eBook:

The Definitive Guide to

CLOUD SECURITY
The Definitive Guide to Cloud Security

Brought to you by
Brought to you by

Table of Contents
Chapter 1: Introduction Cloud Adoption and Risk Today

Page 1

Chapter 2: Cloud Visibility

Page 4

Chapter 3: Cloud Compliance

Page 7

Chapter 4: Cloud Threat Prevention

Page 11

Chapter 5: Cloud Data Security

Page 16

Chapter 6: Shadow IT

Page 21

Chapter 7: CRM

Page 25

Chapter 8: File-Sharing and Collaboration

Page 28

Chapter 9: What is a CASB?

Page 33

Chapter 10: Quantifying the Value of a Cloud Access Security Broker

Page 36

Chapter 11: Conclusion - Parting Guidance on Evaluating CASB Vendors

Page 39

CHAPTER 1

Introduction Cloud Adoption and Risk Today

KEY STAT: 60% OF CIOS ARE MAKING THE CLOUD THEIR #1 PRIORITY THIS YEAR

The cloud (SaaS, PaaS, and IaaS) is transforming business for the better, making
employees more productive and businesses more agile. As the cloud market
matures, analysts and market researchers are discovering hard data supporting
the benefits of the cloud for enterprises. The latest numbers from Vanson Bourne
Research show that the cloud is providing organizations with a 21% reduction in
product time to market, a 17% reduction in IT maintenance costs, a 15% reduction
in IT spend, and an 18% increase in employee productivity.1 With these types of
metrics in hand, its no surprise that 60% of CIOs state that the cloud is their #1
priority this year.2
However, this enthusiasm for cloud adoption is tempered by security, compliance,
and governance concerns. Analyst firm IDC shows that security and privacy
remain the top inhibitors of cloud adoption.3 Given the seemingly endless supply
of headlines on data breaches, its understandable, if not expected, that security
of data in the cloud is now a board-level concern for 61% of organizations,
according to a recent study by the Cloud Security Alliance (CSA).

http://venturebeat.com/2012/08/07/google-cfo-cloud-study/

http://www.businessinsider.com/infographic-its-not-easy-to-be-a-cio-2012-2#!HqX9i

http://www.opendatacenteralliance.org/docs/1264.pdf

PAGE 1

| CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY

The phenomenon of employees self-enabled cloud services (those procured and

managed outside of ITs purview), often referred to as Shadow IT, complicates
the situation for IT and IT Security teams. Even if organizations are taking a
deliberate approach to cloud and adopting cloud services strategically while
implementing the required security, compliance, and governance controls around
them, employees are likely not acting with the same consideration when they sign
up for new cloud services on their own. In fact, with up to 90% of cloud activity
driven by individuals and small teams, the average company now uses 897 cloud
services, up 43% over the last year.4

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

4

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014.

PAGE 2

| CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY

60% of CIOs state

that the cloud is
their #1 priority
this year.
Vanson Bourne Research

With cloud adoption at an all-time high and damaging headlines catalyzing

conversations around data security, enterprise IT is looking for ways to partner with
the business to manage the move to the cloud. Increasingly, these enterprises are
turning to analyst and industry thought leaders to help them navigate this new
and evolving security landscape.
Neil MacDonald, Craig Lawson, Peter Firstbrook, and Sid Deshpande of Gartner
have been particularly adept in providing the market with a usable framework
for managing cloud security. Their framework organizes around four pillars of
functionality: Visibility, Compliance, Threat Prevention, and Data Security. In this
eBook, we will dive into the details of each pillar, providing relevant and related
data points for consideration, and describe how forward-leaning IT teams are
managing cloud security using this framework.

PAGE 3

| CHAPTER 1 | INTRODUCTION CLOUD ADOPTION AND RISK TODAY

In 2015, roughly
10% of overall IT
security enterprise
capabilities will
be delivered as a
cloud service.
Gartner

CHAPTER 2

Cloud Visibility
KEY STAT: 72% OF COMPANIES DONT KNOW THE SCOPE OF
SHADOW IT AT THEIR ORGANIZATION BUT WANT TO KNOW

Cloud services are incredibly easy to adopt, with most requiring only an email or a
credit card to sign up. The result is that individual users and business units often
begin using cloud services without any involvement from IT. The benefit is that
users and business units are able to readily and rapidly adopt services that drive
productivity and agility for the business. The downside is that IT often has little to
no visibility into the full scope of IT services employees are using. Without visibility,
it becomes very difficult for IT to manage both cost expenditure and risk in the cloud.
With regards to visibility, Gartner says that enterprises must protect their sensitive
data for various commercial and legal reasons. Regardless of whether the cloud
services in use are shadow IT or sanctioned IT, businesses need visibility into which
services employees are using, what data is stored in them and shared from them,
any anomalies in usage behavior that indicate a compromised account, and who is
using each service and from which devices and geographies.
Enterprises must also ensure that they dont cross a perceived ethical of legal
privacy boundary when monitoring the use of cloud services. For example, the
same methods that can be used to monitor sanctioned cloud services, could also
be used to monitor personal Facebook or Instagram accounts. Requirements for
privacy may vary greatly in different verticals and geographies.

PAGE 4

| CHAPTER 2 | CLOUD VISIBILITY

Enterprises must also integrate their cloud visibility into existing systems, such
as Security Information and Event Management (SIEM) products for continuous
monitoring and event management.5
The average employee uses 27 different cloud services at work6, including six
collaboration services, four social media services, and three file-sharing services.
Many of the services used in the office are consumer grade services and
security is not a given, so understanding which services employees are using,
what type of data is uploaded and shared through the services, and what
security capabilities the services have is a must.

