[BreachExchange] You're the IT worker in charge of securing the cloud for your company. Welcome to Hell

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 6 19:13:58 EST 2018


Once upon a time, you’d go into the office, do your work during the day at
your desk, then leave everything behind and go home. Well, end users would
- IT workers have been lugging home the on-call laptop since the dial-up
modem was invented.

Back then, securing the information and the IT assets of a desk-based
workforce required a pretty simple architecture - secure the network, the
internet, the email gateway, the server and the workers' devices.

Bonus points if you could achieve that with a minimal number of different
vendors' products.

Then along came the cloud. Our DMZ architecture world was rocked.
Software-as-a-Service applications meant that the business expected to
access data stored outside of the company firewall so they could work from
free Wi-Fi at trendy cafes.

Today, work is no longer a place we go; it’s a thing we do. And sometimes
we want to do it from our own phone, tablet or MacBook. Oh and by the way,
everything still needs to be secure. Hmm.

Expectations of a modern workforce

Without blaming millennials, our society expects to access information fast
and in a manner that’s convenient. That behaviour is seen in our customers
and in our workers. Whether it’s a self-service portal to change your
address, an account with your personal details for ordering from an app, or
just the ability to check work emails on the train from your own phone,
we’ve changed our definition of “remote access.”

To accommodate this, the business needs to make information easily
accessible from outside of the corporate network.

Your mileage may vary, because there are some financial and government
systems that will never be (or at least should never be) anywhere near the

This requirement for mobility has changed the way we look at IT security.
In the old days, we blocked USB drives on your work PC. Then, we blocked
you from accessing file-sharing websites. Neither of those tactics works in
2018. However, some universal security concepts are still true. Hackers are
going to hack. Phishers are going to phish. And grumpy employees are going
to siphon information out of a business before you even know they are

Risks of a mobile workforce

Workers see mobility as the freedom to work anywhere, at any time. IT
professionals picture that as people leaving their phone on the bus, along
with corporate data. People are going to lose devices and if you can’t
enforce that their phone at least has a PIN code, that’s the start of your
risk. Amplify that if they can access information that has strict privacy
regulations or is under a Non-Disclosure Agreement.

While they’re at a trendy café, today’s modern worker takes advantage of
the establishment’s free Wi-Fi. They are now very productive, whether
working on a project or just in-between client meetings. Unless they’ve
unknowingly connected to a fake network and are now the victims of a
man-in-the-middle attack. If you think that only happens in bad crime
dramas (needing the cybers for the ratings), see how easy it is to buy a
Wi-Fi Pineapple online and what you can do with it.

In a Software-as-a-Service (SaaS) world, the winner for Miss Popularity
goes to the API. If you’re not automating things, you’re not doing it
right. Connectors like Zapier, IFTTT and Microsoft Flow make it easy for
the average user to read data out of one system and stick it into another …
without the need to involve the IT department. What a winning concept for
raising productivity when we’re working across a dozen different Software
as a Service apps! What a nightmare for IT who has no idea what other apps
now have access to the corporate data or who’s using them.

Checked out the company SaaS app’s terms of service to ensure your data is
staying confined to your country? Great! Doesn’t help you when a connector
is copying stuff somewhere else and you don’t even know, because a user set
it up. Not to mention when that user becomes an ex-user of your app... but
they still have access to their other apps. And you thought that
auto-forwarding emails to a Gmail account was your worst data protection

IT security tactics for the real world

So, what’s the IT department to do? If we point out the risks, we look like
we’re just saying “no” again to get in the way of business progress.
Performing a classic risk assessment and identifying the security risk, the
likelihood of it happening and the impact if it does, is just half the
story. The next step is to identify any possible control measures, then
re-evaluate to see if they’ve reduced the risk. But then what - what, at a
high-ish level, are your strategic and tactical options?

Mobile device management

We could just say “no” to allowing the use of any personal devices for
accessing company information. If you are a Defence Force, this is a valid
& reasonable strategy. If you are a growing business with a young
workforce, some IT solutions may allow your staff to use their own phones
and also let you sleep at night. Mobile device management offerings like
ManageEngine and AirWatch work across iOS and Android, while others such
as Jamf are for one platform only - iOS. Before any of that, however,
you’ll need to get the workers to enrol their devices with your system of

Conditional access

This is a slightly different beast to MDM. Some SaaS systems (especially
Microsoft Office 365 and security product Microsoft Intune) can enforce
that data is inaccessible unless the device meets certain criteria, without
the need for device enrolment. This can range from requiring the device to
have a PIN code, through to specifying which mobile apps are allowed to
access the data (effectively preventing copying & pasting or API access).

External sharing controls

External sharing controls provide another means of protection, regardless
of the device used. If you can lock down the data at the source, you can
prevent it from being shared outside of your organisation in the first
place. This kind of protection is embedded in the file. Attach it to a
personal email via your browser and you'll find the recipient can't open it
without a valid company account. Even Google's G Suite lets you stop
certain file names or types being emailed – it does this through an
attachment compliance feature.

Data loss prevention

This goes one step deeper, into the contents of a file or an email.
Microsoft makes this a selling point for its Enterprise level Office 365
licenses. Users can see a warning that sending that credit card number in
their email may not be a good idea, or have it blocked completely by a DLP
policy. If you want data loss prevention for G Suite, however, you’ll need
to look at a third-party package like CloudCodes.
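The warn-or-block behaviour described above, as an added example that is not code from the article or from any vendor product: a small outbound-email DLP check that looks for card-number-shaped digit runs, confirms them with the Luhn check so order and phone numbers are not flagged, masks the match in its verdict, and applies whichever action (warn or block) the policy names. The sample message is constructed; the card numbers in it are standard test numbers, not real cards.

```python
import re

# Candidate: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that pass both the shape and Luhn tests."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def evaluate_email(body: str, action: str = "block") -> dict:
    """DLP verdict for one outbound message.

    action is the policy's response to a confirmed match: "warn" shows the
    user a tip, "block" stops the send. No match means "allow".
    """
    cards = find_card_numbers(body)
    if not cards:
        return {"action": "allow", "matches": []}
    masked = ["*" * (len(c) - 4) + c[-4:] for c in cards]   # never log the full PAN
    return {"action": action, "matches": masked}


# Constructed sample: one order number (fails Luhn) and one Visa test number.
SAMPLE_EMAIL = (
    "Hi, order 1234 5678 9012 3456 is confirmed. "
    "Charge it to my card 4111 1111 1111 1111 please."
)

if __name__ == "__main__":
    print(evaluate_email(SAMPLE_EMAIL))          # block, one masked match
    print(evaluate_email(SAMPLE_EMAIL, "warn"))  # same match, warn instead
```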

Spotlight on shadow IT

One of Microsoft’s lesser-known security offerings is Office 365 Cloud App
Security. It can analyse which apps have had API access to your Office 365
data, from a central dashboard and without any end-user intervention. And
if you really want to find out what your users are doing, it will analyse
your network and present reports on what other SaaS apps are in use in your
business. That's more powerful than your firewall logs and handy for
sniffing out browser-based unauthorised software.
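The network-analysis side of that shadow IT report, as an added example that is not code from the article or from Microsoft's product: it reads web proxy log lines, maps each destination host to a SaaS app, drops the apps on your sanctioned list and reports which users are talking to everything else. The log format, the log lines and both app lists are constructed for the example; in practice the sanctioned list comes from your own asset register.

```python
import re
from collections import defaultdict

# Constructed proxy log: "<timestamp> <user> <method> <url>" per line.
SAMPLE_LOG = """\
2018-02-06T09:01:12 alice GET https://outlook.office365.com/owa/
2018-02-06T09:02:30 alice POST https://hooks.zapier.com/hooks/catch/12345/
2018-02-06T09:05:01 bob GET https://www.dropbox.com/home
2018-02-06T09:06:44 bob GET https://login.microsoftonline.com/common/oauth2/authorize
2018-02-06T09:07:10 carol POST https://api.trello.com/1/cards
2018-02-06T09:08:55 dave GET https://www.dropbox.com/sh/abc
2018-02-06T09:09:02 alice GET https://hooks.zapier.com/hooks/catch/12345/
"""

# Domain suffix -> app name. SANCTIONED is what IT approved (assumed list);
# KNOWN_APPS names other SaaS/connector services so the report is readable.
SANCTIONED = {"office365.com": "Office 365", "microsoftonline.com": "Office 365"}
KNOWN_APPS = {"zapier.com": "Zapier", "dropbox.com": "Dropbox", "trello.com": "Trello"}

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HOST = re.compile(r"^https?://([^/:]+)")


def classify_host(host: str):
    """Return (app name, is_sanctioned); unknown hosts report under their own name."""
    for suffix, name in {**SANCTIONED, **KNOWN_APPS}.items():
        if host == suffix or host.endswith("." + suffix):
            return name, suffix in SANCTIONED
    return host, False


def shadow_it_report(log_text: str) -> dict:
    """{app: {"users": [...], "requests": n}} for every unsanctioned destination."""
    report = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        h = HOST.match(m.group(4)) if m else None
        if not h:
            continue                      # malformed line or non-HTTP entry
        app, sanctioned = classify_host(h.group(1))
        if sanctioned:
            continue
        report[app]["users"].add(m.group(2))
        report[app]["requests"] += 1
    return {app: {"users": sorted(v["users"]), "requests": v["requests"]}
            for app, v in report.items()}


if __name__ == "__main__":
    for app, info in sorted(shadow_it_report(SAMPLE_LOG).items()):
        print(f"{app}: {info['requests']} requests from {', '.join(info['users'])}")
```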

Paging HR for reinforcement

Last but not least, check that your house is in order with some strong HR
policies and procedures. While we like to think it is natural for people to
take care of a mobile phone, it's better to spell out, in a "take care"
clause in your employee handbook, that care is expected and how seriously
your organisation would view a lost device. Same goes for sensitive data and non-disclosure
agreements. If you ever need to take action because of a data breach caused
by an employee, it’s far simpler to fire them with the backing of a good,
signed, human resources policy.

For every security threat around the cloud or mobile there exists one or
more risk control measures. It’s just up to us in IT to know what’s
possible and advise on what is practical.

Remember though that, ultimately, it falls to the business side of your
operation or to managers to decide where they want to draw the lines. They
may retreat into: “It’s too hard, no personal phones for you”, or: “It’s
all too expensive, we’ll just wear the risk.” If that happens, at least you
told them.