Posts

Schools Using Google Need a Lesson in Cloud Security

I used Google Docs to write this post – the popular word processing app within Google G Suite. At ManagedMethods, Docs is an indispensable part of our workflow. Collaborating, sharing and editing documents with a team through the cloud is easier than ever, leaving many of Microsoft’s Office apps in the dust.

Within the corporate world we’re still a minority, but moving forward, graduating students who become professionals will bring the software that they used in the classroom into the office, just like they did with Apple did 20 years ago. G Suite popularity is surging in schools as the New York Times recently reported:

“Between the fall of 2012 and now, Google went from an interesting possibility to the dominant way that schools around the country teach students to find information, create documents and turn them in,” said Hal Friedlander, former chief information officer for the New York City Department of Education, the nation’s largest school district. “Google established itself as a fact in schools.”

Despite the swift takeover by Google within the classroom, its interfaces, administrative controls and security are still lacking. For example, there’s a common misconception that if you convert to a cloud-based service, you no longer have to be concerned about security. The reality is not so simple. As institutions, school districts, and states migrate from desktop software to cloud apps, security becomes critical. Some administrative capabilities that are built into G Suite are incredibly powerful, but setting up the security protocols and processes that go along with G Suite can be complex and often fall short of expectation, leaving schools vulnerable.

Why Schools Should Care About Cloud Security
According to Verizon’s 2017 Data Breach Investigations Report, education is among the most vulnerable sectors due to the combination of black market treasure troves of private data and lax security measures.

Hackers target schools using phishing scams, ransomware, and malware which can be disguised in email links that look like an invitation to a shared document, known as an OAuth attack. The goal of an OAuth attack is to obtain credentials. The hackers then use login access to steal personal information for financial or competitive gain.

Cybersecurity is an issue that every industry is coping with, but schools face challenges from every angle, weighing pressure from hackers, employees, students, administrators, politicians, and taxpayers. With the nearly ubiquitous presence of Google in the classroom, it’s too important to ignore.

Learn how Steamboat Springs School District uses Cloud Access Monitor to secure the data shared in Google G Suite.

Attention: IT has Moved to the Cloud. Why Hasn’t Security?

IT has moved out of the enterprise data center and into the cloud. Employees work from anywhere and access business data using personal devices such as tablets, phones, and laptops as BYOD is becoming more widely adopted. While the technology to support this new way to work has evolved, security protocols haven’t kept up and legacy network security vendors are scrambling to find an answer to this increasing trend.

Fear Not! There is a new solution to this called CASB or Cloud Access Security Broker.

ManagedMethods is a Cloud-Native CASB vendor. What does Cloud-Native mean? It means we reside in the cloud and we use cloud-to- cloud connections, otherwise known as APIs or Application Programming Interfaces. An API is a simple and secure way for cloud applications to connect to each other. APIs are seamless, without requirements for cumbersome proxies or web gateways, and without the need to install agents on employee devices.

Risky User Behaviors in the Cloud
Today’s employees must be able to access data wherever they are, regardless of which device they are using. However, just as the technology that enables users to access data has changed significantly, so have risky user behaviors. These can be broadly classified as:

  1. Accidental access to information
  2. Accidental insider behavior
  3. Malicious insider behavior.

There is also the “Compromised Insider” where user credentials are compromised by a hacker who pretends to be a legitimate user in the organization.

Security Hasn’t Kept Up with Technology
While the technology landscape has changed, we don’t think security has evolved enough to help organizations make this shift. Organizations have been spending millions on threat-centric/defensive security products, which makes companies reactive instead of proactive. There’s a lot of investment going into securing the non-existent security perimeter.

For many years users were constrained by IT. But with the advent of cloud apps, users were able to circumvent IT and use apps without IT’s knowledge. This is the known as Shadow IT. In the beginning, organizations blocked any cloud app use, but at some point, they had to adopt and embrace it since it became a business enabler.

As an example, consider cloud apps like Google G Suite or Office 365 and OneDrive. Both are popular in the business world and use is increasing daily. Employees collaborate, store and access data through these apps every day and they are the core of business communication. When that communication is broken or compromised by a security crisis as we have seen recently with the Google OAuth phishing attacks, people take notice and become concerned about their data.

This is why the CASB wave is quickly gaining momentum and legacy security vendors and methods must evolve to work the way employees and companies work today.

The data center and applications have already moved to the cloud. Shouldn’t security move too? With a cloud-native API approach, we here at ManagedMethods believe that we can help organizations move securely to the cloud.