30% of IT
Security teams
list concerns over
compromised
accounts and
insider threats as
a top challenge
holding back
cloud projects.
Cloud Security Alliance

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

5

Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 5

| CHAPTER 2 | CLOUD VISIBILITY

KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD VISIBILITY:

Which services are employees and business units using

overall and in each category (e.g. file sharing, social
media, collaboration)?

Which services house sensitive or confidential

data today?

Which services are gaining in popularity and should

be evaluated for enterprise-wide adoption?

What are the security capabilities of the services storing

sensitive data?

What is the risk level of each service in use?

Which data is available to external collaborators outside

of the company?

How effective are my firewalls and proxies at identifying

cloud services and enforcing acceptable cloud use policies?

Which redundant services are employees using,

and are they introducing additional cost and risk or
inhibiting collaboration?

How do I quantify the risk from the use of cloud services

and compare it to peers in my industry?

PAGE 6

| CHAPTER 2 | CLOUD VISIBILITY

10

11

12

Which partners cloud services are employees accessing,

and whats the risk of these partners?

Which external collaborators are granted access to our

companys services?

How do I track and log all user and admin actions for
compliance and investigations?

CHAPTER 3

Cloud Compliance
KEY STAT: 37% OF EMPLOYEES UPLOADED AT LEAST ONE FILE TO A FILE-SHARING
CLOUD SERVICE THAT CONTAINED SENSITIVE OR CONFIDENTIAL DATA LAST QUARTER
Todays enterprises have deployed cloud services to support CRM, ERP, HR,
Collaboration, and Backup operations. Applications like Salesforce, ServiceNow,
Workday, Box, and Office 365, support mission-critical business functions, and because
of this they often house sensitive or confidential information, such as customer data,
financial data, employee data, IP, or security infrastructure data. Locating this type of
data in the cloud is not a rare event; in fact, it is now commonplace.
For example, 22% of files uploaded to file-sharing services contain sensitive or
confidential data, including: PII (personally identifiable information) such as social
security number, date of birth, or address; payment information, such as credit card
numbers or bank account numbers; and PHI (protected health information) such as
medical record number or health plan beneficiary number.
Furthermore, 37% of employees uploaded at least one file to a file-sharing cloud
service that contained sensitive or confidential data over the course of a business
quarter.7 In order to drive compliance, IT leaders are looking for ways to identify
enterprise-ready cloud services that support various use cases, locate where
sensitive data is housed, audit how sensitive data is handled, and protect sensitive
data from loss. With regards to compliance, Gartner says that compliance will
always be a core security deliverable.
7

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 7

| CHAPTER 3 | CLOUD COMPLIANCE

Compliance
will always be
a core security
deliverable.
Gartner

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

They indicate that, with regards to SaaS applications, compliance-supporting

activities should cover:

Answering the who, what, when, why,

and where questions with provable data
for various compliance regimes.

Enabling integration within the enterprise

by supporting log generation that can be
used with existing SIEMs.

Providing assistance with out-of-the-box

compliance reporting for major
compliance standards.

Auditing user behavior across cloud

applications, regardless of the device (e.g.
PC or mobile) or method of access (e.g.
browser or mobile app).

Guiding the organization to specific

cloud services that satisfy both functional
requirements of the users and the
compliance and risk requirements of the
business. This is especially important given
the thousands of options available in the
cloud today.8

Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

PAGE 8

| CHAPTER 3 | CLOUD COMPLIANCE

As Gartner references, there are over 10,000 cloud applications today, all with
varying degrees of security, compliance, and governance capabilities. Despite this
diversity of offerings, companies across industries must ensure compliance with
PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and other regulations.
In order to do so they must ensure the protection of various types of personal
information, including:

Name

Bank account numbers

Address

Professional certificate or license number

Birthdate

License plate number

Telephone or fax number

URLs or IP address

Email address

Finger and voice prints

Social security number

Full face photographs

Medical record number

Any unique identifying number

Health plan number

While the cloud provider is responsible for the security of their product, compliance
is based on a shared responsibility model, whereby the enterprise using the cloud
service must also take measures to maintain the privacy of employee and
customer data. Within the enterprise, users, IT/Security, and Audit/Compliance all
share responsibility for compliance.

PAGE 9

| CHAPTER 3 | CLOUD COMPLIANCE

80% or cloud
governance
committees
include IT
Security.

Cloud Security Alliance

KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD COMPLIANCE:

Which applications house sensitive data subject to

regulatory compliance?

Which administrators have behavioral anomalies that

indicate excessive privilege access?

What are the security capabilities of the services

housing sensitive data?

When is sensitive data uploaded to the cloud, and what

action should be taken (allow, block, quarantine, encrypt)?

What are the legal terms of the services housing

sensitive data?

How do we leverage previous resource investments and

extend existing on-premise data loss prevention policies
to the cloud?

Which employees are accessing sensitive data,

and how are they using or sharing it?

How do we implement a closed workflow to review,

remediate compliance violations, and educate violators?

Which employees are uploading sensitive data to

high-risk services?

10

Is sensitive data kept in a specific country or region to

comply with international data residency requirements?

PAGE 10

| CHAPTER 3 | CLOUD COMPLIANCE

CHAPTER 4

Cloud Threat Prevention

KEY STAT: 17% OF COMPANIES REPORTED AN INSIDER THREAT LAST YEAR,
BUT 85% OF COMPANIES EXPERIENCED ONE

Cloud services, like on-premise systems, can be the target of attacks aimed at
stealing corporate data or damaging the business. Attacks typically leverage the
cloud in one of two ways: they use cloud services as sources of sensitive data to
steal, or they use cloud services to exfiltrate stolen data.
Some enterprise-ready cloud services have security capabilities that exceed
those of the enterprise data center, but that does not necessarily protect them
from insider threats or compromised identities. In fact, compromised identities
and insider threat are the two main drivers of the first threat vector (cloud
services as the source of data to steal), and they are far more common than
most IT professionals realize.

