© 2014 CipherCloud | All rights reserved.
Shedding Light on Shadow IT
for File Sharing
Willy Leichter
Global Director, Cloud Security

The Challenges of Sharing Files
Sharing large files has always been a challenge
• Email was never designed for large attachments
• IT sets strict attachment size limits
Viable alternatives were hard to find
• IT just said “no” – didn’t solve the problem
• Archaic FTP tools were hard to use
• Users resorted to shipping CDs or worse
Cloud-based file sharing sites have rapidly solved this problem
• Easy access to free web-based tools
• Sharing from any device to anywhere
• Numerous ‘free’ offers make it easy to get started

The Challenge of Exploding ‘Shadow IT’
Proliferation of cloud applications
• Dramatic increase in use of non IT-sanctioned cloud apps
• Multiple solutions meet similar needs
• Users switch providers based on cost & convenience
Lack of corporate visibility and governance
• Lack of controls invites cloud data compliance violations
• Cloud providers won’t accept liability for your data
• You can’t manage what you can’t see
Numerous security risks
• Providers have inconsistent cloud security practices
• Many applications lack basic security controls

Results from an Audit of a major media company
Looked at activity logs for approx 10k users for about a day
• 349 separate cloud apps discovered, with IT having no visibility into almost all of them.
• 24% identified as high risk
• 69 different Cloud Data Storage apps in use – the most common category

Frequent Security Issues with apps
Not using SSL
Credentials requested from insecure landing page
Immediate ‘free’ upload
No legitimate 3rd party certification
• No SSL or insecure version
• Expired or self-signed certificates
• Insecure headers
• Inadequate cloud data privacy policies
• Weak authentication
• Poor security controls
• Suspicious server locations
• No legitimate certification by third-parties
• No corporate visibility or control over uploads

Enterprises Must Answer Key Questions
What cloud applications are being accessed?
Which applications are risky?
Can we standardize on enterprise solutions?
Is sensitive information being exposed?
Are corporate Cloud DLP policies being violated?
Can you monitor users and detect anomalies?
Cloud Discovery
Data Discovery

CipherCloud for Cloud Discovery
Discover all cloud applications in use
• Complete visibility into all cloud applications
• Detailed data on volume, usage, and categories
• Easy integration with multiple proxy devices
Identify risky applications
• Extensive CloudSource™ risk knowledge base provides expert analysis of thousands of cloud applications
• Multi-factor analysis of security & privacy controls
• Crowd sourcing continuously enhances coverage
Enterprise-grade solution
• Customizable cloud computing risk scoring attributes
• Highly scalable, supports distributed deployments
• Role-based administration, audit logging & alerts

CloudSource™ Risk Knowledge Base
Risk scoring methodology
• Research lab analyzes thousands of cloud applications
• Automated testing & manual analysis
• Input from leading standards groups: Cloud Security Alliance (CSA), Truste, Forrester Research, other analysts
Over 100 key metrics include
• Use of SSL for application landing & login pages
• Analysis of SSL and certificate quality & expiration
• Privacy policy analysis
• Detailed header and SPF analysis
• Authentication & security controls
• Certification by third-party auditors
• Location of cloud application servers
• Tracking of cloud data breaches for specific services
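
The discovery-and-scoring approach from the audit and CloudSource slides, as an added example (not CipherCloud's code or scoring model): it tallies users and upload volume per cloud host from proxy log lines, then scores each host on four of the metrics listed above. The log format, host names, catalogue entries, weights and high-risk threshold are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: user, method, URL, request bytes (format is assumed).
SAMPLE_LOG = """\
alice POST https://files.example-share.test/upload 5242880
bob POST http://dropzone.example.test/login 412
bob POST http://dropzone.example.test/upload 1048576
carol GET https://files.example-share.test/f/123 0
dave POST http://dropzone.example.test/upload 2097152
erin POST https://paste.unknown-app.test/api 2048
malformed line
"""

# Assumed weights and threshold; a failed or unknown check adds its weight.
WEIGHTS = {"tls_login": 40, "cert_valid": 25, "security_headers": 15, "third_party_cert": 20}
HIGH_RISK = 50
# Constructed catalogue of per-host findings for the four checks above.
APP_FACTS = {
    "files.example-share.test": dict.fromkeys(WEIGHTS, True),
    "dropzone.example.test": {**dict.fromkeys(WEIGHTS, False), "tls_login": True},
}

def discover(log_text):
    """Aggregate users, upload volume and plaintext requests per host."""
    apps = defaultdict(lambda: {"users": set(), "upload_bytes": 0, "plaintext": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit() or not urlsplit(parts[2]).hostname:
            continue  # skip malformed records instead of failing the whole run
        user, method, url, size = parts
        target = urlsplit(url)
        rec = apps[target.hostname]
        rec["users"].add(user)
        if method in ("POST", "PUT"):
            rec["upload_bytes"] += int(size)
        if target.scheme == "http":
            rec["plaintext"] += 1
    return apps

def report(log_text):
    """Return one row per host, highest risk first, then by upload volume."""
    rows = []
    for host, rec in discover(log_text).items():
        facts = dict(APP_FACTS.get(host, {}))  # hosts not in the catalogue fail every check
        if rec["plaintext"]:
            facts["tls_login"] = False  # observed plaintext traffic overrides the catalogue
        score = sum(w for check, w in WEIGHTS.items() if not facts.get(check, False))
        rows.append({"host": host, "users": len(rec["users"]), "score": score,
                     "upload_bytes": rec["upload_bytes"], "high_risk": score >= HIGH_RISK})
    return sorted(rows, key=lambda r: (-r["score"], -r["upload_bytes"]))

if __name__ == "__main__":
    print(*report(SAMPLE_LOG), sep="\n")
```

The uncatalogued host is scored as worst case, so unknown applications surface at the top of the report until someone has assessed them.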

CipherCloud for Cloud Discovery includes granular trend analysis, multi-criteria filtering and drill-down charts.

Intuitive drill-down dashboards, filtering and detailed reporting
CloudSource tracks granular risk metrics across transport security, privacy, compliance and environment for each application.

CipherCloud’s Cloud Data Loss Prevention
Cloud data loss prevention tailored for the file sharing platforms
• Configurable DLP policy controls
• Real-time and on-demand scanning
• Integrates with enterprise DLP systems
Flexible policy actions
• Sharing rules based on content & roles
• Notify, quarantine, block, encrypt, self-remediate
• Block external sharing
Malware protection
• Scan triggered on uploads, deletes infected files
Seamless integration with cloud apps
• Scanning happens seamlessly in the background
• Works with all desktop & mobile clients
Detailed, granular reporting
• Configurable dashboards
• Easy drill-down on users, content, and policy violations

[Deployment diagram: Internal Network; External Users; CipherCloud On-Premises Deployment; Enterprise DLP (optional); ICAP; Internal Users; CipherCloud Cloud Deployment]
Cloud Data Loss Prevention
CipherCloud’s technology provides out-of-the-box DLP controls and policies that can spot potential violations of HIPAA/HITECH, GLBA, PCI, NCD, or other regulations, as well as ABA, SWIFT, and NDC codes.
The solution can also integrate with enterprise DLP systems such as RSA, McAfee, and Symantec, enabling you to extend your existing DLP policies to cloud applications

It’s All About the Data….
Protecting infrastructure is not enough
• Business critical systems now outside the network
Key applications are outside your control
• Reliance on cloud providers to secure systems
Cloud customers ask the wrong questions
• Focus on transferring old legacy security models
Need to change to a data-centric model
• Cloud providers don’t accept liability for your data
• You own the data – you need to secure it
Security needs to travel with your data
• You need to control access regardless of location

Top 3 US Bank’s Consumer Self-Service Loan Origination Portal
UK Education Organization Deploys Global Cloud-Based Portal
Non-Technology Leader Trusts Sensitive Data in Cloud Email
German Cosmetics Giant Meets International Security Regulations
Major European Telco Consolidates Call Centers for 25 Countries
Largest Hospital Chain Meets HIPAA & HITECH in the Cloud
Top Canadian Bank Safeguards Proprietary Information in the Cloud
Major Wall Street Firm Adopts Cloud Applications with Confidence
Leading Caribbean credit service protects customer data anywhere
Genomics Testing Leader Protects Patient Data while Using the Cloud
New Zealand Bank Collaborates in the Cloud and Meets Compliance
Medical Audit Leader Launches Cloud-Based Customer Portal
Large Pharmaceutical Company Uses Encrypted Email
Credit Reporting Giant Deploys Cloud Collaboration with DLP Controls
Government-Owned Mortgage Backer Protects PII Data in the Cloud
High-Profile Federal Office Moves Public CRM Data to the Cloud
Credit Reporting Giant Moves to Cloud-Based File Sharing
Australian Insurer Reaches Customers Through Cloud-Based Portal
Leading Drug Developer Moves Patient Test Data to the Cloud
Investment Fund Giant Consolidates CRM While Assuring Compliance
Major Global Enterprises Adopting the Cloud Securely with CipherCloud

Recommendations
Enable the cloud – don’t just say “No”
• New applications solve real problems and raise user expectations
• If you don’t support them, your users will find them anyway
First step is to discover clouds being used and riskiness
• You can’t manage what you can’t see
• Rely on standards-based approaches to evaluate risk
Standardize on leading enterprise-class applications
• Users don’t need or want dozens of apps to do the same thing
• Provide users easy access, training and enterprise licenses
You still need visibility into the data itself
• Use tools that extend your enterprise DLP policies to the cloud
Look for comprehensive cloud security platforms
• Solutions must provide a range of capabilities across many applications

About CipherCloud
450+ Employees
4 out of 5 Top US Banks
Company
3.8+ Million Live Users
11 Industries
30 Countries
7 Languages
Awards
Cool Vendor
Solutions
Cloud Discovery
Cloud DLP
Strong Encryption
Tokenization
Activity Monitoring
Anomaly Detection

Free Cloud Risk Assessment
Questions?
Watch this On-demand Webinar:
http://pages.ciphercloud.com/On-Demand-Webinar-Shedding-Light-on-Shadow-IT-for-File-Sharing.html
For additional information:
• Website: www.ciphercloud.com
• Twitter: @ciphercloud
• Email: info@ciphercloud.com
• LinkedIn: www.linkedin.com/company/ciphercloud
• Phone: +1 855-5CIPHER
Willy Leichter
Global Director, Cloud Security
wleichter@ciphercloud.com
Hosted snapshot of cloud apps in use and risks
Full dashboard access
Detailed report and expert analysis
Email: cloudrisk@ciphercloud.com