See our Cloud-Native CASB in action: Watch this brief video and then request your free trial.

Accidents in the Cloud: Better Buckle Up

Last week, Ars Technica broke news about an information leak in Docs.com, Microsoft’s version of Google G Suite. Users unwittingly shared sensitive docs publicly that contained private data easily accessible from search engines. Microsoft is taking corrective action, but for those who’ve had their Social Security and health information hijacked, these actions are of little consolation. Like Mitch Ratcliffe said in 2009, “A computer lets you make more mistakes faster than any other invention with the possible exceptions of handguns and Tequila.” Eight years later that quote still holds true. When accidents happen in the cloud, the consequences can be devastating.

Just waiting to happen

Days ago, a security researcher noticed that Microsoft’s free document-sharing site, which is tied to Office 365, had a search bar on the homepage. The whole point of Docs.com is to share documents within your organization or to people outside of your organization, so in most cases, these files were meant to be shared, but not necessarily with the entire world. Search engines indexed all the files within Docs.com, so you could do a simple search for say “passwords” and find all the shared documents with password information. This would all be laughable if the implications weren’t so serious.

“Doxxing” is internet slang for the release of private data online, often done by hackers and antagonizers with malicious intent. In this case, users were doxxing themselves, and Microsoft deserves part of the blame too. When personal health information and Social Security information is made public, the consequences are stubbornly irreversible. Bank accounts can be opened, liquidated, and closed and illegal activities using your private information can surround you for the rest of your life. This situation is a trainwreck, or better yet, a car wreck.

Friends don’t let friends use the cloud irresponsibly

Driving is among the most dangerous things people do on a daily basis, but very few people refuse to drive because it’s dangerous. Instead, we’ve improved vehicle safety. We have seatbelts, airbags, and soft exteriors that allow the car to bear the brunt of the impact while preserving the valuable lives inside. The cloud bears a resemblance to driving: it’s indispensable but most companies are still using the cloud without a seatbelt. There are best practices and practical precautions businesses can take that make cloud use much safer, such as cloud security.

If an employee accidentally leaks private data, the company is responsible. Cloud security tools designed for cloud apps like Cloud Access Monitor can flag and quarantine sensitive data before it leaks. As far as security solutions are concerned, Cloud Access Monitor is even easier to do than buckling up, with API integrations with the most common cloud apps, including Microsoft Office 365, OneDrive and Google G Suite. And deployment is quick – less than 30 minutes –  and users will never notice a difference, nor is there any impact on your existing infrastructure. You literally don’t even have to think about it after that.

Please use the cloud responsibly. Buckle up with Cloud Access Monitor.

See how we make Cloud Security Easy: Watch this brief video and then request your free trial.

The Hidden Benefits of Shadow IT

Security is a balancing act. If you aren’t secure enough, risks proliferate. And if you are too secure, risks will still proliferate because users will find ways around it.

As a cloud security vendor, you might think that we always try to tip the scales towards more security, but that’s not entirely accurate. When people think of IT security, they picture expensive, comprehensive systems that cost a fortune while burdening users with extra steps. As recent spy TV shows like “The Americans” and “Turn” demonstrate, in a deeply connected world, security is more about knowledge rather than bigger and better walls.

Instead of selling “more” security, we want businesses to shine a light on their Shadow IT and become more intentional and strategic about their cloud security practices. IT pros should carefully consider what cloud apps mean for their business, then take reasonable steps to harness that power. If you want to improve security without doing too much, great! Here’s an easy way to make that happen:

Shadow IT as Business Intelligence

One of the smartest decisions businesses make is when they realize there’s a blind spot in their security and decide to learn more about what’s happening. If you’ve done that, then you deserve a pat on the back! If you haven’t, then you need a splash of cold water on your face. (we’ll gladly provide the water!)

You might not know it, but employees do companies a huge service when they use unsanctioned cloud apps. Why? Because their activity will let you know where your business has strengths and weaknesses. There’s a good chance that everyone is using an app that makes collaboration and meeting deadlines easier. You might want to sanction that app and develop standard processes for use. It’s a win/win. People who only use unsanctioned cloud apps sporadically will be easy to identify and you can address the issue by providing training before an emergency happens, like the leak of a client list. Another win/win. The only guaranteed loss is if Shadow IT remains in the shadows and businesses wait for a crisis. You should be able to see cloud activity, and this knowledge should drive a strategy.