PAGE 11

| CHAPTER 4 | CLOUD THREAT PREVENTION

According to the Cloud Security Alliance, 17% of companies reported an

insider threat last year, but in fact 85% of companies experienced one.9 This
discrepancy exists because so many attacks go under the radar today.
Further, 92% of companies have at least one corporate cloud service login
credential available for sale on the darknet today.10

30% of IT
Security teams
list concerns over
compromised
accounts and
insider threats as
a top challenge
holding back
cloud projects.
Cloud Security Alliance

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

9

Skyhigh Networks Cloud Adoption and Risk Report: Q3 2014

10

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 12

| CHAPTER 4 | CLOUD THREAT PREVENTION

In order to prevent against insider threats, organizations can employ machine

learning to identify anomalous behavior that indicates a threat in progress.
Triggers are often large or repeated downloads of sensitive data or excessive
privileged user access. Insider threats could be aimed at stealing enterprise data
from the cloud, such as IP from a file sharing service or security infrastructure from
an IT management service, but the most common insider threat seems to be the
theft of customer sales data from CRM services, perpetrated by sales reps or sales
operations managers who plan to leave the company. Additionally, malware
attacks are also now targeting cloud services. Last years much publicized Dyre
malware would monitor browser activity to steal credentials for cloud services that
housed valuable corporate data.
Attackers also increasingly look upon cloud services as a clever way to exfiltrate
data under the radar. With the average company using almost 900 cloud services
today and IT often not having visibility into their usage, attackers know that
unmanaged cloud services can be a fertile territory for malicious behavior and
frequently use popular and seemingly harmless services to execute their operations.
For example, malware employed by a foreign national government recently used
YouTube to exfiltrate stolen intellectual property. The attackers created VAR
segments, inserted the stolen data into mpg4 files, and then uploaded them onto
YouTube. The videos would play within YouTube, but once downloaded the VAR
segments could be unpacked providing the attackers with the stolen data. In
another startling example, malware leveraged a Twitter account to exfiltrate
stolen data, 140 characters at a time, over a sequence of 86,000 tweets. While
these attacks are almost amusingly clever, they serve as a serious reminder that
threat prevention must be a core focus of any cloud security project.

PAGE 13

| CHAPTER 4 | CLOUD THREAT PREVENTION

31% of companies
are not sure if
they experienced
an insider threat
incident last year.
Cloud Security Alliance

With regards to threat detection, Gartner says that, in on-premise applications

that were protected by network/host security and access management, Security
could control all application access from authorized users from defined locations
while also inspecting for malicious content, regardless of the network channel or
protocol. However, in todays Internet Age, with billions of users accessing the
Internet via browsers, enterprise cloud applications are now accessible to anyone
with an internet connection. Because of this fundamental change, new controls are
required in order to protect enterprise data. Particularly, new controls are needed
for cloud service to manage events such as:

Access from known suspicious countries,

locations, devices, locations, or unusual
access times or data volumes.

Access from compromised cloud

service accounts.

Access from canceled accounts or from

accounts that have remained idle for
excessive periods of time.

11

Access directly to cloud services that

bypasses security controls.

Access via outdated operating systems or

browsers that are no longer supported and
are thus more vulnerable to attacks.11

Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

PAGE 14

| CHAPTER 4 | CLOUD THREAT PREVENTION

Malware
leveraged Twitter
to exfiltrate
stolen data,
140 characters
at a time, over
a sequence of
86,000 tweets.

KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD THREAT DETECTION:

What does normal behavior for any given service

look like?

Which cloud services have behavioral anomalies

that indicate insider threat?

How does a users role affect their normal cloud service

usage patterns?

Which cloud services have behavioral anomalies that

indicate malware at work?

How do I monitor and baseline usage across the

enterprise for both local and remote employees?

Which users are accessing large volumes of

sensitive data?

Which administrators are accessing large volumes

of sensitive data?

PAGE 15

| CHAPTER 4 | CLOUD THREAT PREVENTION

Which cloud services have behavioral anomalies that

indicate an account is compromised?

Which cloud services in use are rated as high-risk and

have an anonymous use policy?

CHAPTER 5

Cloud Data Security

KEY STAT: ONLY 17% OF CLOUD SERVICES PROVIDE MULTI-FACTOR AUTHENTICATION,
ONLY 5% ARE ISO 27001 CERTIFIED, AND ONLY 11% ENCRYPT DATA AT REST.

As many a CIO and CISO will tell you - IT Security, today, is all about protecting
data, not data centers and this is largely product of cloud. When considering
data security, it can be helpful to examine both the security of the service the
data lives in and the security of the devices that have access to the data.
Some cloud services have security capabilities that far exceed most corporate
data centers. However, with over 10,000 cloud services available today, there is a
large variation in the security capabilities offered. The good news is that an
increasing number of cloud services are investing in security, but a larger number
still do not offer even basic security features. Only 17% of cloud services provide
multi-factor authentication, only 5% are ISO 27001 certified and only 11% encrypt
data at rest. For this reason, it is important to look at the risk of services
individually and enable risk-based policies on acceptable usage.12
In services with high levels of built-in security, users and their devices can often
be the weakest link. Users frequently lose devices or leave them in insecure
locations and are prone to lose passwords as well. 12% of employees have at
least one corporate identity (username and password) for a cloud service that
has been compromised for sale on the darknet (online black markets) today.13
12, 13

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 16

| CHAPTER 5 | CLOUD DATA SECURITY

A study by Joseph Bonneau at the University of Cambridge showed that 31% of

passwords are re-used in multiple places. The implication here is that, for 31% of
compromised identities, an attacker could not only gain access to all the data in
that cloud service, but potentially all the data in the other cloud services in use by
that person as well. Considering that the average person uses three different cloud
file-sharing services, and 37% of users upload sensitive data to cloud file-sharing
services, the impact of one compromised account can be immense.

