As IT executives and business leaders finally get their arms around analyses of the business opportunities versus the security risks of cloud adoption, the industry is increasingly quantifying the friction between the two. We’ve put together some numbers to show perception over some of the hot-button issues, as well as current progress toward smoothing the way for secure cloud transformations.
Quantifying the perceptions around cloud security practices.
Security Still Trumps All Other Concerns
According to a recent Informationweek Reports survey, security and data resiliency issues make up four of the top 10 concerns held by IT over cloud adoption. And sitting atop that list is the concern of security defects in the cloud technology itself.
IT pros seem to be split nearly right down the middle as to whether using cloud services increases the risk of a data breach. Approximately 51% say sending data to the cloud increases or significantly increases that risk.
Meanwhile, even more line of business leaders are confident in the security of the cloud. In fact, more than a third even believe it actually improves security, according to a survey of nearly 600 Harvard Business Review readers.
Raising The Stakes On Breach Risk
However, the use of the cloud does raise the stakes for breach impact. According to a recent Ponemon Institute report, the use of SaaS increases the financial impact of a breach by a factor of 1.5 times a normal breach of data from on-premises infrastructure.
The added impact of potential risk from a cloud breach is further exacerbated by lackluster cloud encryption practices. The percentage of organizations that use encryption to secure sensitive data in the cloud hovers at only about 1/3 worldwide.
And the truth is that most security organizations still struggle to extend corporate data governance policies to the public cloud, and they have a hard time maintaining visibility into security policy across a hybrid cloud infrastructure.
That’s probably why they can’t seem to enforce cloud policies very well. According to a report by Skyhigh Networks, there’s a perception gap in how well companies are blocking unauthorized use and uploading to cloud apps compared to their intended policy enforcement actions.
How Big Of A Shadow IT Problem Do You Really Have?
A survey conducted by the Cloud Security Alliance on behalf of Netskope also found that IT departments may be underestimating the number of cloud apps used across the business. More than half of these departments believe the business is running 10 or fewer cloud service apps. Meanwhile, compared to data from Skyhigh Networks, the average number is closer to 800.
Many of the struggles IT faces in the cloud can be summed up here, according to a Ponemon Institute study: Just 9% of IT security organizations are always involved in decisions regarding cloud procurement. Worse, 47% are rarely or never involved.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
This week, Protiviti and ISACA issued results of the fourth annual IT Audit Benchmarking Study. The organizations surveyed 1,330 IT audit leaders across the globe, including chief audit executives, IT audit vice presidents and directors, who answered questions in five categories:
Today’s Top Technology Challenges
IT Audit in Relation to the Internal Audit Department
Assessing IT Risks
Audit Plan
Skills and Capabilities
The survey found that, although organizations have made strides in establishing best practices for the IT audit function, many are struggling to keep pace with global IT risks amid rapidly changing technology environments.
“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organizations, and audit committees in particular, to become more engaged in the IT audit function,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader. “We see some positive trends in our results, notably in the number of designated IT audit directors and their regular attendance at audit committee meetings. However, we also see significant gaps to be addressed, including the frequency with which IT audit risk assessments are conducted.”
Top Technology Challenges
The survey also revealed the top 10 technology challenges that respondents say their organizations face today:
IT security and privacy/cybersecurity
Resource/staffing/skills challenges
Emerging technology and infrastructure changes: transformation, innovation, disruption
Regulatory compliance
Budgets and controlling costs
IT governance and risk management
Big data and analytics
Vendor, third-party and outsourcing risks
Cloud computing/ virtualization
Bridging IT and the business
Establishing Organizationwide Support for IT Audit
The IT Audit Benchmarking Study found that more than half of the largest public companies surveyed have a designated IT audit director or equivalent position within their organizations, and 48 percent reported that these individuals regularly attend audit committee meetings – a number that has doubled over the past three years. Additionally, respondents indicated that their audit committees have increased their involvement in the IT risk assessment process, with 20 percent reporting significant involvement as compared to 14 percent in 2013.
The increased resources and attention to IT audit is a positive sign that companies of all sizes around the world are recognizing the significant benefits of this critical function.
Small Gains in IT Audit Risk Assessments
The ISACA/Protiviti survey also reveals a modest uptick in the number of organizations that update their IT audit risk assessment on a continual basis. However, this number still remains low—around 15 percent—for even the largest companies.
Additional Highlights
Other research findings of note include:
Globally, respondents cited COBIT as the most accepted industry framework on which the IT audit risk assessment is based, followed by COSO, ISO and SOGP. In practice, organizations may utilize a combination of these frameworks to complete their risk assessments.
