
PREVENTIA. Skyhigh Best Practices and Use cases. Table of Contents


Academic year: 2021


Forward Thinking Security Solutions

PREVENTIA

Skyhigh Best Practices and Use cases.

Table of Contents

Discover Your Cloud

1. Identify all cloud services in use & evaluate risk
2. Encourage use of low-risk services:
3. Consolidate subscriptions and reduce costs:
4. Ensure global and regional enforcement of cloud service policies:
5. Reduce misuse of cloud access exceptions:
6. Prevent tracking services that enable “watering hole” attacks:
7. Evaluate the ROI of private cloud investments:
8. Track progress regularly

Analyze Your Cloud

9. Identify anomalous behaviors indicative of malicious activity:
10. Prevent the loss of IP through code sharing:
11. Locate compromised users:
12. Eliminate source-code backdoors:
13. Enable ongoing monitoring of cloud services:

Secure Your Cloud

14. Encrypt data going to key services
15. Enable regulatory compliant use of cloud services:

Discover Your Cloud

1. Identify all cloud services in use & evaluate risk

Flying blind is never a good idea, so before you begin taking steps to reduce risk, you need to understand what risk you are currently exposed to. This is a two-step process. The first step in the process is to identify every cloud service in use at your organization. Relying on a proxy or firewall alone will make this an arduous (manual) and incomplete task as they classify the most popular services but overlook thousands of other services. Instead, reference your log traffic against a cloud registry that has a minimum of 3,000 services in order to gain a complete view of your enterprise’s cloud usage.

Note that most CIOs expect 25-40 services in their environment, but find an average of 300-400 services, most existing in the “Shadow IT” bucket. Also note that this discovery of cloud exposure must be a continuous activity because the velocity of new cloud service introduction and use is only increasing; a one-time snapshot will rapidly get stale.

The second step in the process is to understand the risk of the various cloud services in use. Not all cloud services are risky, so it’s important to get an objective understanding of the risk level for every service. Given the sheer volume of services, evaluating each one is an impossible task, so leverage a cloud registry that classifies services based on a thorough set of criteria. Since every business has a different risk profile, make sure the registry’s risk ratings are easily customizable. The risk assessment of services should also be a continuous activity; for example, a password breach at a cloud service should increase the risk of that service until the breach is addressed.

Real-World Use Case: The CIO at a Fortune 500 technology company had approved 90 different cloud services to be used by their employees. They deployed Skyhigh’s Cloud Services Manager and, using CloudRegistry™ and Cloud Usage Analytics, discovered that their employees were actively using 360 cloud services. 3 months later, that number grew to 420, and it was 500 4 months after that. Most recently, the number of cloud services identified was 908.

Using Skyhigh’s CloudRisk™, the customer was able to immediately view a detailed risk assessment, based on 30 different data, user/device, service, business, and legal risk attributes, for every service in use at their organization. They adjusted the risk criteria to match their particular sensitivity to IP data leakage and then used the risk ratings to bucket the highest risk services into a group requiring immediate action. They also used the risk assessments to discover safe services in particular categories and to guide and expedite vendor assessments of new services.
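The two-step process above (match egress logs against a service registry, then rate each discovered service with adjustable risk criteria) can be sketched as follows. This is an added example, not Skyhigh's code: the log format, registry entries, attribute names, scores, threshold and the `SANCTIONED` list are all constructed assumptions.

```python
# Constructed registry: domain -> (service, category, attribute scores 1-9).
# Names, domains and scores are placeholders, not ratings of real services.
REGISTRY = {
    "storage-a.example": ("StorageA", "storage", {"data": 2, "legal": 3, "service": 2}),
    "storage-b.example": ("StorageB", "storage", {"data": 8, "legal": 9, "service": 6}),
    "codeshare.example": ("CodeShare", "development", {"data": 5, "legal": 9, "service": 3}),
    "crm.example": ("CRM", "crm", {"data": 2, "legal": 2, "service": 1}),
}
SANCTIONED = {"CRM"}  # assumption: the services IT has approved

# Constructed proxy log; assumed fields: time, source IP, action, host, bytes sent.
LOG = """\
2021-03-01T09:00:01Z 192.0.2.10 ALLOW app.crm.example 5120
2021-03-01T09:02:10Z 192.0.2.11 ALLOW files.storage-b.example 884736
2021-03-01T09:03:45Z 192.0.2.11 ALLOW storage-a.example 20480
2021-03-01T09:05:00Z 192.0.2.12 ALLOW git.codeshare.example 307200
2021-03-01T09:06:30Z 192.0.2.12 ALLOW notstorage-a.example 1024
2021-03-01T09:07:00Z 192.0.2.10 ALLOW cdn.unknown-tool.example 2048
"""


def lookup(host):
    """Longest-suffix match on whole DNS labels, so 'notstorage-a.example'
    is not mistaken for 'storage-a.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = REGISTRY.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def risk(scores, weights=None):
    """Weighted mean of attribute scores; weights tune the rating per business."""
    weights = weights or {}
    total = sum(weights.get(k, 1.0) for k in scores)
    return sum(v * weights.get(k, 1.0) for k, v in scores.items()) / total


def discover(log_text, weights=None, high=7.0):
    """Return (services in use, hosts missing from the registry, high-risk names)."""
    services, unmatched = {}, set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, src, _, host, sent = parts
        entry = lookup(host)
        if entry is None:
            unmatched.add(host)  # registry gap: needs manual classification
            continue
        name, category, scores = entry
        rec = services.setdefault(name, {
            "category": category, "risk": risk(scores, weights),
            "shadow": name not in SANCTIONED, "users": set(), "bytes": 0})
        rec["users"].add(src)
        rec["bytes"] += int(sent)
    high_risk = sorted(n for n, r in services.items() if r["risk"] >= high)
    return services, sorted(unmatched), high_risk


if __name__ == "__main__":
    # Weight the legal attribute more heavily, as a business sensitive to IP leakage might.
    services, unmatched, high_risk = discover(LOG, weights={"legal": 3.0})
    for name, rec in sorted(services.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{name:10} risk={rec['risk']:.1f} shadow={rec['shadow']} users={len(rec['users'])}")
    print("high risk:", high_risk, "| not in registry:", unmatched)
```

Hosts that match nothing in the registry are returned separately rather than dropped, since those are the services a category-based proxy or firewall view would miss.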


2. Encourage use of low-risk services:

Using Skyhigh, customers evaluate their employees’ use of cloud services by category and risk. They can quickly identify all services in a category and the risk ratings of each. With this information, customers will select the best service(s) for each category and encourage employees to use those low risk services to reduce risk.

Real-World Use Case: Skyhigh identified 42 different cloud storage services in use across various organizations within an enterprise. Many of these services were purchased via individual licenses and 12 of these services were rated as high-risk by Skyhigh and 23 were medium risk. After looking at the risk ratings, the customer was able to encourage employees to use low risk services such as Box, Hightail, and Egnyte. IT was able to accomplish its objectives of reducing risk for the organization and also offer employees choice of cloud services.

3. Consolidate subscriptions and reduce costs:

Using Skyhigh, customers evaluate the precise utilization of key cloud services supporting business groups. Oftentimes, organizations purchase blocks of cloud service licenses, but a certain percentage of those licenses go unutilized. By quantifying the exact utilization, customers can optimize the number of subscriptions, which results in cost savings. The utilization statistics also help companies consolidate individual and group licenses of growing services into enterprise licenses, which can also result in significant cost savings.

Real-World Use Case: One hi-tech customer had a 30,000 user license for Salesforce.com, which cost them approximately $25M per year. Using Skyhigh, they identified approximately 27,000 active Salesforce users who used the service multiple days every week. They also identified ~2,000 users who were using Salesforce an average of once a month. They then renegotiated their license, reducing the volume by 2,000 users, and delivered millions of dollars in cost savings to the company.

4. Ensure global and regional enforcement of cloud service policies:

Using Skyhigh, customers evaluate global cloud service policies enforced by their regional egress devices. Customers typically have cloud service policies that require consistent enforcement across all geographies, but they rely on several different types of egress devices forming their edge to enforce the policies. Using Skyhigh, they can look at policy enforcement globally to determine whether their cloud services policies are enforced consistently across regions, reducing the risk of privacy and compliance violations and reducing the security risk to the organization.

Real-World Use Case: A multinational customer had expanded internationally through M&A and had different firewall and proxy technologies around the edge. In Asia they primarily relied upon Bluecoat proxies, while in North America and Europe they employed Palo Alto Networks Firewalls. Using Skyhigh, they discovered vastly different levels of policy enforcement across their regional devices, and were able to easily create device-specific scripts that created consistent enforcement of their global cloud policies.

5. Reduce misuse of cloud access exceptions:

Organizations will commonly grant policy exceptions to certain groups and individuals that have a legitimate business case for using particular services. For example, marketing may need to use specific social media services, while other divisions do not need access to any social media service. However, since egress devices typically block categories of services, those groups or individuals that are granted access to specific services also have access to all other services within that category. With Skyhigh, companies can ensure that employees are only using specific services approved in the exception, avoiding unnecessary risk while still supporting legitimate business use of beneficial services.

Real-World Use Case: Oftentimes, exceptions must be made for business units or executives. One healthcare customer had a policy restricting all use of cloud storage services, but their CIO was asked to make a policy exception for executives to use Mozy, an online back-up service. However, in order to grant access to this service, he had to open up the entire personal file storage category for these users within their firewalls. Using Skyhigh, he discovered that the executive use of cloud storage had crept beyond Mozy, and they were now using 3 other services - Dropbox, YouSendIt, and Carbonite. The CIO was able to identify the users, communicate the risks of using these services outside of policy, and quickly bring cloud usage back into policy.

6. Prevent tracking services that enable “watering hole” attacks:

Using Skyhigh, customers can protect themselves from attackers that use the increasingly popular “watering hole” technique. Using this technique, attackers will leverage tracking services, such as KISSmetrics, to discover popular sites used by employees of a particular company they are targeting. Then they will target employees of that company by planting malware in links on those frequently visited sites. With Skyhigh, customers block those tracking sites, which provide no value to the enterprise but make them vulnerable to watering hole attacks.

Real-World Use Case: A technology customer became aware of the watering hole technique and used Skyhigh to discover tracking services that could be used to enable the technique against their company. Skyhigh showed them 8 different tracking services, including KISSmetrics and AddThis, that were providing data on their employees’ browsing histories. They then used Skyhigh to generate egress device scripts that blocked those services, preventing attackers from conducting watering hole attacks on their organization.

7. Evaluate the ROI of private cloud investments:

Using Skyhigh, customers are able to accurately evaluate the ROI of private cloud investments. Many organizations create private clouds for specific use cases that require additional security and compliance. However, it can be very difficult to evaluate the utility of private clouds without visibility into the use of other public cloud services, such as Amazon Web Services (AWS). With Skyhigh, customers can actively track and compare public vs. private cloud usage to inform accurate ROI calculations.

Real-World Use Case: A financial services customer wanted to encourage the use of a private cloud they had created for developers and discourage the use of AWS. They saw increased use of their private cloud, but could not determine if usage of AWS was decreasing or not. Using Skyhigh, they were able to determine that developer usage of AWS was actually increasing as well. They used the data from Skyhigh to conduct an ROI analysis at that point. They also used Skyhigh to identify the users of AWS and informed them of the private cloud option, which led to increased private cloud adoption and decreased use of AWS, increasing the ROI of their project. Using Skyhigh, they were able to track the evolving private vs. public cloud usage statistics so they could recalculate the private cloud ROI quarterly.

8. Track progress regularly

Managing the risk of cloud services is not a point-in-time exercise. You will need to continually monitor the use of cloud services since new services hit the market daily and your employees will constantly seek the latest tools to help them do their jobs.

In order to drive a successful and quantifiable risk management program you will need to determine which metrics to track and develop a methodology for gathering the data on a regular basis.

You should utilize a cloud services management platform that automates this process so you can avoid countless hours mining through raw data. You should also develop cloud service usage goals that have executive endorsement. For example, number of encrypted services in use, percentage of traffic reaching blocked sites, number of Shadow IT services in use, and percentage of high risk services as compared to total services.

Real World Use Case: A large financial services organization deployed the Skyhigh Cloud Services Manager across their entire organization and set specific goals for their cloud services risk management work. These goals were: number of encrypted services in use = 15 (all key services), percentage of traffic reaching blocked sites = < 2%, number of Shadow IT services in use = < 15, and percentage of high risk services as compared to total services = < 2%.

Using Skyhigh’s CloudRegistry™ and Cloud Usage Analytics, they were able to easily obtain the data required in order to track these metrics. Because of the service’s automation, it took 1 security admin less than 15 minutes each week to gather the data. Within 4 months they were able to hit their defined cloud service goals. By leveraging Skyhigh’s real-time capabilities and by treating the cloud services risk management as a continual process, they have been able to achieve their goal threshold metrics every week since, effectively reducing their cloud services risk in a meaningful and demonstrable manner.

Analyze Your Cloud

9. Identify anomalous behaviors indicative of malicious activity:

Oftentimes, perfectly safe and secure cloud services can be the source of a data leak if an internal employee is acting maliciously or if malware is at work. Unfortunately, no proxy, firewall, or SIEM can alert the organization of malicious use of a legitimate service. With Skyhigh, companies can quickly identify and investigate anomalous behavior, such as repeated attempts to access blocked services or high volume data uploads that are 3 standard deviations from the norm.

Real World Use Case: A Skyhigh financial services customer was alerted when an anomalous social media behavior occurred in which a particular IP address had over 10,000 tweets for that day. They compared the volume to the company’s corporate Twitter account, which had less than 10,000 tweets ever. Upon further investigation, the company discovered that the IP address had been compromised by malware and was being used to exfiltrate data from the organization 140 characters at a time.
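The two signals named above, uploads more than 3 standard deviations from the norm and repeated attempts to reach blocked services, reduce to the checks below. This is an added example, not Skyhigh's detection logic: the per-source baselines, the event tuples and the `min_attempts` threshold are constructed assumptions.

```python
from collections import Counter
from statistics import mean, stdev

# Constructed sample: MB uploaded per day by each internal source over a
# 7-day baseline window. Addresses are from a documentation range.
BASELINE = {
    "192.0.2.10": [120, 135, 110, 128, 140, 117, 125],
    "192.0.2.11": [15, 22, 18, 30, 25, 19, 21],
    "192.0.2.12": [400, 380, 420, 390, 410, 405, 395],
}
# Constructed sample: today's upload volume per source, in MB.
TODAY = {"192.0.2.10": 131, "192.0.2.11": 950, "192.0.2.12": 430}

# Constructed egress events: (source, destination service, action).
EVENTS = [("192.0.2.12", "storage-b.example", "DENY")] * 6 + [
    ("192.0.2.10", "storage-b.example", "DENY"),
    ("192.0.2.10", "crm.example", "ALLOW"),
]


def upload_outliers(baseline, today, sigmas=3.0):
    """Return (source, z-score) for sources whose upload volume today is more
    than `sigmas` standard deviations above their own historical mean.

    Today's value is deliberately kept out of the baseline: folding a large
    outlier into the sample inflates the standard deviation and can hide it.
    """
    flagged = []
    for src, value in sorted(today.items()):
        history = baseline.get(src, [])
        if len(history) < 2:
            continue  # no usable baseline yet; handle new sources separately
        mu, sd = mean(history), stdev(history)
        if sd == 0:
            # Perfectly flat history: any increase is off the scale.
            z = float("inf") if value > mu else 0.0
        else:
            z = (value - mu) / sd
        if z > sigmas:
            flagged.append((src, z))
    return flagged


def repeated_blocked(events, min_attempts=5):
    """Return sources with at least `min_attempts` denied requests."""
    denied = Counter(src for src, _, action in events if action == "DENY")
    return {src: n for src, n in denied.items() if n >= min_attempts}


if __name__ == "__main__":
    for src, z in upload_outliers(BASELINE, TODAY):
        print(f"upload anomaly: {src} is {z:.1f} standard deviations above its norm")
    for src, n in repeated_blocked(EVENTS).items():
        print(f"repeated blocked access: {src} was denied {n} times")
```

In the sample, 192.0.2.12 uploads more than usual but stays within 3 standard deviations of its own norm, so only 192.0.2.11 is flagged for volume.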

10. Prevent the loss of IP through code sharing:

Code sharing services, such as SourceForge, GitHub, and Codehaus, present a significant IP risk to organizations. Using Skyhigh, companies can identify which code sharing services are being used, understand the IP risk due to such use, identify the specific service users, and track the specific files uploaded to these repositories. With this information, companies can be immediately notified when any intellectual property is shared, intentionally or unintentionally, via risky code sharing services.

Real-World Use Case: SourceForge, a prevalent open source code-sharing repository, is a popular site for developers to download open source code. However, if they use the site to upload and share code with other developers, the code immediately becomes part of the public domain based on the service’s terms and conditions. This can represent a serious loss of IP, so one technology customer uses Skyhigh to identify all users downloading code from SourceForge and inform them of this risk and the company policy to never upload code to the service.

11. Locate compromised users:

Using Skyhigh, customers locate users and devices that have been compromised by malware. Malicious parties increasingly use open-source code to insert malware into enterprises. Skyhigh features full forensic capabilities that allow security teams to track malware that has infiltrated the system via cloud downloads. Specifically, Skyhigh users can search their code downloads to identify if the malware has entered the organization and which users have been compromised. Customers also rely on Skyhigh to alert them when a compromise is confirmed.

Real-World Use Case: A global manufacturing company relied heavily on SourceForge to acquire code for development projects. In a two-week time period, they downloaded approximately 1,000 files from multiple projects. Weeks later, they discovered that 6 of the projects contained malware. Skyhigh’s document signature analysis quickly matched the malware with the files that were downloaded and alerted the company with the list of users that were exposed, reducing the spread of malware.

12. Eliminate source-code backdoors:

Using Skyhigh, customers reduce the risk of cloud services by eliminating increasingly common source-code backdoor vulnerabilities. Using source-code backdoors, attackers are able to execute malicious code on systems that run the code. With the tremendous amount of data downloaded from code sharing services, it can be incredibly difficult to identify which code contained the backdoor. Skyhigh captures all download and repository information so customers can quickly pinpoint the vulnerable code and locate the compromised devices and users.

Real-World Use Case: A diversified manufacturing customer downloaded open-source messaging apps from Maven.apache.org. Months later, they saw a notification from Maven that specific packages contained malicious code, creating backdoors for attackers. Using Skyhigh, they were able to quickly identify who had downloaded the code and where it had been implemented. Within one day, they had eliminated the source-code backdoor, mitigating future risk to the enterprise and its customers.

13. Enable ongoing monitoring of cloud services:

Using Skyhigh, customers actively monitor the risk level of services in use. When a particular service is compromised, due to a password or other security breach, the customer is alerted, enabling them to notify the users of that service, which reduces the immediate risk posed to their organization.

Real-World Use Case: When Evernote, an online collaboration service, was hacked in March ’13, Skyhigh’s automated alerts notified the healthcare customer that a service used by their organization was compromised. Using Skyhigh, they identified all Evernote users, and IT was able to immediately inform these users about actions they should take to safeguard company-specific content residing in Evernote.

Secure Your Cloud

14. Encrypt data going to key services

It is prudent to add another layer of security to the most critical cloud services in your organization. The first step is to identify services that are enterprise-critical, blessed, and procured, such as Salesforce, Box, Office365, and Google. Access to those services should require employees to use their corporate identity and then access your enterprise’s account at the service. For example, their traffic would go to acme.salesforce.com, rather than directly to salesforce.com. This means that you can then control who has access to the account, and what happens to the data sent to this service.

The best practice is to leverage a reverse proxy to encrypt data sent to these services with your enterprise-managed encryption keys. In doing so, you guarantee that even if the provider is compromised, your data will not be. Finally, you will need to ensure that your control is enforced for on-premise to cloud accesses and for mobile to cloud access. This should be done without requiring the traffic from those devices to be back-hauled (through a VPN) into your enterprise edge first, to avoid introducing user friction.

Doing this will provide 2 distinct advantages. The first obvious advantage is that even if the service is compromised, your data will not be because you hold the encryption keys. The second advantage is that in this era of limited data privacy, this encryption guards against a blind government subpoena. Microsoft, Google, and Box, for example, often receive subpoenas from the government asking for information for a particular company, with a gag order prohibiting them from alerting that company. By encrypting the data that lives within the cloud, the company can ensure that it is notified of any investigation, as it will need to provide the encryption keys to government investigators.

Real World Use Case: An AmLaw 100 law firm wanted to use Box to store and share client data but they were worried that their client’s confidential data would be sitting in the cloud, and if Box were to be compromised, their client data would be compromised. The law firm decided to go ahead and use Box, but could not risk any chance of exposing client data so they leveraged Skyhigh’s CloudFlow™, a reverse proxy that delivers non-disruptive control of cloud usage through both corporate and personal devices.

CloudFlow also leverages military grade 256-bit encryption to ensure that any data in transit or in a cloud service is accessible only with their keys. In doing so, the firm was able to strictly adhere to the compliance guidelines of its industry, serve the client in the best possible fashion, and leverage a technology that enabled their business practices and workflows.


15. Enable regulatory compliant use of cloud services:

Using Skyhigh, customers enable regulatory compliant use of cloud services by reducing the risk of PCI, HIPAA, and HITECH violations. Traditionally, data loss prevention (DLP) solutions aimed at preventing personally identifiable information (PII) from leaving an enterprise were focused on email, storage devices, and printing. Skyhigh enables regulatory compliance by providing DLP services that prevent PII from leaving the enterprise via cloud services.

Real-World Use Case: A healthcare customer had implemented DLP solutions that protected personal health information (PHI) from leaving the organization via email, storage devices, and printing. Using Skyhigh’s Discovery capabilities, they identified widespread use of cloud storage and collaboration services within their organization. They were understandably concerned that they had not protected PHI from going to the cloud. Using Skyhigh, they enabled DLP across their primary cloud storage and collaboration services, enabling them to safely offer these services to their employees while reducing the risk of compliance violations.
