaded into our CRM service in customer
  fields or comments sections, and where is it being stored?
- Are we in compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA,
  FERPA, and international data residency requirements?

DATA SECURITY
- Which devices and geographies are employees accessing CRM services from?
- How can I encrypt or tokenize data while maintaining important functionalities
  like search, sort and order?

"CRM is expected to grow to a $36.5 billion market worldwide within the next
three years."
Gartner



17 KEY REQUIREMENTS FOR ENABLING SECURE AND COMPLIANT CRM USAGE:

1. Usage analytics across all CRM services for both individuals and business units
2. Ability to identify redundant CRM services and coach users over to standardized services
3. Ability to identify all third-party applications accessing CRM services and their data
4. Detailed activity monitoring of all user, admin, and third-party application activities including uploads, downloads, views, edits, and deletes
5. Ability to identify sensitive data subject to compliance requirements or security policies
6. Ability to enforce DLP policies and support several actions, including alerting and blocking
7. Ability to extend existing DLP policies from on-premise systems and provide integration and closed-loop remediation
8. Ability to encrypt structured and unstructured data with standards-based AES or function-preserving encryption using enterprise-owned encryption keys
9. Ability to apply encryption while preserving end-user functions such as search, sort, and format
10. Academia- and peer-reviewed encryption schemes
11. Ability to substitute sensitive data with randomly generated tokens (tokenization) to keep data on-premise and satisfy data residency requirements
12. Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol
13. Behavioral modeling of normal user and admin activity within the CRM services
14. Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat
15. Integration with SIEMs for incident response remediation
16. Integration with SAML v2 compatible single sign-on services
17. Ability to deploy in the cloud, on-premise as a virtual appliance, or in a hybrid architecture

A note on items 8 to 10: function-preserving encryption (searchable or order-preserving schemes) by construction reveals the property it preserves, equality or ordering, to anyone who can read the ciphertexts, so it is weaker than standard AES. Item 10 is the check that a vendor's scheme has had that leakage analysed in public rather than merely asserted.
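Item 11 (tokenization) is the one requirement on this list that is simple enough to show end to end. The following is an added example written for this page, not Skyhigh's or Salesforce's code: a minimal on-premise token vault that issues random tokens for sensitive CRM fields, a protect/restore step that would sit in the proxy path, and an exact-match search run against the cloud copy using tokens only. The record layout, the field names and the sample records are constructed for the example.

```python
import secrets
import string

# Added example, not Skyhigh or Salesforce code. Only the vault (kept in the
# enterprise data centre) can map a token back to the real value; the cloud
# CRM stores and searches tokens. Field names and records are constructed.


class TokenVault:
    """Deterministic tokenization: one random token per distinct value.

    Handing out the same token every time the same value is seen is what
    keeps exact-match search, grouping and joins working in the cloud
    application. The price is that equal plaintexts produce equal tokens,
    so the provider can see how often a value repeats; issue a fresh token
    per occurrence where that frequency leakage matters more than search.
    """

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value, format_preserving=False):
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = self._new_token(value, format_preserving)
        while token in self._token_to_value:          # collision: draw again
            token = self._new_token(value, format_preserving)
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def token_for(self, value):
        """Existing token for a value, or None; never mints a new one."""
        return self._value_to_token.get(value)

    def detokenize(self, token):
        return self._token_to_value[token]            # KeyError if unknown

    @staticmethod
    def _new_token(value, format_preserving):
        if not format_preserving:
            return secrets.token_hex(16)              # 32 hex chars, 128 bits
        # Keep length and character class per position so the CRM's own
        # field validation (numeric card field, alphabetic name) still
        # accepts the token. Deliberately no Luhn-valid output: a token that
        # passes as a real card number only confuses downstream DLP.
        return "".join(
            secrets.choice(string.digits) if ch.isdigit()
            else secrets.choice(string.ascii_uppercase) if ch.isalpha()
            else ch
            for ch in value)


# field -> whether the token must keep the field's format (assumed policy)
SENSITIVE_FIELDS = {"card_number": True, "ssn": True, "email": False}

RECORDS = [  # constructed sample CRM records
    {"account": "Acme", "card_number": "4111111111111111",
     "ssn": "123-45-6789", "email": "jane@acme.example"},
    {"account": "Globex", "card_number": "5500000000000004",
     "ssn": "987-65-4321", "email": "bob@globex.example"},
    {"account": "Acme-EU", "card_number": "4111111111111111",
     "ssn": "111-22-3333", "email": "eu@acme.example"},
]


def protect(vault, record):
    """Replace the sensitive fields of one record with tokens before the
    record leaves for the cloud; every other field passes through."""
    out = dict(record)
    for field, keep_format in SENSITIVE_FIELDS.items():
        if field in out:
            out[field] = vault.tokenize(out[field], keep_format)
    return out


def restore(vault, record):
    """Reverse of protect(), run on the enterprise side of the proxy."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def find_by_card(vault, cloud_records, card_number):
    """Exact-match search against the cloud copy: compare tokens, never
    plaintext. An unknown value has no token and therefore no matches."""
    token = vault.token_for(card_number)
    if token is None:
        return []
    return [r for r in cloud_records if r.get("card_number") == token]


def demo():
    vault = TokenVault()
    cloud_copy = [protect(vault, r) for r in RECORDS]
    hits = find_by_card(vault, cloud_copy, "4111111111111111")
    return vault, cloud_copy, hits
```

Because the two Acme records share a card number they share a token, so the search finds both without the provider ever holding the number; a sort on the tokenized column, by contrast, orders by token and not by the underlying value, which is exactly the functionality the order-preserving schemes in items 8 and 9 buy back at the cost of leaking order.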



CHAPTER 8
File-Sharing and Collaboration

KEY STAT: 22% OF FILES UPLOADED TO FILE-SHARING CLOUD SERVICES CONTAIN SENSITIVE OR CONFIDENTIAL DATA, INCLUDING PII, PAYMENT INFORMATION, OR PHI

File-sharing and collaboration services like Office 365, Box, Dropbox, Google Drive, and Jive are incredibly popular. The average company uses 27 file-sharing services and 45 collaboration services today, which may actually impede collaboration.17 The security controls of file-sharing and collaboration services vary widely, so organizations must also evaluate the services to understand the risk they present to the organization. Some services claim ownership of your data, don't encrypt data at rest, or permit anonymous use, making them unsuited for enterprise use.

17 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014



"The average company uses 27 different file-sharing services, inhibiting collaboration and creating risk." (Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014)

In addition to the security risk, companies must evaluate the compliance risk as well. 22% of files uploaded to file-sharing cloud services contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; or PHI (protected health information) such as medical record number or health plan beneficiary number. Organizations must ensure that their valuable data is protected and that the use of file-sharing and collaboration services is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.



Additionally, many cloud services offer more than just file syncing across devices; they're platforms for collaborating with other people. No matter how secure a cloud provider is, end users can always use their service in risky ways. Naturally, users share files with other people at their companies, but files are also frequently shared via public links, which can be accessed by anyone without restriction.



In fact, 11% of all documents shared via file-sharing services were shared outside the company. The majority of these external collaborators turned out to be business partners, but 18% of external collaboration requests went to third-party email addresses such as Gmail, Hotmail, and Yahoo! Mail.18 Organizations must ensure that their governance policies, dictating who has access to services and their data, are enforced. Below are key questions related to file-sharing and collaboration that IT Security should be able to answer:

VISIBILITY
How many file-sharing and collaboration services are we using, and what is the risk of each?
Which types of sensitive data are uploaded into our file-sharing and collaboration services, and where is it being stored?

THREAT DETECTION
Are there behavioral anomalies, such as excessive downloads of confidential information, that indicate an insider threat?
Are there behavioral anomalies, such as repeated logins from an unusual geography, that indicate a compromised identity?

COMPLIANCE
Are we in compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and international data residency requirements?
Which data loss prevention policies for which services do I need to implement to ensure compliance with industry regulations moving forward?
Are our cloud DLP policies aligned with the DLP policies we enforce on-premise?

DATA SECURITY
Which devices and geographies are employees accessing file-sharing and collaboration services from?
How do we see what data is shared publicly now, and how do we restrict collaboration to verified business email accounts?

18 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
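The two threat-detection questions above (excessive downloads, logins from an unusual geography) and the Boston-and-Bangkok login in the CRM chapter are the same two checks: impossible travel between consecutive logins, and a download volume far above the user's own baseline. Here is an added example of both, written for this page and not taken from Skyhigh or any vendor. The activity log is constructed, and the example assumes the source IP of each event has already been geolocated to a latitude and longitude, which a real deployment would do with a GeoIP database before this step.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample activity log (not real data). Geolocation of the
# source IP is assumed to have happened already, so each event carries a
# (lat, lon). Fields: user, UTC timestamp, action, location, bytes moved.
EVENTS = [
    ("alice", "2014-11-03T09:02:00", "login",    (42.36,  -71.06), 0),  # Boston
    ("alice", "2014-11-03T09:40:00", "login",    (13.76,  100.50), 0),  # Bangkok, 38 min later
    ("alice", "2014-11-04T09:00:00", "login",    (42.36,  -71.06), 0),  # Boston
    ("alice", "2014-11-04T14:00:00", "login",    (40.71,  -74.01), 0),  # New York, 5 h later
    ("bob",   "2014-11-03T10:00:00", "download", (37.77, -122.42), 5_000_000),
    ("bob",   "2014-11-04T10:00:00", "download", (37.77, -122.42), 6_000_000),
    ("bob",   "2014-11-05T10:00:00", "download", (37.77, -122.42), 4_500_000),
    ("bob",   "2014-11-06T10:00:00", "download", (37.77, -122.42), 5_500_000),
    ("bob",   "2014-11-07T10:00:00", "download", (37.77, -122.42), 5_000_000),
    ("bob",   "2014-11-08T10:00:00", "download", (37.77, -122.42), 500_000_000),  # 100x normal
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def impossible_travel(events, max_speed_kmh=900.0, min_km=50.0):
    """Flag consecutive logins by one user that would need travel faster
    than max_speed_kmh (an assumed airliner-speed threshold): the usual
    signature of a credential in use from a second location."""
    by_user = defaultdict(list)
    for user, ts, action, loc, _ in events:
        if action == "login":
            by_user[user].append((datetime.fromisoformat(ts), loc))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, l1), (t2, l2) in zip(logins, logins[1:]):
            km = haversine_km(l1, l2)
            hours = (t2 - t1).total_seconds() / 3600
            # Nearby logins (office and home) are ignored whatever the gap;
            # a zero gap across a real distance is flagged outright.
            if km > min_km and (hours < 1e-9 or km / hours > max_speed_kmh):
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(km)))
    return alerts


def download_anomalies(events, z=3.0, min_baseline_days=3):
    """Flag a day's download volume more than z standard deviations above
    that user's own earlier daily volumes. The baseline is per user, not
    global, so a heavy-but-normal user is not flagged; the first few days
    are skipped because there is nothing yet to compare against."""
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, action, _, nbytes in events:
        if action == "download":
            daily[user][ts[:10]] += nbytes
    alerts = []
    for user, days in daily.items():
        history = []
        for day in sorted(days):
            if len(history) >= min_baseline_days:
                threshold = mean(history) + z * pstdev(history)
                if days[day] > threshold:
                    alerts.append((user, day, days[day]))
            history.append(days[day])
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print("impossible travel:", a)
    for a in download_anomalies(EVENTS):
        print("download spike:", a)
```

The thresholds are assumptions to tune per environment. The known false-positive sources for the travel check are VPN or cloud proxy egress points and mobile carriers whose GeoIP records sit far from the user, so feed these alerts into the SIEM integration the requirement lists call for rather than blocking on them directly; the volume check is deliberately relative to the user's own history, which is what "more data than usual" in the CRM chapter means.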



18 KEY REQUIREMENTS FOR ENABLING SECURE AND COMPLIANT FILE-SHARING AND COLLABORATION USAGE:

1. Usage analytics across all file-sharing and collaboration services for both individuals and business units
2. Ability to identify redundant file-sharing and collaboration services and coach users over to standardized low-risk services
3. Ability to identify all third-party applications accessing file-sharing and collaboration services and their data
4. Detailed activity monitoring of all user, admin, and third-party application activities including uploads, downloads, views, edits, and deletes
5. Ability to identify sensitive data subject to compliance requirements or security policies
6. Ability to enforce DLP policies and support several actions, including alerting, blocking, tombstoning, and quarantining
7. Out-of-the-box DLP templates for all major verticals and regulations to help identify sensitive content
8. Ability to extend existing DLP policies from on-premise systems and provide integration and closed-loop remediation
9. Behavioral modeling of normal user and admin activity within the file-sharing and collaboration services
10. Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat
11. Integration with SIEMs for incident response remediation
12. Ability to identify all externally shared data and view sharing permission details
13. Ability to enforce external sharing policies based on domain whitelist/blacklist and content
14. Ability to coach users on acceptable use when in violation of security, compliance, and governance policies
15. Integration with SAML v2 compatible single sign-on services
16. Ability to encrypt data with peer- and academia-reviewed encryption schemes
17. Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol
18. Ability to deploy in the cloud, on-premise as a virtual appliance, or in a hybrid architecture
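Items 6, 13 and 14 together describe one decision: given a sharing event and the file's content, pick an action. The following is an added example of that decision, written for this page rather than taken from Skyhigh or any file-sharing provider. The corporate domain, the partner allowlist, the consumer-webmail blocklist (the three providers the report names), the event layout and the sample events are all constructed; a real CASB would obtain the share permissions and file content through the provider's audit and content APIs rather than from inline strings. Content classification is a minimal PAN (Luhn-checked) and SSN detector standing in for the vertical DLP templates of item 7.

```python
import re

# Added example, not Skyhigh code. Policy lists, event layout and sample
# events are constructed; content would come from the provider's API.
CORPORATE_DOMAIN = "example.com"
PARTNER_DOMAINS = {"partner.example.net"}                     # verified business partners
CONSUMER_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}  # providers named in the report

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Actions ordered by severity; a share gets the worst action any rule gives it.
RANK = {"allow": 0, "coach": 1, "quarantine": 2, "block": 3}

EVENTS = [  # constructed sharing events from a hypothetical audit log
    {"file": "q3-forecast.xlsx", "content": "pipeline by region",
     "shared_with": ["bob@example.com"], "public_link": False},
    {"file": "customers.csv", "content": "Jane Doe, card 4111 1111 1111 1111, exp 11/16",
     "shared_with": ["jdoe@gmail.com"], "public_link": False},
    {"file": "roadmap.pptx", "content": "FY15 product roadmap",
     "shared_with": [], "public_link": True},
    {"file": "claims.txt", "content": "member 123-45-6789, plan 778A",
     "shared_with": [], "public_link": True},
    {"file": "sow.docx", "content": "statement of work",
     "shared_with": ["pm@partner.example.net"], "public_link": False},
    {"file": "export.csv", "content": "4111111111111111,1234567890123456",
     "shared_with": ["x@newvendor.example"], "public_link": False},
]


def luhn_ok(digits):
    """Luhn checksum: screens out most digit runs that merely look like a
    payment card number (the second sixteen digits in export.csv fail it)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Minimal DLP classifier: the set of sensitive-data labels in text."""
    labels = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PAN")
    if SSN_RE.search(text):
        labels.add("SSN")
    return labels


def worse(a, b):
    """Keep whichever of two (action, reason) pairs is more severe."""
    return b if RANK[b[0]] > RANK[a[0]] else a


def evaluate_share(event):
    """Return (action, reason) for one sharing event."""
    labels = classify(event["content"])
    what = ",".join(sorted(labels)) or "no regulated data"
    decision = ("allow", "internal recipients only")
    if event["public_link"]:
        # Anyone with the link can read it: never acceptable for regulated
        # data, and worth a coaching message even when the file is harmless.
        decision = worse(decision, ("block", f"public link exposes {what}") if labels
                         else ("coach", "public link on non-sensitive file"))
    for recipient in event["shared_with"]:
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain == CORPORATE_DOMAIN:
            continue
        if domain in CONSUMER_WEBMAIL:
            decision = worse(decision, ("block", f"consumer webmail recipient {recipient}"))
        elif domain in PARTNER_DOMAINS:
            decision = worse(decision, ("allow", f"allowlisted partner {domain}"))
        elif labels:
            # Unknown external domain holding regulated content: hold for review.
            decision = worse(decision, ("quarantine", f"{what} shared with unverified {domain}"))
        else:
            decision = worse(decision, ("coach", f"unverified external domain {domain}"))
    return decision


def run_policy(events):
    """Map each file name to the action the policy chose for it."""
    return {e["file"]: evaluate_share(e)[0] for e in events}
```

Two points to check when adapting this. First, the order of the rules does not matter because every rule only escalates, so a partner recipient listed after a Gmail recipient cannot downgrade a block. Second, a detector this simple is for illustration; real PAN detection also needs issuer prefix ranges and context words to keep false positives down, which is what the vendor DLP templates in item 7 are supposed to deliver.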



CHAPTER 9
What is a CASB?

KEY STAT: NINETY PERCENT OF SAAS ADOPTERS EXPECT SAAS TO CONSTITUTE MORE
THAN 50% OF THEIR SPENDING ON ENTERPRISE APPLICATIONS BY 2018, CREATING
SIGNIFICANT NEED FOR CASB PROVIDERS. (GARTNER)

With cloud adoption accelerating every year, enterprise IT is looking for ways to
partner with the business to enable secure utilization of the cloud. Increasingly,
these enterprises are turning to a new breed of technology, referred to by Gartner
as Cloud Access Security Brokers (CASB), in order to do this.

Gartner analysts Neil MacDonald and Peter Firstbrook first defined the Cloud Access Security Broker category in May 2012 in their report "The Growing Importance of Cloud Security Brokers." Other firms, such as Forrester, Securosis, and 451 Research, have defined similar categories, alternatively referring to the technology as Cloud Security Gateways and Cloud Access Controllers. Since then, Gartner has elevated the importance of CASB and now lists it as #1 in its top ten technologies for information security.19

19 http://www.information-age.com/technology/security/123458169/gartners-top-10-security-technologies-2014



Cloud Access Security Brokers are on-premise or cloud-hosted software that acts as a control point to secure cloud services. They generally offer a range of capabilities including visibility, encryption, auditing, data loss prevention (DLP), access control, and anomaly detection. While cloud providers individually offer some of these capabilities, many organizations are looking for consistent policy enforcement across cloud providers. Since few teams have spare resources to operationalize a new security process, these capabilities should ideally be delivered as part of a single solution, offering one control point.

In determining whether your organization needs a CASB, Gartner provides several questions, shared below. If the answer to one or more of the questions is no, Gartner recommends that your organization consider investing in a CASB.

"Cloud access security brokers (CASBs) are on-premise or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on." (Gartner)



10 KEY QUESTIONS FROM GARTNER TO DETERMINE IF YOUR ORGANIZATION NEEDS A CASB, FROM "MIND THE SAAS SECURITY GAPS":

1. Can I identify all of the cloud services employees are using and assess the risk of each service?
2. Can I identify which cloud services are housing sensitive corporate data, and how much data is in each service?
3. Can I identify which users are sharing data, what data they are sharing, and with whom?
4. Does the data being shared contain sensitive information such as PII, PHI, or financial data?
5. Can I enforce encryption, tokenization, or redaction to protect sensitive data?
6. Which devices and locations are users accessing cloud services from?
7. Can I enforce contextual access policies to prevent specific devices, geographies, or IP addresses from accessing enterprise cloud services?
8. Can I proactively recommend enterprise-ready cloud services to employees or business units in need of specific capabilities or categories of cloud services?
9. Can I detect compromised cloud service accounts and prevent malicious behavior?
10. Can I offer specific security capabilities such as encryption or data loss prevention for cloud services that don't have those capabilities built in?20

A common element of all Cloud Access Security Brokers is they interject security controls by brokering access to a cloud
service. This enables IT to securely enable the use of cloud services within their organizations without compromising
compliance or security. By bundling security functions with a single enforcement point, CASBs also reduce the complexity
of securing data in the cloud.

20 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014



CHAPTER 10
Quantifying the Value of a
Cloud Access Security Broker

KEY STAT: ORGANIZATIONS USING SKYHIGH TO MANAGE BOTH SHADOW IT AND SANCTIONED IT SAVED AN AVERAGE OF $1.5M PER YEAR IN IT COSTS AND REDUCED THE VOLUME OF DATA SENT TO HIGH-RISK SERVICES BY 97%

A Cloud Access Security Broker can provide value across two axes: cost savings and risk reduction. Within cost savings there are six primary areas of cost reduction:

1. Reduction in manual efforts required to analyze log data for cloud visibility
2. Streamlined security assessments for cloud services
3. Elimination of unapproved IaaS usage
4. Subscription consolidation
5. Elimination of orphaned subscriptions
6. Accelerated response to breaches and vulnerabilities



Below is a chart depicting the average hard-dollar cost savings across these six categories. Summing the savings, we see that
the average organization saved $1,514,251 annually by managing their shadow IT and sanctioned IT usage with Skyhigh, a
leading cloud access security broker.21

[Chart: Average Reported Savings in Each Savings Category. Average expected cost savings across ten customers, broken down by savings category (source: Quantifying the Value of a Cloud Access Security Broker). The six values shown are $530,001, $266,000, $36,800, $186,250, $276,000 and $219,200, summing to $1,514,251; the extracted chart does not preserve which value belongs to which of the six categories.]

21 Quantifying the Value of a Cloud Access Security Broker. Skyhigh Networks. 2014



In addition to cost savings, cloud access security brokers can also mitigate risk in the enterprise. Risk mitigation from the use of a CASB typically comprises the following four factors:

1. Reduction in data lost due to the use of high-risk services
2. Reduction in data lost due to security breaches
3. Reduction in data lost due to insider threats
4. Reduction in risk of a compliance violation

Below is a table quantifying some of the risk reduction metrics achieved by companies that implemented Skyhigh to manage their cloud adoption and risk. Summarizing the key findings, we see that organizations increased their use of low-risk cloud services by 83%, decreased their use of high-risk services by 50%, and decreased the volume of data sent to high-risk file-sharing services by 97%. In total, organizations that managed their Shadow IT and Sanctioned IT with Skyhigh's CASB reduced their overall cloud risk score from 6.4 to 3.8, which the report states as a 59% reduction.22 Check that figure before quoting it: 3.8 is 59% of 6.4, so the decrease itself is about 41%. Every other row of the table expresses the change as a percentage of the Before value, and this row should be read the same way.

Attribute                                             Before   After    Improvement
High-Risk Service %                                   16%      8%       50%
Monthly Data Sent to High-Risk Services               31 GB    6.7 GB   79%
High-Risk File-Sharing Services                       6        1.3      78%
Monthly Data Sent to High-Risk File-Sharing Services  16 GB    0.5 GB   97%
Active Tracking Services                              32       4        87.5%
Low-Risk Service %                                    12%      22%      83% (increase)
Enterprise Cloud Risk Score                           6.4      3.8      59% as reported (41% by the values shown)

Source: How 200 Organizations Flipped Shadow IT from Concern to Opportunity

22 How 200 Enterprises Flipped Shadow IT from Concern to Opportunity. Jim Reavis, Brandon Cook. 2014



CHAPTER 11
Conclusion - Parting Guidance
on Evaluating CASB Vendors

When evaluating different CASB vendors, there are several factors IT leaders must consider. In addition to understanding whether the capabilities offered match the business requirements, IT leaders must determine whether the deployment model fits with their organization. For example, organizations should consider whether they want their CASB to be cloud-based or whether they prefer to manage all of the infrastructure and maintenance of an on-premise solution themselves.

Additionally, organizations should consider whether they are looking for a frictionless approach requiring no agents, or whether they would prefer a solution that installs agents or PAC files on users' work and personal devices. Finally, organizations should consider whether the CASB vendor has supported other companies in similar verticals and of similar size.

Many CASB vendors are emerging and have not yet deployed their solution at scale. This may be acceptable to a smaller organization, but it is likely to be an area of concern for a larger enterprise. To get started, Gartner offers a framework for evaluating CASB vendors organized around the types of cloud services the enterprise is aiming to enable. This framework is provided below for your reference:



SHADOW IT:
- Ask CASB vendors to generate a cloud visibility report with your data during the proof-of-value process.
- Analyze the categories and individual cloud services in use, and identify the risk associated with the service and its usage.
- Create a corporate policy about which cloud services to block or allow, and then determine the depth of security controls and API integrations the CASB vendor can enforce for your permitted cloud services.
- Select only those CASB vendors whose solution fits with your company vision on cloud and mobility.

"61% of enterprises say that cloud security is now a board level concern." (Cloud Security Alliance)

EXISTING SANCTIONED IT SERVICES:
- Analyze the redirection methods offered by various CASB vendors, and determine if they align with your enterprise's mobile device policy (i.e. managed devices vs. bring your own device [BYOD]).
- Evaluate only the CASB vendors that are the least disruptive to your current environment.
- Evaluate CASB vendors that can extend common security capabilities to multiple cloud services from a single management console.



NEW SANCTIONED IT SERVICES:
- Include CASB and identity management products when budgeting for new cloud services, and account for them in enterprise architecture discussions.
- Evaluate your current infrastructure architecture program to identify spending that could be re-directed to CASB for use with cloud services that are planned or in use already. This is an architecture change that will be necessary if you plan to move to cloud services in the future.23

23 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

If you would like to get a FREE personalized assessment of all cloud services in use by your employees, including:

- All IaaS, PaaS, and SaaS cloud services in use
- An objective rating of enterprise readiness for each service
- Potential data leaks, security breaches, and non-compliance
- Consolidation opportunities for unused licenses

please email freeassessment@skyhighnetworks.com