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 17

| CHAPTER 5 | CLOUD DATA SECURITY

Enterprises can improve the security of their data by employing access control
policies for cloud services that take into account the context of the user, data,
device, and location. For example, an executive may be able to view and
download important financial data to her laptop when in the office, but may be
restricted to viewing only when on her mobile device in a foreign country.
Additionally, enterprises can take extra steps to ensure the security of their data
by employing encryption and tokenization and controlling their own keys.
Encryption can be tricky, and several considerations must be made when
evaluating encryption options.
First, enterprises must avoid proprietary algorithms in favor of encryption
algorithms that are both peer- and academia-reviewed to ensure that they are up
to modern cryptographic standards.
Second, enterprises must also verify that the algorithms used can support the
required functionality of their application since there is a trade-off between the
security of an algorithms and the functionality that it can support. To better
understand the specific tradeoffs, read The Cloud Encryption Handbook:
Encryption Schemes and Their Relative Strengths and Weaknesses. Finally, to
maximize data security, enterprises must own their own encryption keys. By taking
ownership of their keys, they prevent a malicious insider at a cloud service or an
inquiring government agency from gaining access to their data.

PAGE 18

| CHAPTER 5 | CLOUD DATA SECURITY

Enterprises must
avoid proprietary
algorithms
in favor of
encryption
algorithms that
are both peerand academiareviewed to
ensure that they
are up to modern
cryptographic
standards.

With regards to data security, Gartner says that data is mission-critical to the
enterprise and that securing that data is the primary goal of any IT Security
organization. Therefore, if the enterprise is moving its data into cloud services,
IT Security must:

Ensure that sensitive data is encrypted

using known good algorithms or tokenized
before entering the cloud service via a
configurable data security policy.
Ensure that robust authentication
procedures are defined and enforced,
including central credential store usage,
certificates, and multi-factor authentication.

Support encryption key management via a

hardware security module (HSM).

Ensure that only the authorized users and

groups have access to enterprise data.

14

Prevent data from being lost within cloud

services when the owner is de-provisioned.

Ensure functionality within cloud services is

maintained when data within those services
is encrypted or tokenized so that the value
of the services can be fully realized.

Ensure that data loss prevention and

e-discovery are available for cloud
services, just as they are for on-premise
systems today.14

Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

PAGE 19

| CHAPTER 5 | CLOUD DATA SECURITY

73% of IT Security
teams list security
of their data in
the cloud as a top
challenge holding
back cloud
projects.
Cloud Security Alliance

KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER

RELATED TO CLOUD DATA SECURITY:

Which cloud services encrypt data at rest and provide

multi-factor authentication?

How do we encrypt data while maintaining required

functionality within cloud services?

What are the compliance certifications of the services

employees are using?

How do we encrypt data while controlling our own

encryption keys?

Which of our cloud services undergo regular

penetration testing?

How do we employ tokenization to ensure data

privacy in addition to security?

Which of our cloud services has been compromised

in the last week, month, year?

How do we enforce access policies based on user,

device, and location?

Which data should be encrypted in which

cloud services?

PAGE 20

| CHAPTER 5 | CLOUD DATA SECURITY

CHAPTER 6

Shadow IT
KEY STAT: THE AVERAGE EMPLOYEE USES 27 DIFFERENT CLOUD SERVICES.
ON AVERAGE, IT IS AWARE OF 3 OF THEM.
Shadow IT refers to information technology that is managed outside of, and
without the knowledge of, the IT department. At one time Shadow IT was limited
to unapproved Excel macros and boxes of software employees purchased at office
supply stores. It has grown exponentially in recent years, with advisory firm CEB
estimating that 40% of all IT spending at a company occurs outside the IT department.15
This rapid growth is partly driven by the quality of consumer applications in
the cloud such as file-sharing apps, social media platforms, and collaboration
tools, but its also increasingly driven by lines of business deploying enterpriseclass SaaS applications. In many ways Shadow IT is helping to make
businesses more competitive and employees more productive.
When employees and departments deploy SaaS applications, it can also reduce
the burden on IT help desks to take calls. However, while IT is no longer
responsible for the physical infrastructure or even managing the application, its still
responsible for ensuring security and compliance for the corporate data employees
upload to cloud services. Instead of seeing Shadow IT as a threat, Ralph Loura,
CIO of HP Enterprise, sees it as an opportunity to leverage employees to identify
the applications they want to use so IT can enable the ones that have gained
traction and are enterprise-ready.
15

http://www.forbes.com/sites/tomgroenfeldt/2013/12/02/40-percent-of-it-spending-is-outside-cio-control/

PAGE 21

| CHAPTER 6 | SHADOW IT

According to Loura, We embrace the idea of this shallow exploration of new

technologies, new tools, and new processes by our users. To the degree that they
discover these applications or services that make their jobs easier, make them
more efficient at selling or better at running a supply chain or better at sourcing
talent, then everybody wins. Promoting low-risk services that have reached a
tipping point starts with understanding what cloud services employees use, how
they use them, and their associated risk.

