The Razor's Edge: Enabling Cloud While Mitigating the Risk of a Cloud Data Breach
•Télécharger en tant que PPTX, PDF•
0 j'aime•1,840 vues
Shadow IT. It's not a new term and certainly not a new challenge. But with only blunt-force solutions like saying "no" or blocking cloud services at the firewall, IT has not been able to do much to address the challenge. This is all changing. Business and IT leaders alike see real value in cloud services and want to take a lean-forward approach to enabling them. The reality, though, is that cloud services are not without their risks, and the risk of a data breach increases when the cloud is involved. Hear from Netskope about the risks, economic impact, and multiplier effect of a cloud data breach, and how forward-looking organizations are walking the razor’s edge to mitigate these risks while enabling the cloud.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à The Razor's Edge: Enabling Cloud While Mitigating the Risk of a Cloud Data Breach
Similaire à The Razor's Edge: Enabling Cloud While Mitigating the Risk of a Cloud Data Breach (20)
Plus de Netskope
Plus de Netskope (14)
Dernier
Dernier (20)
The Razor's Edge: Enabling Cloud While Mitigating the Risk of a Cloud Data Breach
- 1. The Razor’s Edge: Enabling cloud while mitigating the risk of a cloud data breach
- 2. Cloud App Explosion 2 Driven by individual and line of business adoption of cloud and mobile. 2011 2016 $21.2B $92.8B SaaSRevenue Forrester
- 3. 3 There are 5,000 enterprise apps today (and growing).
- 4. People love their cloud apps, and for good reason Anywhere Access CollaborationProductivity 4
- 5. 5 But this means sleepless nights for IT But how bad is it?
- 6. 6
- 7. The following are contributors to the cloud multiplier effect 7 Cloud app adoption Mobile and consumerization Ease and speed of data sharing
- 8. 8 Increase use and increase probability If your organization had 100 cloud apps and added 25 more in a 12-month period, you would increase your probability (and expected economic impact) of a data breach by 75%
- 9. We looked at 2 data breach types 9 Loss or theft of 100,000 customer records Theft of high-value information
- 10. Baseline cost of a data breach 10 $20.1M $11.8M
- 11. Survey respondents said… 11.8% 25.4% probability of this happening in current environment
- 12. The probability adjusted estimated economic impact 11.8% of $20.1 = $2.37M 25.4% of $11.8 = $2.99M
- 13. Effects of cloud on the probability of theft or loss of 100,000 or more customer records 13 Use of cloud services (SaaS) Backup and storage of sensitive and/or confidential information Increase use of cloud by 50% in 12 months
- 14. 14 Use of cloud services (SaaS) Backup and storage of sensitive and/or confidential information Increase use of cloud by 50% in 12 months Effects of cloud on the probability of theft of high-value information
- 15. 15 124% increase in probability of a data breach Increase BYOD access of cloud services
- 16. Invisible to IT 16 36% of business-critical apps are in the cloud. IT isn’t aware of nearly half of them. 30% of business information resides in the cloud. IT doesn't have visibility into more than one third of it.
- 17. People love their cloud apps, and for good reason 17 Love doesn’t have to be blind
- 18. 18 MEASURE: Discover the cloud apps running in your enterprise
- 19. 19 MEASURE: Discover the cloud apps running in your enterprise • 3rd party tools like Netskope can analyze firewall logs (and others) for this information • Resist the urge to immediately blacklist unsanctioned apps
- 20. 20 User Location Device Time Activity App Content Risk w/Whom ANALYZE: Understand the context of usage at a deeper level
- 22. 22 ACT: Plot a course of action based on risk, usage criticality
- 23. 23 ACT: Plot a course of action based on risk, usage criticality • Use an objective criteria for assessing app. The Cloud Controls Matrix from CSA is good start, and vendors have taken this to a whole new level. • After risk, look at usage, including the nature of the content. This will help triage policy enforcement next steps, especially when hundreds of apps are in play. • Risky usage can be more important than app risk.
- 24. ACT: Plot a course of action based on risk, usage criticality ANALYZE: Understand the context of app usage at a deeper level MEASURE: Discover the cloud apps running in your enterprise
- 25. 25 The real face of shadow IT is you and me. Ultimately, this is simply unmanaged risk.
- 26. Allow is the new block (allow is new block green light slide) 26 S M
Notes de l'éditeur
- Cloud computing is one of the most dramatic workplace shifts we’ve seen in decades. When we think about cloud app growth, it’s often about individuals’ usage of apps like Box and Dropbox. The reality is every line of business is adopting cloud apps, whether for HR, finance, supply chain, or business intelligence. Mobile, the other major crossover we’re seeing – with mobile devices and access surpassing that of PCs in virtually every measure – has fueled this shift. Cloud is no longer a question – it’s the way we do business.
- There are nearly 5000 enterprise apps today. This is up from 3,000 6 months ago and we’re adding somewhere in the range of 100-150 of these apps per month on average. These are the most common apps and some apps you’ve never even heard of. I talk to customers who a year ago were trying to get their heads around deployments of apps we’ve all heard of like Evernote and HipChat… today these customers are calling me about apps like Trello and Seamless. These things aren’t just grow up in numbers, they’re growing out in category redundancy – we’ll talk about that in a minute. But why is this happening? How has it come to be? The answer is closer to you than you think. Reach into your pocket and pull out your phone. Take out that tablet. Grab 1 of the 3 devices we all carry around with us everyday… We love these devices and we love these apps!
- And why wouldn’t it be? In nearly every survey, people cite “business agility” as the primary driver for cloud adoption – even more so than cost. People want to be productive now, not after the software rollout next spring. They want to access apps from any of their devices (we now count an average of 3.5 devices per knowledge worker). And they want to collaborate with colleagues and business partners in a seamless, frictionless way. Beyond paving the way for productivity gains, this shift has also created a new opportunity for IT – to become an enabler and innovator in facilitating the use of these apps.
