Cloud Security: The Next Frontier

Date: Thursday, September 05, 2013

Headquartered in Mountain View, California, Cirroscope is a provider of a security platform that monitors provisioned cloud applications. The company develops CirroShields, including BoxShield and SalesforceShield, to name a few.

As more and more businesses move petabytes of data to the cloud, security becomes an important conversation. With mounting pressures to go “all cloud”, IT organizations have a serious task ahead of them. This task involves providing an ever-increasing number of cloud-based applications to their employees while maintaining visibility and control across provisioned applications.

A few years back, all the data resided on-premise, making it relatively easy to govern and control. With the move to the cloud, understanding the data stored in these applications and who has access to it has become the million-dollar question. Although cloud applications spend significant resources securing their own infrastructure, they pay no attention to securing the weakest link: the end users of their systems. Most cloud applications have no security policy engine and do not deliver actionable security alerts.

Cloud applications make it very easy to share data outside the organization. On average, for a given business using SaaS-based file collaboration services, five percent of all their files and folders can be accessed through a public link by anyone on the Internet. Imagine if one of those files accidentally contained sensitive information or even proprietary source code. It could be devastating for the company.

Recently, a security company discovered more than 126 billion customer files stored in an online storage service that were publicly accessible. They analyzed 40,000 files and found that most of the analyzed files had confidential data ranging from customer credit card numbers to social security numbers. These kinds of accidental exposures are bound to increase as more and more businesses adopt the cloud.

Mobile adoption and trends like Bring Your Own Device (BYOD) simply increase the attack surface of this problem. Although there is a lot of focus on securing mobile devices, securing the cloud is equally important. Mobile is just another way to access the cloud.

The problem is further exacerbated by cloud-to-cloud integrations. Many cloud applications tie in with each other, and it becomes challenging to understand whether a private file on Salesforce is publicly accessible on Box. For IT organizations, understanding the effective state of their data across all cloud applications becomes crucial.

Furthermore, the cloud is a huge goldmine for targeted attackers. As more data makes its way to the cloud, infiltrating cloud-based accounts becomes a natural choice for attackers. Accounts that can be taken over via phishing emails or man-in-the-browser attacks become a big problem. Although mechanisms like two-factor authentication (2FA) help, we routinely see Trojans like Zeus and SpyEye bypassing 2FA.

Data being in the cloud also allows insider theft to happen more easily. Many users of a popular CRM application have lost all their sales leads to rogue salespeople who downloaded these leads and then quit the company on the very next day. Many CRM applications allow partners and customers to access their data, making data access governance a top priority.

Although some CRM applications allow data to be locked down based on role-based access control, maintaining data access and sharing rules can be an extremely complex task, almost always leaving data open to users who should not have access to it, even within the same organization.

Identifying what type of data is stored in these applications also becomes extremely vital. For example, a user may accidentally upload to the cloud files that violate regulations like HIPAA or contain credit card information. Some users may also unintentionally store sensitive material like private revenue projections or legal documents in a public folder. Such violations are a big barrier to widespread adoption of cloud applications.

Even though some cloud applications do encrypt files at rest, it is inconsequential if the file is shared with external collaborators or has a public link. There are solutions emerging that encrypt the files at the proxy layer or endpoint before the data is stored in the cloud. However, such solutions break many use cases for cloud applications, including sharing and third-party applications.

Additionally, most cloud applications have published web APIs and are promoting third-party application ecosystems on their platforms. Once installed, these third-party applications (such as DocuSign, CloudOn) gain full access to the company’s data. Very little attention is paid to the security controls of these third-party applications. For an attacker, it becomes the path of least resistance. In theory, since the third-party application’s infrastructure would be less ‘guarded’ than the cloud application’s, it becomes an easier target. Once the attacker successfully infiltrates the third-party application, they gain access to all the company data. The number of APIs is increasing, and malicious entities will exploit these APIs in order to gain access to enterprise data in the cloud.

Many emerging solutions are attempting to solve some of these problems. However, in security there are different use cases and no single solution caters to all. Theoretically, one can look at data from three distinct vantage points: the endpoint, the network or the cloud.

The endpoint and network solutions are more difficult to deploy and have a partial view of the data. For example, they do not have access to historical data and also cannot answer data access questions like who has access to what data. They are a single point of failure and, in addition, are really difficult to scale. To top it off, piecing together events on the wire is incredibly hard and prone to breaking.

For most companies, cloud security begins with knowing what data is stored in these applications, followed by understanding who has access to what data, and finally getting visibility into the activity of their users in these cloud applications.

The next few years are going to be extremely interesting as more organizations adopt the cloud. I expect the next generation of security problems to originate from the cloud!