We embrace
the idea of
this shallow
exploration of
new technologies,
new tools, and
new processes
by our users.
Ralph Loura,
CIO, Enterprise Group,
HP

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 22

| CHAPTER 6 | SHADOW IT

When IT examines the use of cloud services across the organization, they
generally find Shadow IT is 10 times more prevalent than they initially assumed,
with the average organization today using 897 different cloud services.16 Often IT
departments discover many services in use that they have never heard of before.
After auditing the risk of each service and its security controls, IT teams can make
informed choices about what services to promote or enable. This is more than
just an exercise in risk management. The average company uses nearly 30
different file-sharing services, and using this many different services can impede
collaboration between employees. Standardizing on enterprise licenses for 2-3
services not only improves collaboration, but also reduces cost. Below are key
questions related to shadow IT that IT Security should be able to answer:

VISIBILITY

THREAT DETECTION

Which users and business units are using

which cloud services, and what is the risk
of each of the services in use?

Are there behavioral anomalies that

indicate an insider threat?

How effective are my firewalls and proxies

at enforcing my cloud security policies?

Are there behavioral anomalies that

indicate a security breach from malware
or a compromised identity?

COMPLIANCE

DATA SECURITY

Where is sensitive data being stored

today, and what certifications do services
storing sensitive data have?

Which data in which services can users

access from various devices?

Which data loss prevention policies for

which services do I need to implement
to ensure compliance with industry
regulations moving forward?

Do I need to encrypt or tokenize

data to protect confidential or
sensitive information?

16

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 23

| CHAPTER 6 | SHADOW IT

Last quarter, the

average company
uploaded 86.5 GB
to high-risk cloud
services.
Q2 Cloud Adoption
and Risk Report

19 KEY REQUIREMENTS FOR ENABLING SECURE SHADOW IT USAGE:

Log-based visibility into all users, services (SaaS, PaaS,

IaaS), and data transfers

11

Ability to leverage policies from on-premise DLP

systems and extend them to cloud services

On-premise tokenization of log data for security

and privacy

12

Ability to quantify cloud risk, compare it to benchmarks

from peers in the industry, and track it over time

Comprehensive cloud registry covering a minimum

of 10,000 cloud services

13

Anomaly detection across all services to identify

insider threats or security breaches

Detailed risk assessments provided for all cloud

services

14

Ability to identify unmatched uploads for further

investigations

Usage analytics to identify redundant services and popular

and growing services primed for enterprise adoption

15

Integration with SIEMs for incident response remediation

Ability to audit the effectiveness of firewall and proxies

at enforcing policies

16

Darknet intelligence to identify stolen credentials

of employees

Closed-loop remediation with firewalls and proxies

17

User reputation analysis based on correlated activities

across cloud services

Ability to coach employees using integration with

firewalls and proxies

18

Function-preserving encryption for data security

Customizable reporting with automatic periodic

reporting capabilities

19

Frictionless deployment that doesnt impact end users

10

Vertical-specific, pre-built DLP policy templates

PAGE 24

| CHAPTER 6 | SHADOW IT

CHAPTER 7

CRM

KEY STAT: 4% OF FIELDS IN CRM APPLICATIONS CONTAIN SENSITIVE OR CONFIDENTIAL

FINANCIAL DATA, PII, OR PHI
Customer Relationship Management (CRM) platforms, such as Salesforce, provide
business-critical functionality for Sales, Sales Operations, Customer Service, and
Marketing. In order to support these business units, CRM services frequently contain
sensitive or confidential customer information including PII, financial data, or PHI.
While popular CRM platforms such as Salesforce have industry-leading security
capabilities, organizations must ensure that their valuable data is protected and
that the use of their CRM service is in compliance with industry regulations such as
PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.

PAGE 25

| CHAPTER 7 | CRM

Enterprises must not rely solely on the security capabilities of the CRM service
itself, as users may not always be using cloud products in ways that meet your
security, compliance, and governance requirements. For example, users may
be storing sensitive data such as payment card data and protected health
data in Salesforce as part of their normal workflow outside of policy, putting
the organization at risk of compliance violations. Or, consider the example of a
salesperson that downloads all the companys opportunities before leaving to join
a competitor. Below are key questions related to CRM services that IT Security
should be able to answer:

VISIBILITY

THREAT DETECTION

How many instances of Salesforce, or

other CRM applications, are we running?

Which users and groups are using

which products, and where is sensitive
data stored?

Are there behavior anomalies, such as a

salesperson downloading more data than
usual, that indicate an insider threat?

Are there behavioral anomalies, such as

a salesperson logging in from Boston
and Bangkok within the same hour, that
indicate a compromised identity?

COMPLIANCE

DATA SECURITY

Which devices and geographies are

employees accessing CRM services from?

How can I encrypt or tokenize data while

maintaining important functionalities like
search, sort and order?

Which types of sensitive data are

uploaded into our CRM service in
customer fields or comments sections
and where is it being stored?
Are we in compliance with PCI DSS,
HIPAA, HITECH, GLBA, SOX, CIPA, FISMA,
FERPA, and international data residency
requirements?