- All of this is troubling to IT departments. When we talk to CIOs and CISOs there’s just a lot of uncertainty and anxiety about the quickly changing environment and pace of change. We’ve seen this before with other trends like mobile.
- We wanted to find out the effect this was having on the perceived vulnerability and how cloud might effect the estimated economic impact of a data breach. We asked the Ponemon Institute to conduct a study. They surveyed more than 600 IT and security professionals, all of whom had knowledge of their use of cloud services. 61% of whom report to the CIO
- IT considers the following to be contributors to the cloud multiplier effect Cloud app adoption Mobile and consumerization Ease and speed of data sharing
- According to survey respondents, if you increase use of cloud services, you increase the probability of a data breach. By 3.1x actually, depending on the scenario involved. So, for example, if you organization had 100 cloud apps and added 25 more in a 12-month period, you would increase your probability of a data breach by 75%
- We examined 2 types of data breaches Loss or theft of 100,000 or more customer records Theft of high-value information such as intellectual property In the study of data breaches over the years these are commonly used methods of examination
- Leveraging previously calculated amounts from actual data breaches we know that the baseline cost of a data breach is $20.1 million for the loss or theft of 100,000 or more customer records and $11.8 million for the theft of high-value information. This comes from the Ponemon Institute’s study of the Cost of a Data Breach conducted with IBM in May of 2014.
- This survey considered respondents answers and determined that their estimated baseline probability of a data breach of these two types was 11.8% and 25.4% respectively. This is, essentially, how they feel about their current environment, absent any changes. This is not “before cloud” and doesn’t consider how much they are, or are not, using the cloud today. It’s simply their “current state”.
- So, if you consider their estimated probability today you get a probability adjusted estimate of the economic impact. 11.8% times $20.1 million gets you to $2.37 million for the loss or theft of 100,000 or more customer records. 25.4% times $11.8 million gets you to $2.99 million for the theft of high-value information Of course IF a data breach of one of these types were to happen to them then the actual cost would be different, but this gives us a baseline from which to work.
- The baseline established previously is important for estimating the economic impact that comes from increasing use of cloud in the enterprise. For instance, if you increase the use of SaaS by 50% in a 12 month period, you increase the probability of the loss or theft of 100,000 or more customer records by 2.6 times. When you factor in the probability adjusted economic impact, the cost goes up from $2.37 million to $6.08 million.
- Similarly, the baseline established previously is important for estimating the economic impact that comes from increasing use of cloud in the enterprise. So, if you increase the use of cloud-based backup and storage for your sensitive or confidential information, you increase the probability of theft of high-value information by 1.6 times. When you factor in the probability adjusted economic impact, the cost goes up from $2.99 million to $4.93 million.
- Survey respondents indicate that IT is still skittish about BYOD and that increasing access of cloud apps from personally owned mobile devices increases the probability of a data breach by 124 percent
- Visibility into the use of cloud services is a big component of the challenges and why we think that the perceptions reflected in this study are resulting in the cloud multiplier effect. When business critical apps are in the cloud and IT can’t see half of them, this is naturally going to lead to uncertainty about security and the perception that cloud will lead to an increased probability of a data breach.
- Love doesn’t have to be blind. So, let’s start to talk about some solutions and how we find our way out of this morass. Here are a few things IT can do to get a better handle on things
- Step 1: Let’s rip off our blind folds. Seeing is believing and knowing definitively the number of cloud apps people are using in your enterprise is the first step.
- Your firewall alone isn’t going to be able to tell you this. You need a tool that’s tuned to see the 5000+ apps in existence that traverse your firewall or web gateway. And to be honest, that’s just the beginning. The portion of apps that will never touch a perimeter device is growing, so consider how you discover in real-time, beyond the network and in remote and mobile situations Once you discover, take a moment and resist the urge to blacklist apps. You’ll find that many of these apps are actually considered business critical today.
- Context is critical and you’d be surprised how deep an understanding you can get
- Understand App risk Who is using the service and where they’re using it from Understand the devices that are being used to access these apps Understand the content and if it’s sensitive or not Get to know the types of activities that people are conducting in these apps. In the case of sharing, understand who they are sharing with.
- Act: With all the information you’ve gathered, you can start to come up with a plan and start making decisions.
- When doing this, don’t think that you alone must assess every app. There are companies out there that will provide this information for you and some of them are leveraging the Cloud Controls Matrix from CSA. This matrix provides guidance for people in plain English and I think they’ve done a good job at capturing the criteria that should be used to evaluate cloud services. The usage/popularity of apps can really help guide your triage. If a particularly risky app is being used by 300 people, you need to be a lot more thoughtful about your next steps than if it’s 1 or 2 people. Unless of course that 1 person is the CEO… and then you’ve got another problem on your hands. :) And remember that Context Matters. The usage of an app can be risky and this is another pivot point you should consider in your triage. Coming at it from an activity point of view can be helpful. Saying “I want to look at sharing first, regardless of app risk”
- Here, in summary. I think it’s a good starting point and I hope you think so to. Because ultimately …. <click>
- Here’s the real face of shadow IT. A lot of the time it’s not at all sinister. They’re people like you and me, getting their jobs done and trying to do a better job of that all the time. And for IT, let’s just face it. It’s just a risk that has gone unmanaged and for quite some time now. So let’s do something about it… But during that, let’s remember not to repeat the heavy-handed sins of the past instead, remember a simple mantra >
- Allow is the new block. This is something that Netskope talks about a lot and I think it’s a good way to think about it. Thank you very much for your time and attention today -- I hope you enjoy the rest of the meeting and find me after if you have any questions.