Controlling cloud-based services is a tricky and sometimes prickly process between IT teams and business managers concerned about worker productivity, but revelations about the extent of surveillance activities conducted by the National Security Agency could shift the focus to mitigating risks, said Rajiv Gupta, founder and CEO of Skyhigh Networks.
Skyhigh Networks' analysis of cloud services used in more than 100 businesses found many of them already failing to block the riskiest services. The analysis was conducted recently on data from more than 3 million users spanning financial services, health-care, high-tech, manufacturing, media and services industries.
Cloud-based services should be audited for the security risks they pose to corporate resources and, once approved, companies can focus on how the data is secured, Gupta said. Data loss prevention, encryption and other security measures should be considered to prevent data from falling into the wrong hands, he said.
"The discourse has been about NSA, but there are a lot of bad actors out there that companies need to worry about," Gupta said.
Low-risk services are blocked 40 percent more than high-risk services, found Skyhigh Networks, Cupertino, Calif. IT teams block some of the most common services, such as Netflix, Foursquare, Apple iCloud, Gmail, Skype and Dropbox, but employees find alternatives that have fewer security controls in place, putting data at risk, Gupta said.
"Today blocking is based on productivity and bandwidth concerns, which should be yesterday's considerations," Gupta said. "They should be asking how a service is impacting security and privacy compliance because that's what should be more important. But the data shows that it is not; many firms are still operating on yesterday's norms."
For example, file storage and sharing service Box is being blocked 35 percent of the time, yet the service is one of the lowest-risk file sharing services available to employees, Gupta said. Meanwhile, riskier file sharing sites, which may not be widely known, are often widely available to employees.
When it comes to file sharing, 19 file sharing cloud services are used by an organization on average, Gupta said. If organizations standardized on one or two, security risks would decline and collaboration and productivity would increase, not decrease, he said.
The NSA's domestic surveillance and encryption cracking practices have shaken some cloud services providers, which fear the news could have a negative impact on business. Some companies interviewed by CRN are reaching out to address customer concerns about data protection and other measures used to protect account credentials and the data stored.
Many companies are unaware of the Web-based services used within their organization and of the best practices that should be followed to protect sensitive data, said Patricia Wright, vice president of consulting services at Chicago-based security consultancy Neohapsis.
Some organizations are still struggling to figure out how to create policies and procedures when it comes to using cloud-based services and then enforcing them, Wright said.
"Some organizations tell us they're thinking about the cloud but in many cases the decision is out of their control and a business unit has already decided to use [another] service," she said. "Typically, we always recommend to the client to classify their data appropriately and apply appropriate risk and asset rules."
Companies seeking engagements range from those with an immature understanding of the cloud to ones that already have moved their entire IT infrastructure or service components over to the cloud and are now concerned about better securing it, Wright said. Businesses need help securing single SaaS-based applications all the way to full-on infrastructure projects where additional security is needed.
High-profile data breaches at LinkedIn, Evernote and other social networking and smaller file sharing services have highlighted the slow pace those firms have taken to bolster security internally, said Carson Sweet, CEO and co-founder of CloudPassage, San Francisco. Those companies have since rolled out two-factor authentication and taken some internal measures to bolster security, Sweet said.
Facebook, Twitter and others, meanwhile, have mixed IT security response team activity with automated fraud monitoring systems, he said.
"Some services have a sense that users don't care, but many of them reuse the same password for multiple accounts and some of those credentials are very likely connected to business resources," Sweet said.
Revelations about the NSA surveillance program will not cause businesses to turn away from cloud services because they have become a fundamental part of employee workflow, said Justin Kallhoff, CEO of Lincoln, Neb.-based channel provider Infogressive. Employee productivity would suffer if there were a pull-back, Kallhoff said.
"The NSA news has done a great thing in getting people to pay more attention to security and how they use and store sensitive data," Kallhoff said.
PUBLISHED SEPT. 30, 2013