PAGE 26

| CHAPTER 7 | CRM

CRM is expected
to grow to a $36.5
billion market
worldwide within
the next three
years.
Gartner

17 KEY REQUIREMENTS FOR ENABLING SECURE AND

COMPLIANT CRM USAGE:

Usage analytics across all CRM services for both

individuals and business units

10

Academia- and peer-reviewed encryption schemes

Ability to substitute sensitive data with randomly

generated tokens (tokenization) to keep data
on-premise and satisfy data residency requirements

Ability to identify redundant CRM services and coach

users over to standardized services

11

Ability to identify all third-party applications accessing

CRM services and their data

12

Ability to manage encryption keys via integration with

key management servers supporting the KMIP protocol

Detailed activity monitoring of all user, admin, and thirdparty application activities including uploads, downloads,
views, edits, and deletes

13

Behavioral modeling of normal user and admin activity

within the CRM services

Ability to identify sensitive data subject to compliance

requirements or security policies

14

Ability to leverage behavioral models and machine

learning to identify usage anomalies indicative of
compromised accounts or insider threat

Ability to enforce DLP policies and support several

actions, including alerting and blocking

15

Integration with SIEMs for incident response remediation

Ability to extend existing on-premise DLP policies from

on-premise systems and provide integration and closedloop remediation

16

Integration with SAML v2 compatible single

sign-on services

Ability to encrypt structured and unstructured data with

standards-based AES or function-preserving encryption
using enterprise-owned encryption keys

17

Ability to deploy in the cloud, on-premise as a

virtual appliance, or in a hybrid architecture

Ability to apply encryption while preserving enduser functions such as search, sort, and format

PAGE 27

| CHAPTER 7 | CRM

CHAPTER 8

File-Sharing and Collaboration

KEY STAT: 22% OF FILES UPLOADED TO FILE-SHARING CLOUD SERVICES CONTAIN
SENSITIVE OR CONFIDENTIAL DATA, INCLUDING PII, PAYMENT INFORMATION, OR PHI
File-sharing and collaboration services like 0ffice 365, Box, Dropbox, Google Drive,
and Jive are incredibly popular. The average company uses 27 file-sharing
services and 45 collaboration services today, which may actually impede
collaboration.17 The security controls of file-sharing and collaboration services can
vary widely, so organizations must also evaluate the services to understand the
risk they present to the organization. Some services claim ownership of your data,
dont encrypt data at rest, or permit anonymous use, making them unsuited for
enterprise use.

17

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 28

| CHAPTER 8 | FILE-SHARING AND COLLABORATION

The average
company uses
27 different filesharing services,
inhibiting
collaboration and
creating risk.
Q4 2014 Cloud Adoption
and Risk Report

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

In addition to the security risk, companies must evaluate the compliance risk
as well. 22% of files uploaded to file-sharing cloud service contain sensitive or
confidential data, including: PII (personally identifiable information) such as social
security number, date of birth, or address; payment information, such as credit card
numbers or bank account numbers; or PHI (protected health information) such
as medical record number or health plan beneficiary number. Organizations must
ensure that their valuable data is protected and that the use of file-sharing and
collaboration services is in compliance with industry regulations such as PCI DSS,
HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.

PAGE 29

| CHAPTER 8 | FILE-SHARING AND COLLABORATION

Additionally, many cloud services offer more than just file syncing across devices;
theyre platforms for collaborating with other people. No matter how secure a
cloud provider is, end users can always use their service in risky ways. Naturally,
users share files with other people at their companies, but files are also frequently
shared via public links, which can be accessed by anyone without restriction.

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 30

| CHAPTER 8 | FILE-SHARING AND COLLABORATION

Files are
frequently shared
via public links,
which can be
accessed by
anyone without
restriction.

In fact, 11% of all documents shared via file-sharing services were shared outside the
company. The majority of these external collaborators turned out to be business
partners, but 18% of external collaboration requests went to third party email
addresses such as Gmail, Hotmail, and Yahoo! Mail.18 Organizations must ensure
that their governance policies, dictating who has access to services and their data,
are enforced. Below are key questions related to file-sharing and collaboration
that IT Security should be able to answer:

VISIBILITY

THREAT DETECTION

How many file-sharing and collaboration

services are we using, and what is the
risk of each?
Which types of sensitive data are
uploaded into our file-sharing and
collaborations services and where is
it being stored?

Are there behavioral anomalies,

such as excessive downloads of
confidential information, that indicate
an insider threat?
Are there behavioral anomalies, such
as repeated logins from an unusual
geography, that indicate a
compromised identity?

COMPLIANCE

DATA SECURITY

Are we in compliance with PCI DSS,

HIPAA, HITECH, GLBA, SOX, CIPA,
FISMA, FERPA, and international data
residency requirements?

Which devices and geographies are

employees accessing file-sharing and
collaboration services from?

Which data loss prevention policies for

which services do I need to implement
to ensure compliance with industry
regulations moving forward?

How do we see what data is shared

publicly now, and how do we restrict
collaboration to verified business
email accounts?

Are our cloud DLP policies perfectly

aligned with the DLP policies we
enforce on-premise?

18

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014

PAGE 31

| CHAPTER 8 | FILE-SHARING AND COLLABORATION

18% of external
collaboration
requests went to
third party email
addresses such
as Gmail, Hotmail,
and Yahoo! Mail.
Q4 Cloud Adoption
and Risk Report

18 KEY REQUIREMENTS FOR ENABLING SECURE AND

COMPLIANT FILE-SHARING AND COLLABORATION USAGE:

Usage analytics across all file-sharing and collaboration

services for both individuals and business units

10

Ability to leverage behavioral models and machine

learning to identify usage anomalies indicative of
compromised accounts or insider threat

Ability to identify redundant file-sharing and

collaboration services and coach users over to
standardized low-risk services

Ability to identify all third party application accessing

file-sharing and collaboration services and their data

12

Ability to identify all externally shared data and view

sharing permission details

Detailed activity monitoring of all user, admin, and thirdparty application activities including uploads, downloads,
views, edits, and deletes

13

Ability to enforce external sharing policies based

on domain whitelist/blacklist and content

Ability to identify sensitive data subject to compliance

requirements or security policies

14

Ability to coach users on acceptable use when in violation

of security, compliance, and governance policies

Ability to enforce DLP policies and support several

actions, including alerting, blocking, tombstoning,
and quarantining.

