Traditional security paradigms of corporations focus significantly on strong perimeter security. Most organizations already realize this is a dated model and are questioning how to adapt to Cloud and BYOD. Many now are reassessing their security approach rather than filling gaps by purchasing new tools. In complex environments, security is typically tackled with a layered approach. The difficulty in this approach is that each layer requires different management tools that are often managed by different teams, so maintaining top-down visibility is difficult. For example, the team responsible for application security (often developers) has very little interaction with the team responsible for DMZ management, resulting in deployment and maintenance challenges. One common gap is the management of file sharing services such as Microsoft OneDrive or Box.com. This was made clear by a recent high-profile attack against Apple iCloud in 2014, where sensitive (ahem) data was exposed due to an API-related issue: the Find My iPhone service had no protection against a brute-force password attack. This vulnerability allowed hackers unlimited password guesses and the ability to easily capture iCloud accounts with simple passwords. Apple quickly released a fix, but the damage was done. Any corporate data in iCloud was also compromised, albeit without the headlines. Traditional on-premises monitoring tools cannot prevent this scenario.
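The missing control in the Find My iPhone case was a limit on failed password guesses per account. As an added illustration (not code from the original article or from Apple), here is a constructed per-account login throttle for an authentication API: it counts failures in a sliding window, locks the account for a fixed period once the limit trips, and refuses locked accounts before checking the password so a guess yields no signal. The account name, password, salt and thresholds are constructed example values.

```python
"""Per-account failed-login throttling for an authentication API (constructed example)."""
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5          # failed attempts allowed per account per window
WINDOW_SECONDS = 300      # sliding window in which failures are counted
LOCKOUT_SECONDS = 900     # how long an account stays locked once the limit trips

# Constructed credential store: account -> salted SHA-256 of the password.
# A real service would use a slow password KDF (scrypt, bcrypt, Argon2) instead.
_SALT = b"constructed-example-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


CREDENTIALS = {"alice@example.com": _digest("correct horse battery staple")}


class LoginThrottle:
    def __init__(self, clock):
        self.clock = clock                  # callable returning seconds; injected for testability
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def attempt(self, account: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"                 # refused before any password check
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # expire failures outside the window
        # Compare against a dummy digest for unknown accounts so timing is uniform.
        stored = CREDENTIALS.get(account, _digest(""))
        matched = hmac.compare_digest(stored, _digest(password)) and account in CREDENTIALS
        if matched:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            # Production code would also emit a SIEM event here: the account is under attack.
        return "denied"
```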
Another security gap is in managing external service providers who require connectivity to your internal network. In this scenario, individuals outside of your company’s direct control present more attack surfaces, and seemingly innocuous points of entry are used as jump-off points to attain privileged access to internal resources. This is similar to the attack on Target in 2013, where an HVAC vendor’s account was used to gain entry and attain control of their point-of-sale systems to steal credit card information. One study commissioned by CyberArk states that 80-100% of attacks rely upon elevated accounts. This is a staggering statistic, as securing such accounts is easier said than done.
IT departments often address security gaps by purchasing new tools, as is the case with the new breed of products that Gartner refers to as Cloud Access Security Brokers (CASB). These products aim to centrally manage Cloud service providers; however, many are new to market and subject to acquisitions. There is a lot of uncertainty in the CASB space, and we suggest due diligence before purchasing such products.
The traditional layers of security have fundamentally changed. The Application Layer is now outside the Perimeter, and therefore existing tools provide no protection for sensitive data. IT departments traditionally assume that the data is secured by the outside layers, but often this no longer applies. It is increasingly important to tackle Data Security head-on. A better approach, for now, may be to assess new strategies around your IT governance and security policies. Consider the following:
- Institute a top-down security model that can be applied in a distributed fashion. Security should be everybody’s job, not just the security team’s.
- Implement a customer-driven architecture to engage the business and better understand industry drivers and business processes. IT Security should be engaged, even up to executive level, to meet both business and security objectives.
- Simultaneously, institute an inside-out data-centric security model to align both business and IT requirements.
- Review your data security policies to ensure they are scalable and standardized across your organization.
- Institute a common set of controls, particularly for Cloud applications, to attain some level of visibility. CASB tools or your existing SIEM strategy may help.