Across every region and size of respondent organization, lack of resources ranks as the top reason why companies are using outside resources to augment their IT audit skills – and in fact, the percentages are very consistent. These findings are also in line with the top technology challenges outlined above.
It is hard to imagine a world in which we didn’t use the Internet at work. 15 years ago, it was a luxury. Today, Internet use at work is mission-critical. We’ve evolved from casually getting online to search for basic information about a company to doing such critical things as accessing webmail, posting to and monitoring social media and transferring and storing files in the cloud.
Unfettered Internet access at work has empowered us to defy geographical and time constraints to communicate with colleagues, vendors and customers located around the globe, develop content and code, and share real-time 24 x 7. It also allows us to shop, gamble, chat with friends, check bank balances and pay bills at work and generally “cyber loaf” on the company network, to the tune of US $178 billion in lost productivity annually, according to U.S. security company Websense. According to IDC, 30 to 40% of Internet access is now spent on non-work related browsing, and 60% of all online purchases are made during working hours.
The prevalence of smartphones and social media and our evolution into an “always on” society have further blurred the lines between personal and professional lives, bringing our privacy into question and leaving lawmakers dumbfounded as to how to govern personal privacy in light of these changes.
Absent legislation that helps companies navigate this new reality, in an effort to curb employees’ increasing amount of personal time they spend online at work, some companies have implemented monitoring systems that leave employees feeling watched and mistrusted, without really solving the problem of protecting the company network.
The good news is that incorporating individual protection into your risk management strategy can actually make your organizationMORE secure. By championing employee privacy, you can empower individuals to become personally accountable for their decisions online and engage them in protecting the organization. You can achieve this by separating personal and work assets and providing employees a private portal to conduct their personal online business at work. By isolating personal browsing from the corporate network, employees can surf and communicate freely and securely, while corporate assets are shielded from employee activity.
The problem with signature based security tools is you are vulnerable until the signature is released and distributed. Palo Alto Networks takes a different approach with Traps, so Network World Editor in Chief John Dix tracked down Palo Alto VP of Product Marketing Scott Gainey for an inside look at how Traps works.
Palo Alto VP of Product Marketing Scott GaineyPalo Alto Networks VP of Product Marketing Scott Gainey
You recently unveiled a new endpoint protection product called Traps. Tell us what that’s about.
If I’m outside of my corporate network operating on an unsecured Wi-Fi network my system is at risk. A simple drive-by-download of embedded malicious content in, say, an iFrame could easily bypass existing anti-virus software, leaving nothing that could protect me from being infected. This is one of many examples that leave endpoints vulnerable. So a complete security architecture has to be able to protect its users regardless of where they may be working, whether they’re on-network or off-network, and that’s one use case that led us down this path of investing in endpoint protection.
Another one is that we see a lot of highly targeted attacks that are utilizing a threat that’s never been seen before and has been designed in such a way that it’s able to evade detection at the network security level. It could be based on a new zero-day vulnerability the attacker will use against a high-value target. Because this is based on an unknown vulnerability it’s missed by IPS/IDS. Our approach is effective at learning from these new attacks and routing new defenses back to the infrastructure so if that type of threat is used again it will be blocked. But if the attacker only uses it once then other areas of defense must kick in to protect an organization.
So those use cases are why we made the investment in Cyvera, and the release of Traps is our first official release of this technology and includes some integration into WildFire, which is our sandboxing technology.
The classic endpoint protection companies that offer antivirus-based protection rely on signatures for defense, which requires prior knowledge of the threat in order to block it. So these vendors have large teams of people who are constantly churning out signatures based on new threats they observe in the wild.
The challenge we saw with that approach is you’re always several steps behind the attacker community. There’s literally millions of forms of new malware that get generated each year. On a daily basis we see an average of over 20,000 new forms of malware. So companies with AV-based solutions have to build signatures against all of those new forms, then distribute those signatures out to all the endpoints. It’s an impossible situation to stay on top of.
Similarly, technologies like discreet intrusion prevention or intrusion detection systems require prior knowledge to protect against vulnerabilities. So if it’s an unknown zero-day based vulnerability, IPS or IDS isn’t as effective. It can only block what it knows.
So when we were looking at making an investment we spent a lot of time in our due diligence looking at the approaches that others use. There are a lot of companies jockeying for the space, knowing the traditional approaches are ineffective.
And we saw two common approaches we didn’t like as far as the new technology goes. The first was container-based tools that are basically designed to wrap a protective barrier around processes so if the process turns out to be malicious in nature the container detects it and shuts it down. But a lot of attackers have figured out how to disable those containers, and they impose a significant amount of resource overhead. So from an efficacy and operational perspective it wasn’t a very viable option.
