For far too long, the conversation around cloud and security has revolved around Shadow IT, the use of cloud applications that IT doesn’t know about. The reality, however, is that 90% of corporate data will reside in the SaaS applications that are approved for business use. That’s where the attention of IT organizations should focus on – how to extend visibility, governance and protection to these SaaS applications.
But, when it comes to SaaS applications versus on-premise, there are three characteristics that define the need for a different approach to data governance, risk management and security in the cloud:
• Anywhere anytime any device access – First, users with an account and password can access SaaS applications from anywhere on any device at any time. This includes access via managed and unmanaged devices. This is very different from on-premise applications where access is only allowed via corporate VPN networks and managed devices, and additional barriers of security exist between the user and the data center hosting the application.
• For the first time, how information is used and shared is defined by users, not IT – SaaS application folders and files are created by users. Users can invite collaborators and share these files with anyone using just one link. Many of these users have very little security background to understand when their actions bring risks to the organization
• Unique data sharing capabilities – There are a myriad of ways that data is being shared and stored, unique to very SaaS application. For example, did you know that within Salesforce alone, you can have data in Chatter files, CRM content, Salesforce knowledge base articles, documents (web development materials), and attachments (files attached to a record)? It is unrealistic to expect security IT administrators to understand the nuances of every SaaS application, yet they are ultimately responsible for governance of the data in it.
What all this means is that SaaS application usage risks are inexplicably tied to the human element. Who users interact with, their privileges, the data they touch, how they access the data and their behaviors are the very attributes that impact an organization’s risk profile in the cloud.
1. Address your zombies
Those of you who are close to me know that I’m a huge fan of AMC’s Walking Dead, a show about the zombie apocalypse. I’m stocking up on ammo and working on my samurai-wielding skills as we speak. But, it turns out these skills will be useful for my day job as well because zombies are real and thriving in the cloud. 11% of all enterprise SaaS accounts are “zombies,” inactive users for the last three months. They are at best eating up (no pun intended) the cost of a SaaS application license, and at worst increasing the attack surface of the organization. It’s a good best practice to address your zombie users.
2. Plan for the departed
Don’t forget about the employees who have left the company. 80% of companies have at least one former employee whose SaaS application credentials have not been disabled. As part of the exit interview, organizations have a plan in place for disabling on-premise access (easily accomplished by turning off “VPN” access), but may not have formulated a plan for cloud. Not only must access to corporate SaaS applications be removed, but IT administrators must also account for files that are owned by the departing employee. A transition plan must be in place to transfer ownership of files to prevent “orphan” file issues where files have no clear attestation trails or violate data retention policies.
3. More admins, more problems
Privileged users bring greater risks because their access makes it easier for them to do damage, whether intentionally or if their credentials are stolen. In some SaaS applications, Adallom recorded an average of 7 administrators out of every 100 users. Sometimes, the reason for this is benign; an IT administrator grants a user privileges to run a special report, and forgets to rescind the privileges later. Other times, it is because the application administrator accidentally created the same privileged accounts for multiple users. Regardless, it represents a significant threat to any organization that requires immediate attention.
4. Where is your data?
37% of Adallom customers discovered they stored more cloud data in Salesforce than any other cloud storage service. For governance and security purposes, it is critical to understand where corporate data resides and who they are being shared with. Just don’t make the assumption that it only exists in content management systems. The best practice here is to integrate an enterprise storage solution (like Box) for governance, along with a Cloud Access Security Broker for risk management.
5. Sharing is caring, except in the cloud
Sharing in the cloud is extremely easy. After all, collaboration is one of the reasons to move to cloud applications. Users are likely to (accidentally) provide public access to a folder, enable access to a third-party application or share files with their personal email accounts. The statistics are staggering:
• The average company shares files with 393 external domains
• 5% of an average company’s private files are publicly accessible
• 29% of employees share an average of 98 corporate files with their personal email accounts
Best practices include disabling anonymous access and indexing within your SaaS application. This prevents search engines from indexing or crawling documents within SaaS applications. You must also identify oversharing violators, and how third-party ecosystem applications are integrating with your SaaS applications. Cloud access security brokers focused on governance and threat prevention can help with addressing these issues, including removing public access.