Smarter Security Practices

Businesses that never think about security aren’t very different from businesses that think security means locking everything down – they are similarly hard-headed. Cloud security exists within the context of a provider’s practices, a user’s needs, your business’s needs and regulatory requirements – that’s a bunch of variables to consider. Allow me to make a recommendation: tip the balance towards users as much as regulations allow. Otherwise, users will figure out ways around the system and create additional Shadow IT issues that are even more difficult to address. You want employees to feel comfortable enough to experiment with new apps and services while still in view. Keep in mind that their activity isn’t necessarily malicious, and often, they are doing you a favor. You can leverage the cloud security intelligence gathered in step one to improve your security, operational efficiency, and regulatory compliance.

Cloud monitoring and intelligence is all most businesses need. No bridge burning, lockdowns, cumbersome barriers and restrictive policies necessary.

See how we make Cloud Security Easy: Watch this brief video and then request your free trial.

The Year of the CASB

As 2017 gains momentum, I’m reminded of how quickly cloud apps have completely conquered the business world in recent years. But the transition hasn’t always been easy and security in the cloud is still a major concern. The more businesses use the cloud, the more control they’re giving up, until now. We’ve spent every hour of every week for the past few years perfecting one of the best cloud security platforms in the industry, but we still have one of our biggest challenges ahead of us: Many businesses aren’t aware that our cloud security solution, Cloud Access Monitor, can be setup in 30 minutes or less, is simple to use, AND affordable. (yeah, I said that…how many software companies claim that?) Our recent spotlight in Fortune magazine is one of the many ways we are trying to spread the word.

Recognizing the problem

The transition from desktop to the cloud wasn’t well planned. Many workflows weren’t intentional well-designed processes; they were adopted, forgotten, rehashed, hacked and cobbled-together. The loss of control over workflows can chaotic, which isn’t always a bad thing, but a lack of oversight leaves big gaps in security, and that only benefits the bad guys. Sensitive business data and client information can be shared with the world and no one would even know it happened. This unmonitored activity in the cloud creates Shadow IT. Shadow IT is responsible for 1/3rd of all breaches, but most businesses don’t even realize how much of their data is almost public and always vulnerable.

Flipping the light switch on

Businesses aren’t wholly responsible for the Shadow IT security gap. Many of the cloud solutions available, referred to as Cloud Access Security Brokers (CASB), are difficult to integrate, hard to use and completely out of reach financially. As CASBs battle for the enterprise market, everyone else has gritted their teeth waiting patiently for something less expensive and tailored to their specific needs. That’s why we’ve made the most efficient cloud security solution available, Cloud Access Monitor, integrate with the most popular business cloud apps:

Cloud security made easy

Every business wants to be assured that their data is safely used and shared in the cloud. Just like you want to be assured your own safety when driving your car. But since most companies just need a dependable Honda to get from point A to point B, there’s no point in bothering with a flame retardant suit, helmet, roll cage and five point safety harness! Businesses will be much more likely to secure the cloud when security solutions are efficient. Cloud Access Monitor is like the safety belt and airbag system: so easy to use that you don’t have to think about it, but you DO need to know about it. 2017 is going to be the year companies “buckle up” and embrace cloud security.

Fortune CASB Feature Fortune CASB Feature

Click the image to read our spotlight article in Fortune. 

CASB: The Best Cloud App for Business That You’re Not Using

The best cloud apps for business are cloud app security solutions. Commonly referred to as Cloud Access Security Brokers (CASBs), they use a mix of hardware, software, and cloud-based solutions to improve cloud app security for businesses. Cloud security is the fastest growing sector of IT with over $500m in venture capital funding and roughly $260m in forecasted revenue in 2016. CASB revenues are forecasted to grow anywhere from 30 percent to 100 percent between now and 2020.

Why CASBs are the best “cloud app”

Cloud apps are easy to use so employees are much more likely to break IT security policies without considering the consequences. These unmonitored activities are known as Shadow IT. Shadow IT is a growing problem for businesses of all sizes because:

  • Traditional perimeter security solutions, such as firewalls, weren’t designed for cloud use.
  • Cloud services often lack basic security protection and assurances, so users are responsible for upholding security.
  • Sensitive data in the cloud is often shared between unapproved users and devices because it’s easy.
  • Each cloud service has differing security approaches and controls making management difficult.

Want to see for yourself why a CASB is the best security solution for your company? Watch our brief video tour of Cloud Access Monitor.