Then the other approach that concerned us was tools focused on post-attack detection or remediation. You would deploy those to try and identify and isolate systems that were affected and then begin the cleanup process. If people are investing in that as their answer to highly targeted attacks, then they’re effectively waving a white flag, saying I can’t prevent these attacks so I might as well invest money in trying to at least detect them quickly.
We vehemently disagree with that premise. We do think that attacks, no matter how sophisticated, can be prevented. There is no silver bullet in this battle but network security will absolutely continue to play a big role in preventing attacks. But there are some holes that you have to shore up and that’s why we brought Traps to market.
Traps is a technology that, thus far, with the trials that we’ve done with different customers, has proven to be 100% effective against even the most highly targeted, zero-day based attacks.
How does it work?
What we liked about the technology is it’s not focused on the individual threat. Traps really doesn’t care whether it’s known or unknown malware. Traps doesn’t really care about the vulnerability itself. What Traps focuses on is the underlying techniques that an attacker must execute in order to exploit a vulnerability on an endpoint.
Let’s say an attacker found some sort of weakness in a piece of software and intended to use that to exploit the system. The attacker would have to go through a series of well-defined steps to make that happen. It may be three steps, it may be five steps. It depends on the nature of the exploit, but they would have to go through a sequence of steps. With Traps, what we’ve done is built a series blocks against each and every one of those available techniques so the second an attacker tries to employ one they run into a block and their attack is thwarted and the process is shut down. Today there are around two dozen techniques at an attackers disposal.
So let’s say there was a weakness in an Adobe PDF file and someone has initiated an exploit to try and take advantage of that weakness. As they go through the steps of that exploit, they would run into one of our exploit prevention modules within Traps and, as soon as they do, our product will shut down that process and alert the user that an attack was prevented and then also alert the admin. Then we collect a package of forensics, including memory state, etc., and provide it to the admin so they know the details of the attack, what user they were going after, what file they were using, etc.
And it is client based?
Right. Traps is a very thin client that lives on the endpoint itself. One of our criteria was this couldn’t be some big, heavy, resource-intensive type of technology. It literally consumes only 5MB of memory and about a tenth of one percent on average of CPU utilization. And it basically sits on that endpoint and anytime a new process is opened we inject what we call prevention modules into that process. So the second an attacker tries to utilize one of these known techniques they will run into one of our prevention modules and the attack is prevented.
How can you possibly account for all the different approaches that a vulnerability exploit would attempt?
Right now there are a total of 24 techniques that attackers have at their disposal to try and exploit a system, so we have that covered. These techniques are pretty hard science. It’s rare if you see two or three new techniques emerge within a year’s period of time. In fact, in the release that we announced we added three new prevention modules against three new techniques that emerged and those are the first techniques that we’ve seen in two years.
The vast majority of the techniques come out of academia. Someone in academia will be studying different processes, then publish a paper and attackers get a hold of that and, voila, they’ve got a new technique at their disposal. So we’ve been working very closely with academia to make sure that, as these things are being researched, we’re also building prevention modules against them so that when they publish their paper we also have modules built against those new techniques.
I suspect it will probably be another eight to twelve months or so before we see another one of these techniques emerge. They don’t happen that often.
I presume the tool is operating system dependent.
Correct. We support Windows XP, Windows 7 and Windows 8 on the workstation side, and on the server side it’s Windows Server 2003, 2008 and 2012. It sits well below the application stack so it’s independent of the applications themselves. So we support any kind of application that works on top of a Microsoft Windows environment.
In fact, I was talking to an oil and gas company and, while the prevention characteristics of this are very enticing, this guy was excited about the fact we support XP because he had tens of thousands of systems that were still running Windows XP and Microsoft isn’t patching XP anymore. So he was looking at this as a way to extend the lifespan of his Windows XP systems, which is a nice aftereffect. We’re seeing Windows in ATMs, point-of-sale systems, etc.
So that’s the exploit side, what about malware-based attacks?
Right. On the malware side it works similar, only we’ve added a couple of other steps. When it comes to malware-based attacks the process is slightly different. Malware of course doesn’t require a vulnerability exploit in order to run on an endpoint. Often it’s our employees who initiate this process by opening a malicious file attachment in email, clicking on a link that takes that person to a malicious URL or domain, downloading a malicious file from a USB stick, etc.
Traps malware prevention is accomplished in three steps. First, Traps allows admins to create a series of policies on the endpoint that significantly limits the risk of employees inadvertently downloading malware. These are simple policies like – do not allow a user to execute a .exe file sent over email, or from a removable storage device. By establishing the correct policies up front an organizations can reduce the options available for an attacker to get malware to an endpoint.