15

Integration with SAML v2 compatible single

sign-on services

Out-of-the-box DLP templates for all major verticals

and regulations to help identify sensitive content.

16

Ability to encrypt data with peer- and academia-reviewed

encryption schemes

Ability to extend existing on-premise DLP policies

from on-premise systems and provide integration
and closed-loop remediation

17

Ability to manage encryption keys via integration with

key management servers supporting the KMIP protocol

Behavioral modeling of normal user and admin activity

within the file-sharing and collaboration services

18

Ability to deploy in the cloud, on-premise as a virtual

appliance, or in a hybrid architecture

PAGE 32

| CHAPTER 8 | FILE-SHARING AND COLLABORATION

11

Integration with SIEMS for incident response remediation

CHAPTER 9

What is a CASB?
KEY STAT: NINETY PERCENT OF SAAS ADOPTERS EXPECT SAAS TO CONSTITUTE MORE
THAN 50% OF THEIR SPENDING ON ENTERPRISE APPLICATIONS BY 2018, CREATING
SIGNIFICANT NEED FOR CASB PROVIDERS. (GARTNER)

With cloud adoption accelerating every year, enterprise IT is looking for ways to
partner with the business to enable secure utilization of the cloud. Increasingly,
these enterprises are turning to a new breed of technology, referred to by Gartner
as Cloud Access Security Brokers (CASB), in order to do this.
Gartner analysts Neil MacDonald and Peter Firstbrook first defined the Cloud
Access Security Broker category in May 2012 in their report, The Growing
Importance of Cloud Security Brokers." Other firms, such as Forrester, Securosis,
and 451 Research have defined similar categories, alternatively referring to the
technology as Cloud Security Gateways and Cloud Access Controllers. Since
then, Gartner has elevated the importance of CASB and now lists it as #1 in the
top ten technologies for information security.19

19

http://www.information-age.com/technology/security/123458169/gartners-top-10-security-technologies-2014

PAGE 33

| CHAPTER 9 | WHAT IS A CASB?

Cloud Access Security Brokers are on-premise or cloud-hosted software that

acts as a control point to secure cloud services. They generally offer a range of
capabilities including visibility, encryption, auditing, data loss prevention (DLP),
access control, and anomaly detection. While cloud providers individually offer
some of these capabilities, many organizations are looking for consistent policy
enforcement across cloud providers. Given the limited resources to operationalize
a new security process with existing resources, these capabilities should ideally be
delivered as part of a single solution, offering one control point.
In determining whether your organization needs a CASB, Gartner provides several
questions, shared below. If the answer to one or more of the questions is no,
Gartner recommends that your organization considers investing in a CASB.

Cloud access security brokers (CASBs) are on-premise or cloudbased security policy enforcement points, placed between cloud
service consumers and cloud service providers to combine and
interject enterprise security policies as the cloud-based resources
are accessed. CASBs consolidate multiple types of security policy
enforcement. Example security policies include authentication, single
sign-on, authorization, credential mapping, device profiling, encryption,
tokenization, logging, alerting, malware detection/prevention and so on.

Gartner

PAGE 34

| CHAPTER 9 | WHAT IS A CASB?

10 KEY QUESTIONS FROM GARTNER TO DETERMINE IF YOUR ORGANIZATION NEEDS

A CASB, FROM MIND THE SAAS SECURITY GAPS:

Can I identify all of the cloud services employees are

using and assess the risk of each service?

Which devices and locations are users accessing

cloud services from?

Can I identify which cloud services are housing sensitive

corporate data, and how much data is in each service?

Can I enforce contextual access policies to prevent

specific devices, geographies, or IP addresses from
accessing enterprise cloud services?

Can I identify which users are sharing data, what data

they are sharing, and with whom?

Can I proactively recommend enterprise-ready cloud

services to employees or business units in need of
specific capabilities or categories of cloud services?

Does the data being shared contain sensitive

information such as PII, PHI, or financial data?

Can I detect compromised cloud service accounts

and prevent malicious behavior?

Can I enforce encryption, tokenization, or redaction

to protect sensitive data?

10

Can I offer specific security capabilities such as

encryption or data loss prevention for cloud
services that dont have those capabilities built in?20

A common element of all Cloud Access Security Brokers is they interject security controls by brokering access to a cloud
service. This enables IT to securely enable the use of cloud services within their organizations without compromising
compliance or security. By bundling security functions with a single enforcement point, CASBs also reduce the complexity
of securing data in the cloud.
20

Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

PAGE 35

| CHAPTER 9 | WHAT IS A CASB?

CHAPTER 10

Quantifying the Value of a

Cloud Access Security Broker
KEY STAT: ORGANIZATIONS USING SKYHIGH TO MANAGE BOTH SHADOW IT AND
SANCTIONED IT SAVED AN AVERAGE OF $1.5M PER YEAR IN IT COSTS AND REDUCED
THE VOLUME OF DATA SENT TO HIGH-RISK SERVICES BY 97%
A Cloud Access Security Broker can provide value across two axes: cost savings
and risk reduction. Within cost saving there are six primary areas of cost
reduction:
1.

Reduction in manual efforts required to

analyze log data for cloud visibility

2.

