PREVENTIA Forward Thinking Security Solutions

Skyhigh Best Practices and Use Cases

Table of Contents

Discover Your Cloud
1. Identify all cloud services in use & evaluate risk
2. Encourage use of low-risk services
3. Consolidate subscriptions and reduce costs
4. Ensure global and regional enforcement of cloud service policies
5. Reduce misuse of cloud access exceptions
6. Prevent tracking services that enable watering hole attacks
7. Evaluate the ROI of private cloud investments
8. Track progress regularly

Analyze Your Cloud
9. Identify anomalous behaviors indicative of malicious activity
10. Prevent the loss of IP through code sharing
11. Locate compromised users
12. Eliminate source-code backdoors
13. Enable ongoing monitoring of cloud services

Secure Your Cloud
14. Encrypt data going to key services
15. Enable regulatory compliant use of cloud services

Discover Your Cloud

1. Identify all cloud services in use & evaluate risk

Flying blind is never a good idea, so before you begin taking steps to reduce risk, you need to understand what risk you are currently exposed to. This is a two-step process.

The first step in the process is to identify every cloud service in use at your organization. Relying on a proxy or firewall alone will make this an arduous (manual) and incomplete task, as they classify the most popular services but overlook thousands of other services. Instead, reference your log traffic against a cloud registry that has a minimum of 3,000 services in order to gain a complete view of your enterprise's cloud usage. Note that most CIOs expect 25-40 services in their environment, but find an average of 300-400 services, most existing in the Shadow IT bucket. Also note that this discovery of cloud exposure must be a continuous activity because the velocity of new cloud service introduction and use is only increasing; a one-time snapshot will rapidly get stale.

The second step in the process is to understand the risk of the various cloud services in use. Not all cloud services are risky, so it's important to get an objective understanding of the risk level for every service. Given the sheer volume of services, evaluating each one is an impossible task, so leverage a cloud registry that classifies services based on a thorough set of criteria. Since every business has a different risk profile, make sure the registry's risk ratings are easily customizable. The risk assessment of services should also be a continuous activity; for example, a password breach at a cloud service should increase the risk of that service until the breach is addressed.

Real-World Use Case: The CIO at a Fortune 500 technology company had approved 90 different cloud services to be used by their employees. They deployed Skyhigh's Cloud Services Manager and, using CloudRegistry™ and Cloud Usage Analytics, discovered that their employees were actively using 360 cloud services. 3 months later, that number grew to 420, and it was 500 4 months after that. Most recently, the number of cloud services identified was 908. Using Skyhigh's CloudRisk™, the customer was able to immediately view a detailed risk assessment, based on 30 different data, user/device, service, business, and legal risk attributes, for every service in use at their organization. They adjusted the risk criteria to match their particular sensitivity to IP data leakage and then used the risk ratings to bucket the highest risk services into a group requiring immediate action. They also used the risk assessments to discover safe services in particular categories and to guide and expedite vendor assessments of new services.

2. Encourage use of low-risk services

Using Skyhigh, customers evaluate their employees' use of cloud services by category and risk. They can quickly identify all services in a category and the risk ratings of each. With this information, customers will select the best service(s) for each category and encourage employees to use those low-risk services to reduce risk.

Real-World Use Case: Skyhigh identified 42 different cloud storage services in use across various organizations within an enterprise. Many of these services were purchased via individual licenses; 12 of these services were rated as high-risk by Skyhigh and 23 were medium risk. After looking at the risk ratings, the customer was able to encourage employees to use low-risk services such as Box, Hightail, and Egnyte. IT was able to accomplish its objectives of reducing risk for the organization and also offer employees a choice of cloud services.

3. Consolidate subscriptions and reduce costs

Using Skyhigh, customers evaluate the precise utilization of key cloud services supporting business groups. Oftentimes, organizations purchase blocks of cloud service licenses, but a certain percentage of those licenses go unutilized. By quantifying the exact utilization, customers can optimize the number of subscriptions, which results in cost savings. The utilization statistics also help companies consolidate individual and group licenses of growing services into enterprise licenses, which can also result in significant cost savings.

Real-World Use Case: One hi-tech customer had a 30,000 user license for Salesforce.com, which cost them approximately $25M per year. Using Skyhigh, they identified approximately 27,000 active Salesforce users who used the service multiple days every week. They also identified ~2,000 users who were using Salesforce an average of once a month. They then renegotiated their license, reducing the volume by 2,000 users, and delivered millions of dollars in cost savings to the company.

4. Ensure global and regional enforcement of cloud service policies

Using Skyhigh, customers evaluate global cloud service policies enforced by their regional egress devices. Customers typically have cloud service policies that require consistent enforcement across all geographies, but they rely on several different types of egress devices forming their edge to enforce the policies. Using Skyhigh, they can look at policy enforcement globally to determine whether their cloud services policies are enforced consistently across regions, reducing the risk of privacy and compliance violations and reducing the security risk to the organization.

Real-World Use Case: A multinational customer had expanded internationally through M&A and had different firewall and proxy technologies around the edge. In Asia they primarily relied upon Bluecoat proxies, while in North America and Europe they employed Palo Alto Networks Firewalls. Using Skyhigh, they discovered vastly different levels of policy enforcement across their regional devices, and were able to easily create device-specific scripts that created consistent enforcement of their global cloud policies.

5. Reduce misuse of cloud access exceptions

Organizations will commonly grant policy exceptions to certain groups and individuals that have a legitimate business case for using particular services. For example, marketing may need to use specific social media services, while other divisions do not need access to any social media service. However, since egress devices typically block categories of services, those groups or individuals that are granted access to specific services also have access to all other services within that category. With Skyhigh, companies can ensure that employees are only using specific services approved in the exception, avoiding unnecessary risk while still supporting legitimate business use of beneficial services.

Real-World Use Case: Oftentimes, exceptions must be made for business units or executives. One healthcare customer had a policy restricting all use of cloud storage services, but their CIO was asked to make a policy exception for executives to use Mozy, an online back-up service. However, in order to grant access to this service, he had to open up the entire personal file storage category for these users within their firewalls. Using Skyhigh, he discovered that the executive use of cloud storage had crept beyond Mozy, and they were now using 3 other services: Dropbox, YouSendIt, and Carbonite. The CIO was able to identify the users, communicate the risks of using these services outside of policy, and quickly bring cloud usage back into policy.
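
The exception check from practice 5, combined with the registry lookup from practice 1, as an added example (not Skyhigh's code): it replays a constructed proxy log against a small constructed registry and reports excepted users who have drifted beyond the approved service. The log format, user names and policy structure are assumptions.

```python
from collections import defaultdict

# Constructed registry slice: registrable domain -> (service, category).
REGISTRY = {
    "mozy.com": ("Mozy", "cloud-storage"),
    "dropbox.com": ("Dropbox", "cloud-storage"),
    "carbonite.com": ("Carbonite", "cloud-storage"),
    "yousendit.com": ("YouSendIt", "cloud-storage"),
    "salesforce.com": ("Salesforce", "crm"),
}

# Hypothetical policy: cloud storage is blocked, except Mozy for two executives.
BLOCKED_CATEGORIES = {"cloud-storage"}
EXCEPTIONS = {"cloud-storage": {"users": {"exec1", "exec2"}, "approved": {"Mozy"}}}

# Constructed proxy log: timestamp user action host bytes_out
SAMPLE_LOG = """\
2014-01-07T09:12:03Z exec1 ALLOW backup.mozy.com 48211
2014-01-07T09:14:40Z exec1 ALLOW client.dropbox.com 910442
2014-01-07T09:20:11Z exec2 ALLOW www.carbonite.com 120034
2014-01-07T09:21:55Z exec2 ALLOW backup.mozy.com 5120
2014-01-07T10:02:19Z jdoe DENY www.dropbox.com 0
2014-01-07T10:05:42Z jdoe ALLOW www.yousendit.com 77120
2014-01-07T10:09:01Z jdoe ALLOW acme.salesforce.com 2048
2014-01-07T10:30:27Z exec1 ALLOW dropbox.com.files.example 3300
2014-01-07T10:31:00Z exec1 ALLOW malformed-line
"""

def service_for(host):
    """Match on label boundaries so 'dropbox.com.files.example' is not Dropbox."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = REGISTRY.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def audit(log_text):
    drift = defaultdict(set)   # excepted user -> unapproved services in the category
    leaks = defaultdict(set)   # other users -> blocked-category services allowed through
    unclassified = set()       # hosts the registry does not know
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "ALLOW":
            continue           # skip malformed lines and denied requests
        _, user, _, host, _ = parts
        hit = service_for(host)
        if hit is None:
            unclassified.add(host)
            continue
        service, category = hit
        if category not in BLOCKED_CATEGORIES:
            continue
        exc = EXCEPTIONS.get(category)
        if exc and user in exc["users"]:
            if service not in exc["approved"]:
                drift[user].add(service)
        else:
            leaks[user].add(service)
    return dict(drift), dict(leaks), unclassified

if __name__ == "__main__":
    for name, result in zip(("drift", "leaks", "unclassified"), audit(SAMPLE_LOG)):
        print(name, result)
```

The `leaks` result covers the enforcement gap from practice 4: a user outside the exception who was still allowed through to a blocked category.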

6. Prevent tracking services that enable watering hole attacks

Using Skyhigh, customers can protect themselves from attackers that use the increasingly popular watering hole technique. Using this technique, attackers will leverage tracking services, such as KISSmetrics, to discover popular sites used by employees of a particular company they are targeting. Then they will target employees of that company by planting malware in links on those frequently visited sites. With Skyhigh, customers block those tracking sites, which provide no value to the enterprise but make them vulnerable to watering hole attacks.

Real-World Use Case: A technology customer became aware of the watering hole technique and used Skyhigh to discover tracking services that could be used to enable the technique against their company. Skyhigh showed them 8 different tracking services, including KISSmetrics and AddThis, that were providing data on their employees' browsing histories. They then used Skyhigh to generate egress device scripts that blocked those services, preventing attackers from conducting watering hole attacks on their organization.

7. Evaluate the ROI of private cloud investments

Using Skyhigh, customers are able to accurately evaluate the ROI of private cloud investments. Many organizations create private clouds for specific use cases that require additional security and compliance. However, it can be very difficult to evaluate the utility of private clouds without visibility into the use of other public cloud services, such as Amazon Web Services (AWS). With Skyhigh, customers can actively track and compare public vs. private cloud usage to inform accurate ROI calculations.

Real-World Use Case: A financial services customer wanted to encourage the use of a private cloud they had created for developers and discourage the use of AWS. They saw increased use of their private cloud, but could not determine if usage of AWS was decreasing or not. Using Skyhigh, they were able to determine that developer usage of AWS was actually increasing as well. They used the data from Skyhigh to conduct an ROI analysis at that point. They also used Skyhigh to identify the users of AWS and informed them of the private cloud option, which led to increased private cloud adoption and decreased use of AWS, increasing the ROI of their project. Using Skyhigh, they were able to track the evolving private vs. public cloud usage statistics so they could recalculate the private cloud ROI quarterly.

8. Track progress regularly

Managing the risk of cloud services is not a point-in-time exercise. You will need to continually monitor the use of cloud services since new services hit the market daily and your employees will constantly seek the latest tools to help them do their jobs. In order to drive a successful and quantifiable risk management program, you will need to determine which metrics to track and develop a methodology for gathering the data on a regular basis. You should utilize a cloud services management platform that automates this process so you can avoid countless hours mining through raw data. You should also develop cloud service usage goals that have executive endorsement. For example: number of encrypted services in use, percentage of traffic reaching blocked sites, number of Shadow IT services in use, and percentage of high risk services as compared to total services.

Real-World Use Case: A large financial services organization deployed the Skyhigh Cloud Services Manager across their entire organization and set specific goals for their cloud services risk management work. These goals were: number of encrypted services in use = 15 (all key services), percentage of traffic reaching blocked sites = < 2%, number of Shadow IT services in use = < 15, and percentage of high risk services as compared to total services = < 2%. Using Skyhigh's CloudRegistry™ and Cloud Usage Analytics, they were able to easily obtain the data required in order to track these metrics. Because of the service's automation, it took 1 security admin less than 15 minutes each week to gather the data. Within 4 months they were able to hit their defined cloud service goals. By leveraging Skyhigh's real-time capabilities and by treating cloud services risk management as a continual process, they have been able to achieve their goals' threshold metrics every week since, effectively reducing their cloud services risk in a meaningful and demonstrable manner.

Analyze Your Cloud

9. Identify anomalous behaviors indicative of malicious activity

Oftentimes, perfectly safe and secure cloud services can be the source of a data leak if an internal employee is acting maliciously or if malware is at work. Unfortunately, no proxy, firewall, or SIEM can alert the organization of malicious use of a legitimate service. With Skyhigh, companies can quickly identify and investigate anomalous behavior, such as repeated attempts to access blocked services or high volume data uploads that are 3 standard deviations from the norm.

Real-World Use Case: A Skyhigh financial services customer was alerted when an anomalous social media behavior occurred in which a particular IP address had over 10,000 tweets for that day. They compared the volume to the company's corporate Twitter account, which had less than 10,000 tweets ever. Upon further investigation, the company discovered that the IP address had been compromised by malware and was being used to exfiltrate data from the organization 140 characters at a time.

10. Prevent the loss of IP through code sharing

Code sharing services, such as SourceForge, GitHub, and Codehaus, present a significant IP risk to organizations. Using Skyhigh, companies can identify which code sharing services are being used, understand the IP risk due to such use, identify the specific service users, and track the specific files uploaded to these repositories. With this information, companies can be immediately notified when any intellectual property is shared, intentionally or unintentionally, via risky code sharing services.

Real-World Use Case: SourceForge, a prevalent open source code-sharing repository, is a popular site for developers to download open source code. However, if they use the site to upload and share code with other developers, the code immediately becomes part of the public domain based on the service's terms and conditions. This can represent a serious loss of IP, so one technology customer uses Skyhigh to identify all users downloading code from SourceForge and inform them of this risk and the company policy to never upload code to the service.
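
The 3-standard-deviation check from practice 9 as an added example (not Skyhigh's implementation): it scores each source's latest daily count against that source's own earlier days, and shows why the day under review has to be kept out of its own baseline. The roll-up format, the minimum-history rule and the deviation floor are assumptions, and all counts are constructed.

```python
from statistics import mean, stdev

Z_THRESHOLD = 3.0       # "3 standard deviations from the norm"
MIN_HISTORY_DAYS = 5    # assumption: shorter baselines are reported, not scored

# Constructed roll-up of egress logs: source IP, service, daily post counts
# (oldest first; the last value is the day under review).
SAMPLE_ROLLUP = """\
10.0.4.17 twitter 12 9 15 11 8 13 10412
10.0.4.22 twitter 40 55 38 61 47 52 58
10.0.7.3  box     20 20 20 20 20 20 21
10.0.9.5  box     3 9000
"""

def parse_rollup(text):
    series = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        series[(fields[0], fields[1])] = [int(v) for v in fields[2:]]
    return series

def score(history, today):
    """z-score of today against earlier days only."""
    mu = mean(history)
    # Floor keeps a perfectly flat baseline from dividing by zero or
    # turning a one-unit change into an alert.
    sigma = max(stdev(history), 0.05 * mu, 1.0)
    return (today - mu) / sigma

def naive_z(counts):
    """Contrast case: today left inside the baseline. With n samples this
    can never exceed (n - 1) / sqrt(n), about 2.27 for 7 days, so a
    threshold of 3 is unreachable however large the spike."""
    return (counts[-1] - mean(counts)) / stdev(counts)

def detect(series):
    alerts, unscored = [], []
    for (src, service), counts in sorted(series.items()):
        history, today = counts[:-1], counts[-1]
        if len(history) < MIN_HISTORY_DAYS:
            unscored.append((src, service, today))   # needs manual review
            continue
        z = score(history, today)
        if z > Z_THRESHOLD:
            alerts.append((src, service, today, round(z, 1)))
    return alerts, unscored

if __name__ == "__main__":
    alerts, unscored = detect(parse_rollup(SAMPLE_ROLLUP))
    print("alerts:", alerts)
    print("insufficient baseline:", unscored)
```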

11. Locate compromised users

Using Skyhigh, customers locate users and devices that have been compromised by malware. Malicious parties increasingly use open-source code to insert malware into enterprises. Skyhigh features full forensic capabilities that allow security teams to track malware that has infiltrated the system via cloud downloads. Specifically, Skyhigh users can search their code downloads to identify if the malware has entered the organization and which users have been compromised. Customers also rely on Skyhigh to alert them when a compromise is confirmed.

Real-World Use Case: A global manufacturing company relied heavily on SourceForge to acquire code for development projects. In a two-week time period, they downloaded approximately 1,000 files from multiple projects. Weeks later, they discovered that 6 of the projects contained malware. Skyhigh's document signature analysis quickly matched the malware with the files that were downloaded and alerted the company with the list of users that were exposed, reducing the spread of malware.

12. Eliminate source-code backdoors

Using Skyhigh, customers reduce the risk of cloud services by eliminating increasingly common source-code backdoor vulnerabilities. Using source-code backdoors, attackers are able to execute malicious code on systems that run the code. With the tremendous amount of data downloaded from code sharing services, it can be incredibly difficult to identify which code contained the backdoor. Skyhigh captures all download and repository information so customers can quickly pinpoint the vulnerable code and locate the compromised devices and users.

Real-World Use Case: A diversified manufacturing customer downloaded open-source messaging apps from Maven.apache.org. Months later, they saw a notification from Maven that specific packages contained malicious code, creating backdoors for attackers. Using Skyhigh, they were able to quickly identify who had downloaded the code and where it had been implemented. Within one day, they had eliminated the source-code backdoor, mitigating future risk to the enterprise and its customers.

13. Enable ongoing monitoring of cloud services

Using Skyhigh, customers actively monitor the risk level of services in use. When a particular service is compromised, due to a password or other security breach, the customer is alerted, enabling them to notify the users of that service, which reduces the immediate risk posed to their organization.

Real-World Use Case: When Evernote, an online collaboration service, was hacked in March '13, Skyhigh's automated alerts notified the healthcare customer that a service used by their organization was compromised. Using Skyhigh, they identified all Evernote users, and IT was able to immediately inform these users about actions they should take to safeguard company-specific content residing in Evernote.

Secure Your Cloud

14. Encrypt data going to key services

It is prudent to add another layer of security to the most critical cloud services in your organization. The first step is to identify services that are enterprise-critical, blessed, and procured, such as Salesforce, Box, Office365, and Google. Access to those services should require employees to use their corporate identity and then access your enterprise's account at the service. For example, their traffic would go to acme.salesforce.com, rather than directly to salesforce.com. This means that you can then control who has access to the account, and what happens to the data sent to this service. The best practice is to leverage a reverse proxy to encrypt data sent to these services with your enterprise-managed encryption keys. In doing so, you guarantee that even if the provider is compromised, your data will not be. Finally, you will need to ensure that your control is enforced for on-premise to cloud access and for mobile to cloud access. This should be done without requiring the traffic from those devices to be back-hauled (through a VPN) into your enterprise edge first, to avoid introducing user friction.

Doing this will provide 2 distinct advantages. The first obvious advantage is that even if the service is compromised, your data will not be because you hold the encryption keys. The second advantage is that in this era of limited data privacy, this encryption guards against a blind government subpoena. Microsoft, Google, and Box, for example, often receive subpoenas from the government asking for information for a particular company, with a gag order prohibiting them from alerting that company. By encrypting the data that lives within the cloud, the company can ensure that it is notified of any investigation, as it will need to provide the encryption keys to government investigators.

Real-World Use Case: An AmLaw 100 law firm wanted to use Box to store and share client data, but they were worried that their clients' confidential data would be sitting in the cloud, and if Box were to be compromised, their client data would be compromised. The law firm decided to go ahead and use Box, but could not risk any chance of exposing client data, so they leveraged Skyhigh's CloudFlow™, a reverse proxy that delivers non-disruptive control of cloud usage through both corporate and personal devices. CloudFlow also leverages military grade 256-bit encryption to ensure that any data in transit or in a cloud service is accessible only with their keys. In doing so, the firm was able to strictly adhere to the compliance guidelines of its industry, serve the client in the best possible fashion, and leverage a technology that enabled their business practices and workflows.

15. Enable regulatory compliant use of cloud services

Using Skyhigh, customers enable regulatory compliant use of cloud services by reducing the risk of PCI, HIPAA, and HITECH violations. Traditionally, data loss prevention (DLP) solutions aimed at preventing personally identifiable information (PII) from leaving an enterprise were focused on email, storage devices, and printing. Skyhigh enables regulatory compliance by providing DLP services that prevent PII from leaving the enterprise via cloud services.

Real-World Use Case: A healthcare customer had implemented DLP solutions that protected personal health information (PHI) from leaving the organization via email, storage devices, and printing. Using Skyhigh's Discovery capabilities, they identified widespread use of cloud storage and collaboration services within their organization. They were understandably concerned that they had not protected PHI from going to the cloud. Using Skyhigh, they enabled DLP across their primary cloud storage and collaboration services, enabling them to safely offer these services to their employees while reducing the risk of compliance violations.