Rarely a week passes anymore without further reminders that cloud computing is rapidly transforming the enterprise. And as more organizations recognize the financial and operational benefits of moving their digital data and on-premises workloads to the cloud, the momentum will continue unabated in what is shaping up to be a remarkable tech transition.
So, what’s not to like?
No doubt that it all looks great on the surface. But as a security guy, I’m sensitive to the wider ramifications of adopting a new technology or process on a business’s defenses. And one byproduct of the cloud’s unchecked growth is that companies aren’t paying enough attention to some awfully big threats.
As a result, they’re leaving themselves increasingly vulnerable to attacks from clever cyber criminals eager to steal enterprise data and other valuable intellectual property. Let’s take a closer look at some of the potential trouble spots.
A World of Trouble
Many of the cloud apps used by employees aren’t even vetted by their organizations. Many departments now bypass IT and provision what they want on their own. This phenomenon of Shadow IT creates all kinds of new security risks - not the least being that more apps than ever are outside of IT’s physical control, leaving the company blind about what data is getting exposed when employees bypass the traditional security stack securing sanctioned cloud applications (i.e. the ones that IT and Security have approved). In a digital business - and increasingly all businesses are turning into digital organizations - you’re heading for serious trouble if sensitive data starts flowing into unsanctioned cloud apps.
As their cloud and web traffic soars, organizations find they are facing a new challenge – a surge in encrypted traffic. Nearly 80% of internet traffic is now encrypted using some form of SSL/TLS encryption. Encryption is usually a fine thing, helping to secure information and protect privacy. But there is a dark side (no pun intended). Encryption can blind a lot of your existing network security stack – the very stack that you depend on to prevent threats and secure your information. Cyber criminals realize this as well, which is why Gartner expects nearly 50% of malware attacks this year to use some form of encryption to hide themselves. You need to deal with that challenge. If traffic isn’t inspected properly, the bad guys will use encryption to bypass security, get onto your users’ devices and cause a world of trouble.
Cyber criminals are coming up with more and more advanced threats – some don’t even require users to download a document or click on a malicious URL to put their organizations at risk. These advanced attacks take advantage of vulnerabilities that exist in web browsers or poor coding techniques on websites themselves that allow cyber criminals to deliver malware to anybody who happens to browse these sites.
Companies wind up paying a hidden performance tax as the price for enabling an increasingly mobile workforce. Their employees have cut the tether that once kept them chained to their desks and now can work wherever - all that’s required is a connection to the cloud. So, what’s the problem?
Well, consider what this means in practice. The cloud has become the “Great Disseminator” of your data. Users demand direct access to the cloud apps they need to do their jobs. But the most efficient path to those apps – a straight line - isn’t the line that is typically followed. Most organizations invest a lot of coin to first backhaul all of this remote branch traffic to their corporate data centers for deep and thorough inspection. And that’s understandable; Internet traffic is the riskiest from a threat prevention and data leakage perspective, and IT and security require that it pass through the security stack in place back at headquarters.
But this is also a super-inefficient way to go about securing data and, depending on your architecture, can exact a big performance penalty. And once you do the math and calculate how much you are spending backhauling this ever-increasing amount of internet traffic, you’ll understand why the T1/MPLS charges are growing so quickly.
Thinking About a Solution
As the cloud transforms IT, it’s creating myriad network challenges around security and data. So, as you take stock of your cloud security situation, make sure to factor these considerations into any assessment:
- You want top-shelf threat prevention and information security inspection technologies that can quickly scan traffic – even encrypted traffic going back and forth to the internet. Your stack needs to fully inspect traffic before it gives it the green light to pass. Unlike Next Generation Firewalls (NGFWs), secure web gateway proxies are designed to do exactly this, including inspecting encrypted traffic at scale, so they should play a role in your cloud and internet defenses.
- Make sure your inspection approach has multiple layers that are proven to be more effective than the competition (e.g. insist on test results). You want a defense in depth approach, such as combining multiple anti-virus engines with sandboxing, that will identify the most threats while keeping false positives to a minimum.
- Don’t get caught in a trap where you have less effective security and compliance policies protecting your remote users as compared to your HQ workers. You need to be able to enforce consistent security and compliance policies for all users, regardless of their location or what device they use. And you should be able to manage it all in one policy dashboard that allows you to define security and compliance policies once and push them to your entire stack – in the cloud and on-premises.
- No more “backhauling.” Security should get enforced as traffic is going direct to the internet. If your cloud-security provider has architected their network properly to work with cloud applications like Office 365, your users will get better performance and security and you will get a significantly lower monthly backhauling bill!
- To meet data compliance and information security requirements, you need to know what information is going out to the web and the cloud. For example, if data is getting sent to Box, does that violate the company’s compliance policies? If there’s sensitive IP, does it need additional protection like encryption? If so, then you need to be able to enforce access rights, establishing rules governing who in the company is authorized to view those encrypted documents.
- Leverage Cloud Access Security Broker (CASB) capabilities that will help identify what cloud apps employees use. You need to view attribute data on these clouds, such as the types of certifications their datacenters have or whether they enforce multi-factor authentication for access, so you can assess their relative risk to your business. Then you need tools that let you manage cloud application access so you can shut down access to non-compliant clouds and enforce security policies, such as scanning downloads for malware, on the clouds that you choose to leave in place.
- Lastly, you should have a way to get alerts when something suspicious occurs in any cloud accounts. For example, advanced CASB tools can leverage User Behavior Analytics (UBA) to spot behavior patterns that are indicative of compromised cloud application account credentials. Lights should start flashing when an intruder gets their hands on an employee’s Salesforce.com account and starts exfiltrating your company’s entire pipeline information to their Box account!
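To make the last two points concrete, here is an added example (not code from the original post or from any vendor product) of the two checks a CASB would run over cloud activity records: Shadow IT discovery against a sanctioned-app list, and a simple UBA-style rule that flags the Salesforce-export-then-Box-upload pattern described above. The log lines, app names and the `SANCTIONED` set are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample of CASB-style cloud activity records (not real data).
# Format: timestamp,user,app,action,bytes
SAMPLE_LOG = """\
2024-05-01T09:02:11Z,alice,salesforce,view,12000
2024-05-01T09:10:43Z,alice,salesforce,export,48000
2024-05-01T09:15:02Z,bob,box,upload,30000
2024-05-01T09:20:19Z,alice,salesforce,export,52000
2024-05-01T10:05:00Z,carol,unknown-share-app,upload,20000000
2024-05-01T22:41:07Z,alice,salesforce,export,900000000
2024-05-01T22:45:33Z,alice,box,upload,880000000
"""

# Hypothetical list of apps IT and Security have approved.
SANCTIONED = {"salesforce", "box", "office365"}

@dataclass
class Event:
    ts: str
    user: str
    app: str
    action: str
    nbytes: int

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, app, action, nbytes = line.split(",")
        events.append(Event(ts, user, app, action, int(nbytes)))
    return events

def unsanctioned_apps(events):
    """Shadow IT discovery: apps seen in traffic that were never approved."""
    return sorted({e.app for e in events if e.app not in SANCTIONED})

def exfil_alerts(events, ratio=10.0, match=0.5):
    """UBA-style rule: an export/download far above the user's own median
    volume, followed by an upload of similar size to a different app."""
    ordered = sorted(events, key=lambda e: e.ts)  # ISO timestamps sort lexically
    pulls = defaultdict(list)
    for e in ordered:
        if e.action in ("export", "download"):
            pulls[e.user].append(e.nbytes)
    alerts = []
    for i, e in enumerate(ordered):
        if e.action not in ("export", "download"):
            continue
        if e.nbytes <= ratio * median(pulls[e.user]):  # median resists the spike itself
            continue
        for later in ordered[i + 1:]:
            if (later.user == e.user and later.action == "upload"
                    and later.app != e.app and later.nbytes >= match * e.nbytes):
                alerts.append((e.user, e.app, later.app, e.nbytes))
                break
    return alerts
```

Running both checks on the sample yields one unsanctioned app (carol’s file-sharing service) and one alert for alice moving a 900 MB Salesforce export into Box.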
Without the proper tools, many of you are likely playing it ultra-conservatively, blocking a lot of web traffic that turns out to be harmless. No harm in being cautious, though it doubtless will leave many employees upset since they cannot get to the websites they need to do their jobs.
More recently, though, new technologies have emerged that eliminate the need to make these “either-or” decisions.
For example, web isolation lets administrators send certain types of traffic down a path where the browser session is executed in a virtual isolation chamber, away from any endpoints, transmitting only safe rendering information to a user’s browser. That way you can still allow employee access to sites you otherwise might have blocked (and avoid further nastygrams). More importantly, though, you’re assured that no website winds up delivering Zero-Day malware to the organization.
What I’ve described in this blog involves a lot of capabilities that all need to work together well. That is why getting them in a fully integrated cloud platform makes perfect sense.
All of it - a full cloud network security stack including Secure Web Gateway proxy, Data Loss Prevention, Advanced Threat Prevention, CASB, and Web Isolation - envelops your data, apps and users with security wherever they go. Protection from advanced threats, compliance for sensitive information, and controls enabling secure and compliant cloud application use – all from a resilient, high performance global cloud service. This is what will secure you and your users going forward.
So – go ahead and go all in on the cloud. Just make sure you remember to do it for your security stack as well!