Protecting data during digital transformation [Q&A]
In recent years, many businesses have embraced digital transformation to boost productivity and streamline operations in an attempt to create competitive advantages. But in the process of migrating critical operations to the cloud, they have exposed themselves to new risks.
With cloud apps accessible from anywhere, users can get their work done from wherever they are, but attackers also gain new vectors to exploit.
We spoke to Sundaram Lakshmanan, CTO of SASE products at Lookout, to discuss the hidden risks behind cloud services and how enterprises can guard against them.
BN: Why are cloud apps especially attractive to attackers?
SL: As part of an organization's digital transformation journey, critical operations are moving onto the cloud. An example of this would be human capital management (HCM) services, such as SAP SuccessFactors or Workday, that host a wide range of private or regulated employee data. These can include anything from personal or financial information used for payroll to health information for benefits.
Replacing on-prem workflows with digital solutions in the cloud has unlocked operational efficiencies for human resources, but it also puts data at risk of being compromised. Security teams no longer have the visibility and control they had on premises when data is sprawled across numerous cloud services and being accessed by unmanaged endpoints over public networks. The risk doesn’t just come from your employees working from home, it can also be introduced by external parties such as partners, vendors, clients and third-party agencies that need access to the data.
BN: How do cloud risks impact businesses directly?
SL: Great question. One of the challenges for chief security officers is to tie security to their organization's bottom line.
First, you have to realize that once data resides in the cloud, whether it's in a SaaS app like Box or OneDrive or in an S3 bucket from Amazon Web Services, the expensive perimeter-based security tools instantly become obsolete. Also, because you're using dozens of apps, securing and managing them becomes quite complex.
A recent example of this was the accidental exposure of sensitive customer and employee data by a large Turkish-based airline that misconfigured its AWS S3 bucket. These cloud systems are governed by complex controls that can be difficult to manage, but are very susceptible to misconfigurations due to a certain ease of use, especially when your organization is migrating data to the cloud.
BN: How does shadow IT add to the risk?
SL: Traditionally, we think of shadow IT as random software an employee purchases without IT’s knowledge. In the context of the cloud, this expands into other areas as well. For example, you may have control over a particular SaaS app, but your end-users and administrators could be using personal GDrives or Gmail, or could be interacting with partner SaaS apps over the personal Wi-Fi and devices connected to it. This sidesteps your perimeter-based security -- which means IT and security teams no longer have visibility into how users are interacting with the apps, the application instances, the risks of their devices and how they are handling sensitive data.
The other shadow-IT-like issue at hand is that cloud apps are not exclusively accessed by employees. To maintain a competitive edge, many organizations rely on a network of external contractors, partners and third parties to collaborate in the cloud. Not only are they using their own devices and networks, but they may also end up holding data within their systems.
We actually helped a large construction company with this visibility issue that ended up stopping a ransomware attack. Prior to the incident, the customer collaborated through Box to upload design documents that partners would download to use for construction. When the partner's system got infected, we saw that the partner machines were downloading files in bulk from Box, encrypting and renaming the files, and then reuploading the files to their original location. With the controls in Box alone, the construction company had no way of quickly detecting or controlling these activities.
BN: What can organizations do to make their transformation process safer?
SL: The main question is, how do I protect sensitive data while still enabling my employees to access what they need and stay productive? The answer to that is making smart zero-trust access decisions. There are many products that provide binary allow-deny access controls. To ensure you take full advantage of the cloud, you need to make granular decisions that take into account both the fluctuating risk level of users and endpoints, as well as the sensitivity level of data.
To get to that point, you need to move away from deploying disparate 'string-of-pearl' security products in favor of a converged approach.
If you think about it from the perspective of a typical user, particularly someone who’s remote, you can see the advantages of consolidating your security. On any given day, that employee will access a SaaS app on their laptop such as Office 365 or Gmail. They also may access enterprise apps sitting on-premises or conduct research on the internet. Each of these destinations is very different, which means they are nearly impossible to secure in isolation.
With a unified platform approach to security, IT and security teams can quickly and efficiently write and enforce granular policies based on user behavior, endpoint risk posture as well as data sensitivity across all cloud apps in one place without the need to double their efforts.
BN: What steps should organizations take to start securing their digital transformation?
SL: As I mentioned earlier, productivity is key. It's one of the main reasons you would adopt cloud services. With everything available at the tap of a finger, employees have come to expect a frictionless experience every time they log in to work.
To accommodate this productivity, it's critical that security and IT teams rethink their legacy security strategy and adopt zero trust in the cloud. Simply put, this means that access to apps and data is only provided when a user or entity can be continuously authenticated as a trusted user, and, just as apps have moved to the cloud, security should also be delivered from the cloud. A perfect world, where security becomes a big enabler for productivity, is one in which, when someone's device has been identified as 'risky' because they're using a personal unpatched device on a public Wi-Fi, I can still give them limited view access to a corporate Google Doc but won't allow them to download anything. This is how security becomes a big enabler for productivity.
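As an added illustration of the Box incident described in the interview (partner machines downloading files in bulk, encrypting and renaming them, then re-uploading them to their original location), here is example detection logic run over constructed cloud-storage audit events. This is not Lookout's or Box's code; the event format, field names and the `.locked` suffix are assumptions made for the example.

```python
"""Detect the bulk download -> rename -> re-upload pattern over constructed
cloud-storage audit events (hypothetical format, not Box's real event schema)."""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# Constructed sample events: (timestamp, actor, action, full path). Not real log data.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "partner-bob", "download", "/designs/site-a/plan.dwg"),
    ("2024-03-01T09:00:02", "partner-bob", "download", "/designs/site-a/elev.dwg"),
    ("2024-03-01T09:00:04", "partner-bob", "download", "/designs/site-a/notes.docx"),
    ("2024-03-01T09:03:10", "partner-bob", "upload",   "/designs/site-a/plan.dwg.locked"),
    ("2024-03-01T09:03:12", "partner-bob", "upload",   "/designs/site-a/elev.dwg.locked"),
    ("2024-03-01T09:03:14", "partner-bob", "upload",   "/designs/site-a/notes.docx.locked"),
    ("2024-03-01T09:10:00", "alice",       "download", "/designs/site-a/plan.dwg"),
    ("2024-03-01T11:00:00", "alice",       "upload",   "/designs/site-a/plan-v2.dwg"),
]

def parse_event(raw):
    ts, actor, action, path = raw
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action,
            "folder": posixpath.dirname(path), "name": posixpath.basename(path)}

def find_reupload_pairs(events, window=timedelta(minutes=15)):
    """Per actor, list uploads that look like an encrypted copy of a file the same
    actor downloaded from the same folder shortly before: the original name is a
    prefix of the new name (e.g. plan.dwg -> plan.dwg.locked) within `window`."""
    downloads = defaultdict(list)   # actor -> downloads seen so far
    pairs = defaultdict(list)       # actor -> [(original name, re-uploaded name)]
    for ev in sorted(map(parse_event, events), key=lambda e: e["ts"]):
        if ev["action"] == "download":
            downloads[ev["actor"]].append(ev)
        elif ev["action"] == "upload":
            for dl in downloads[ev["actor"]]:
                if (dl["folder"] == ev["folder"] and ev["name"] != dl["name"]
                        and ev["name"].startswith(dl["name"])
                        and ev["ts"] - dl["ts"] <= window):
                    pairs[ev["actor"]].append((dl["name"], ev["name"]))
                    break
    return pairs

def flag_actors(events, threshold=3):
    """Actors with at least `threshold` download->rename->re-upload pairs; a normal
    user editing one file (alice above) stays below the threshold and is not flagged."""
    return sorted(a for a, p in find_reupload_pairs(events).items() if len(p) >= threshold)
```

The threshold and window would be tuned against the tenant's normal collaboration volume; the same pairing logic works on any event source that records actor, action, path and time.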