Security solutions designed with the cloud in mind are the only solutions that address the new risks created by increased cloud use. With the explosion of cloud apps in business, CASBs have become mainstream in a short period of time to help businesses improve cloud:

  • Data loss prevention (DLP)
  • Compliance
  • Policy enforcement
  • Intelligence
  • Control
  • Security

An easy approach to cloud security

Discover/Monitor – Businesses can start by shedding light on the extent of their Shadow IT problem. Through cloud activity monitoring businesses can learn:

  • How many apps are in use
  • Who’s using them
  • What apps
  • What data
  • How much
  • How often

Analyze Use/Assess Risk – Analyzing cloud behavior patterns provides the baseline for discussing and prioritizing the existing risks. This gives IT personnel an opportunity to discuss the somewhat messy business of regaining control over cloud-based activity.

Automate/Control – Policies need to be enforceable. After monitoring and assessing the risks, businesses can create smart policies and make sure they are upheld. When unsanctioned activities occur, follow up actions such as notifications, blocks or quarantines should occur automatically.

CASB shopping in a nutshell

Finding the right CASB isn’t as hard as it used to be when the category first emerged. The marketplace matured quickly through rapid solution development, mergers, and acquisitions.

Identify your pain points, monitor/analyze cloud risks, and decide which integrations are important. Then, look for a CASB that directly addresses those needs at the most affordable price.

Want to see why a CASB is the best security application for your business? Watch our brief video tour of ManagedMethods’ CASB tool, Cloud Access Monitor.

Cloud Security: You’re Doing It Wrong

angrymanatcloud

You’re doing it wrong, also known as YDIW, is a meme for when people make egregious mistakes IRL (In Real Life). The phrase is so popular, PBS even created a show around how to get back on track for when YDIW. There are probably hundreds of things that we all do wrong on a daily basis, and small to midsize businesses are no exception – for example, most of them drop the ball with cloud security. Here’s why…

Why You’re Doing Cloud Security Wrong

1. You assume you know what’s going on
You’ve sanctioned Dropbox and Office 365/OneDrive. There are defined processes and rules of engagement with cloud apps. Employees follow these rules perfectly. Really? If you think everyone follows unenforced rules perfectly, here are a few facts:

Most businesses condone some use of cloud apps due to their ease and efficiency. Most businesses think that written rules and processes are adequate measures for hedging the risks that cloud apps create, but they don’t even come close.

Businesses have security, visibility and control over everything outside of cloud apps. Why should cloud apps be the exception to normal IT security measures?

2. You task employees with security

Your employees are awesome. Their execution is impeccable and they always meet deadlines. Following security rules benefits everyone and strengthens the organization to create a solid digital defense. Everyone is on the same team; a cohesive unit. There is a good chance that everyone believes they aren’t the weakest link, but someone always is.

People are terrible at self-policing. Take driving for example. There are moments where everyone isn’t as good of a driver as they expect. We all get lost, listen to our GPSs when we shouldn’t and make split second decisions on the road at some point. Yet somehow, it’s always the other driver’s fault.

Tasking each employee with IT security responsibilities is like saying the roads don’t need any rules – everyone will self-regulate.

3. You trust cloud app security

Sticking with the car analogy here, we’d like to think that every road and every car is in impeccable condition. Even though we’ve improved driving safety dramatically over the last 100 years, safety still isn’t a promise.

We use cloud apps as though safe driving conditions were guaranteed. Mainstream business use of cloud apps has been around for less than a decade and in many ways, the internet is still like the Wild West. We use it at our own risk.

Cloud vendors are huge hacking targets. As cloud providers store more sensitive information, they become a bigger target for hacking.

4. You say one thing and do another

This is the crux of all cloud security issues. The people who use technology the most are also the most likely to break the rules. When you drive all the time, you know what you are doing and you feel like you own the road. Similarly, when you have control over security measures and use technology all the time, you feel like exceptions to the rules should be made in your case.

Cloud use is growing, security risks due to cloud app use are also growing and businesses get to decide if those risks should be a concern. When it comes to cloud security, Y(probably)DIW, but you can do it right by setting up cloud app monitoring. Visibility into cloud use means IT pros can:

  • Monitor activity in real time, detect sharing patterns and identify anomalies.
  • Discover Shadow IT and also gain visibility into user activity within sanctioned apps.
  • Identify sensitive data in the cloud and enforce DLP policies to meet data residency and compliance requirements.
  • Detect and respond to insider threats, privileged user threats, and compromised accounts

Ready to see how a CASB can help you do Cloud Security the Right Way? Watch this brief video product tour of Cloud Access Monitor.