Streamlined security assessments for

cloud services

3. Elimination of unapproved IaaS usage

PAGE 36

4. Subscription consolidation
5. Elimination of orphaned subscriptions
6. Accelerated response to breaches
and vulnerabilities

| CHAPTER 10 | QUANTIFYING THE VALUE OF A CLOUD ACCESS SECURITY BROKER

Below is a chart depicting the average hard-dollar cost savings across these six categories. Summing the savings, we see that
the average organization saved $1,514,251 annually by managing their shadow IT and sanctioned IT usage with Skyhigh, a
leading cloud access security broker.21

$530,001

Average Reported Savings in

Each Savings Category
$266,000
$186,250
$276,000
$219,200

Average expected cost savings

across ten customers, broken
down by savings category

Quantifying the value of a Cloud Access Security Broker

21

Quantifying the Value of a Cloud Access Security Broker. Skyhigh Networks. 2014

PAGE 37

| CHAPTER 10 | QUANTIFYING THE VALUE OF A CLOUD ACCESS SECURITY BROKER

$36,800

$1,514,251

In addition to cost savings, cloud access security brokers can also mitigate risk in
the enterprise. Risk mitigation from the use of a CASB is typically comprised by
the following four factors:
1.

Reduction in data lost due to the use

of high-risk services

3. Reduction in data lost due to insider threats

2.

Reduction in data lost due to

security breaches

4. Reduction in risk of a compliance violation

Below is a table quantifying some of the risk reduction metrics achieved by

companies that implemented Skyhigh to manage their cloud adoption and risk.
Summarizing the key findings, we see that organizations increased their use of
low-risk cloud services by 83%, decreased their use of high-risk services by 50%,
and decreased the volume of data sent to high-risk file-sharing services by 97%.
In total, organizations that managed their Shadow IT and Sanctioned IT with
Skyhighs CASB reduced their overall cloud risk score by 59%.22

Attribute

Before

After

Improvement

16%

8%

50%

31GB

6.7GB

79%

1.3

78%

16GB

.5GB

97%

Active Tracking Services

32

87.5%

Low-Risk Service %

12%

22%

83%

Enterprise CloudRisk Score

6.4

3.8

59%

High-Risk Service %
Monthly Data Sent to High-Risk Services
High-Risk File Sharing Services
Monthly Data Sent to High-Risk File Sharing Services

How 200 Organizations Flipped Shadow IT from Concern to Opportunity

22

How 200 Enterprises Flipped Shadow IT from Concern to Opportunity. Jim Reavis, Brandon Cook. 2014

PAGE 38

| CHAPTER 10 | QUANTIFYING THE VALUE OF A CLOUD ACCESS SECURITY BROKER

Organizations
using a CASB
decreased the
volume of data
sent to highrisk file-sharing
services by 97%.

CHAPTER 11

Conclusion - Parting Guidance

on Evaluating CASB Vendors

When evaluating different CASB vendors, there are several factors IT leaders
must consider. In addition to understanding whether the capabilities offered
match the business requirements, IT leaders must determine whether the
deployment model fits with their organization. For example, organization should
consider whether they want their CASB to be cloud-based or if they prefer to
manage all of the infrastructure and maintenance of an on-premise solution
themselves.
Additionally, organizations should consider whether they are looking for a
frictionless approach requiring no agents or if they would prefer a solution
that installs agents or PAC files on users work and personal devices. Finally,
organizations should consider whether the CASB vendor has supported other
companies in similar verticals and of similar size.
Many CASB vendors are emerging and have not yet deployed their solution at
scale. This may be acceptable to a smaller organization, but this is likely to be an
area of concern for a larger enterprise. To get started, Gartner offers a
framework for evaluating CASB vendors organized around the types of cloud
services the enterprise is aiming to enable. This framework is provided below for
your reference:

PAGE 39

| CHAPTER 11 | CONCLUSION - PARTING GUIDANCE ON EVALUATING CASB VENDORS

SHADOW IT:

Ask CASB vendors to generate a cloud visibility report with your data during
the proof-of-value process.

Analyze the categories and individual cloud services in use, and identify the risk
associated with the service and its usage.

Create a corporate policy about which cloud services to block orallow, and
then determine the depth of security controls and API integrations the CASB
vendor can enforce for your permitted cloud services.

Select only those CASB vendors whose solution fits with your company vision
on cloud and mobility.

EXISTING SANCTIONED IT SERVICES:

Analyze the redirection methods offered by various CASB vendors, and

determine if they align with your enterprises mobile device policy (i.e.
managed devices vs. bring your own device [BYOD]).

Evaluate only the CASB vendors that are the least disruptive to
your current environment.

Evaluate CASB vendors that can extend common security capabilities to

multiple cloud services from a single management console.

PAGE 40

| CHAPTER 11 | CONCLUSION - PARTING GUIDANCE ON EVALUATING CASB VENDORS

61% of enterprises
say that cloud
security is now
a board level
concern.
Cloud Security Alliance

NEW SANCTIONED IT SERVICES:

Include CASB and identity management products when budgeting for new
cloud services and account for them in enterprise architecture discussions

Evaluate your current infrastructure architecture program to identify spending

that could be re-directed to CASB for use with cloud services that are planned
or in use already. This is an architecture change that will be necessary if you
plan to move to cloud services in the future.23

23

Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

If you would like to get a FREE personalized assessment

of all cloud services in use by your employees, including:

All IaaS, PaaS, and SaaS cloud services in use

An objective rating of enterprise readiness for each service
Potential data leaks, security breaches, and non-compliance
Consolidation opportunities for unused licenses

Please email freeassessment@skyhighnetworks.com

PAGE 41

| CHAPTER 11 | CONCLUSION - PARTING GUIDANCE ON EVALUATING CASB VENDORS