Second, Traps integrates with WildFire to provide an immediate vehicle to verify whether a file is known to be malicious. Every day WildFire inspects millions of files for new forms of malware. This intelligence is made available to Traps so it can verify whether a particular executable is malicious before allowing it to run on an endpoint. And finally, Traps utilizes malware prevention modules on the endpoint to ensure that the malware never executes.
Are competitors doing anything similar?
The only other company who’s kind of taken this approach is Microsoft themselves. There’s a project that Microsoft had been playing with called EMET and they’re the only ones really today that are focused on a technique-based approach. Microsoft has chosen not to productize EMET, but it’s kind of a skunksworks project, if you will. So really only us and Microsoft are the two that are looking at this from a techniques basis. And the EMET project only supports seven exploit techniques today.
What percentage of the problem do you think this addresses? After all, there’s environments other than Windows and there’s the whole mobility threat. How do you add that up?
Today Traps is focused on Windows-based support which constitutes the majority of endpoints. We plan to expand support in the future based on customer needs.
How do you sell this?
It is sold as a subscription service. So you can buy Traps as a one, three or five-year subscription and, as I mentioned, there is a thin client you have to deploy. It can be deployed through a company’s standard distribution software.
So a per-device fee?
Right now we have two price points, one for workstation and one for server. Then it’s on a tiered structure, with different price bands depending on the total number of deployed endpoints.
One more thing I want to mention. You’ll see us referring to Advanced Endpoint Protection, which we’re defining differently than how others might define endpoint protection today. Many definitions largely align with classic anti-virus capabilities. We think to qualify as an Advanced Endpoint Protection solution you have to be able to block all exploits, whether they’re known or unknown. You have to be able to block all malware, both known and unknown. Forensics remains crucial because there’s knowledge and insight that can be gained to protect the rest of the organization. It has to be very scalable and lightweight. If you’re deploying hundreds of thousands of these clients across endpoints as small as a point-of-sale system, this can’t be a big memory and CPU hog.
And finally, it has to be integrated with the cloud and the network. These worlds are going to collide in a very big way. If you can link the network with the endpoint and the endpoint with the network, there is a tremendous advantage across both fronts when it comes to ultimately bolstering security efficacy. They’re going to see things inherently the others can’t see, and if you can bring that together in terms of some type of sharing relationship, then everything becomes strong together.
Dix helped launch Network World in 1986 after chronicling developments in networking and distributed processing first at IDC (1980-1984), then at Computerworld (1985-1986).
Cloud computing offers both unique advantages and challenges to government users. The advantages are well-advertised: Greater efficiency, economy and flexibility that can help agencies meet rapidly changing computing needs quickly and cheaply while being environmentally friendly.
Among the challenges, security is the most commonly-sited concern in moving mission-critical services or sensitive information to the cloud.
To address this, a recently released roadmap from the National Institute of Standards and Technology recommends a plan to ensure cloud offerings meet government security needs while being flexible enough to adapt to the policies and requirements of multiple tenants, including foreign governments. The plan involves periodic assessments of security controls and development of international profiles and standards.
The recommendations are brief and make up a small part of the 140-page document released by NIST in October but categorized as “high priority.”
Security is the first of three high-priority requirements addressed in volume one. Interoperability and portability – the ability of data to be moved from one cloud facility to another—are the others.
The government already has established the Federal Risk and Authorization Management Program (FedRAMP), which became operational in 2012 to ensure that cloud service providers meet a baseline set of federal security requirements, easing the task of certifying and authorizing the systems for government operations. But the NIST roadmap addresses security requirements that extend beyond federal users.
Security in the cloud is complicated by a number of factors. First, it upsets the traditional IT security model that relies on logical and physical system boundaries. “The inherent characteristics of cloud computing make these boundaries more complex and render traditional security mechanisms less effective,” the roadmap says.
Second, a cloud system has to meet not only U.S. government security needs, but also those of other customers sharing the environment, and so security policy must be de-coupled from U.S. government-specific policies. “Mechanisms must be developed to allow differing policies to co-exist and be implemented with a high degree of confidence, irrespective of geographical location and sovereignty.”
Moreover, a comprehensive set of security requirements have not yet been fully established, the roadmap says. “Security controls need to be reexamined in the context of cloud architecture, scale, reliance on networking, outsourcing and shared resources,” the authors write. “For example, multi-tenancy is an inherent cloud characteristic that intuitively raises concern that one consumer may impact the operations or access data of other tenants running on the same cloud.”
NIST says recommended priority action plans for cloud security are:
Continue to identify cloud consumer priority security requirements, on at least a quarterly basis.
Periodically identify and assess the extent to which risk can be mitigated through existing and emerging security controls and guidance. Identify gaps and modify existing controls and monitoring capabilities.
Develop neutral cloud security profiles, technical security attributes and test criteria.
Define an international standards-based conformity assessment system approach.