The Right Cloud Security Tool for the Job

There are a variety of popular terms for cloud security including SaaS Security, Cloud Access Security Brokers (CASBs) and Cloud Access Control (CAC). Cloud-specific security solutions are already an enterprise-level standard in the security stack, even though the vast majority of businesses are still uncertain of what to call them. 451 Research estimates that CAC vendors raised $500m so far this year to fight over a $260m pie in revenue for 2016. This sort of large-scale funding requires large scale solutions, massive feature sets, and expensive contracts in order to produce a return within a few years.

Due to pricing models based on monthly subscriptions per user, there is a battle looming over seats. Enterprise adoption of SaaS security is high, so first-to-market vendors compete over a few large contracts where one contract can fill thousands of seats. The growth and competition are exciting, but it’s left midmarket businesses wondering when they’ll see solutions tailored to their needs. A few cloud security vendors are going after a handful of big enterprises, while the vast majority of businesses that don’t have the same needs and budgets are left without good options. Large CASBs are overkill for most businesses:

“The majority of the market will be satisfied with discovery, basic analytics, and behavioral insights.” – 451 Research

Less is More

As more small to medium-sized enterprises address their Shadow IT problem, they’ll see past the feature bloat and marketing of large scale CASBs. If not, the high cost of large-scale solutions will deter them. For example, cloud activity discovery and analysis is a near universal need, so large CASBs offer it for free in an attempt to capture downmarket revenue streams. The catch is that the overall price per seat is at least 10x more than CASBs that were developed with more specific uses in mind.

Solutions that are more specifically targeted downmarket, like our Cloud Access Monitor (CAM), will be easier to integrate, simpler to use and more affordable. CAM is tailored to your specific needs. Our cloud-native API integrations and network monitoring solution can be added in the cloud or integrated into existing architecture through next-gen firewall partners. CAM provides:

  • Compliance
  • Discovery
  • Visibility
  • Behavior analytics
  • Automated anomaly detection, notifications, and quarantine.

Despite the astronomical price tags of large CASBs, small and medium sized businesses can address their Shadow IT problem easily and affordably today if they seek out the right tool for the job.

Ready to see a CASB in action? Watch this brief video product tour of Cloud Access Monitor.

What did your corporate data do in the cloud last night?

As I was reading Ponemon Institute’s most recent report on data protection and information security, “Closing Security Gaps to Protect Corporate Data,” I was struck by the study’s most significant finding: 3 out of 4 companies have experienced loss or theft of important data. Three out of four?! That means that at recent meetings I’ve attended with other CEOs and corporate leaders that almost everyone has faced this significant challenge to their business and reputation! And that’s companies of all sizes, not just the big guys you hear about in the news. How did we get to a place where data insecurity is the norm?

To start, the pace of business today requires information to flow quickly and efficiently to those who need it to do their jobs; we need the data now! This critical flow of data is expedited by the rise of cloud collaboration apps like Office 365 and Google Apps. Now Jim in Finance in Boston can access key customer purchase data from Susan in Operations in Chicago, and Diane and George in Patient Accounts can work together on a report that shows a correlation between account delinquencies and insurance providers.  In fact, Ponemon found that 88% of end users say their jobs require them to access and use proprietary information. If everyone’s doing it, it must be ok, right? What could possibly go wrong?

Well, we all know the answer to that. Now that the data is so easily accessible, it’s also easily abused. And usually not with malicious intent. In fact, Ponemon found that it’s more than twice as likely to be due to innocent employee behavior than a crafty cybercriminal. A simple user error, like uploading a sensitive file to the wrong folder in Dropbox, can result in the accidental disclosure of client data, trade secrets, and even health records. So aside from removing all access to the cloud or firing all employees, what can you do to protect your company?

Cloud Access Security Brokers (CASBs) are the answer. This new segment of cloud security products provides visibility into the use of those collaborative cloud apps that, unmonitored, can wreak havoc with your company’s confidential data and reputation. CASBs can tell you who is using which apps and on what devices, even if they’re outside of the corporate security perimeter.

But that’s only half the equation. To be truly confident in your cloud security and determine if you are at risk, you need to know what data is being shared too. Is it credit card or social security numbers? Patient case info? Proprietary development code? To answer that you need a CASB with audit and control features that use cloud-native APIs to see deep into the shared data. Our CASB product, Cloud Access Monitor, provides these critical features, with APIs to Office 365, Google Apps, and other popular cloud collaboration apps. So you can detect suspicious data behavior before your company becomes another statistic.

Want to see how a CASB can protect against innocent insider security mistakes? Watch our brief video tour of Cloud Access Monitor in action.

Portfolio Items