Cloud-based applications and services have been adopted rapidly over the past few years and are now in use across many U.S. organizations, government agencies included. But like any tool, they must be used securely; otherwise you risk paying a high price in data loss, financial cost and damage to your reputation.
Five security challenges cut across a broad range of cloud applications and activities. As agencies do more and more of their work in the cloud, these challenges are a good starting point for thinking about strong security practices.
The challenges are:
- Securing data access
- Defending against malware
- Securing BYOD
- Cross-application visibility
- Cross-application data control
Let’s break them down one by one:
Securing data access
Any cloud-based approach involves a division of security responsibilities. For a cloud-hosted application, the provider takes care of the physical facilities, the underlying infrastructure and the application itself, and is obliged to keep them secure wherever your data is housed. (The exact split depends on the service model: the more of the stack you build yourself, as with infrastructure-as-a-service, the more of it you also have to secure.)
But the burden of securing access to the data is on the customer: your agency. What sits in the cloud is just as much your asset as your physical structures, technology and people are, and it needs to be protected that way. In practice that means the user identities, the way they authenticate (multifactor, not passwords alone), the permissions granted to each account, and the service's own settings (sharing, guest access, and so on) are yours to manage, so that access to your data is limited to those authorized for it. This may sound basic, but it is no less critical for that.
Defending against malware
Malware comes in two flavors: the known and the unknown. The known is the easier to defend against, because its characteristics have been seen before and antivirus vendors have had the chance to publish detections for it. The unknown, particularly a brand-new sample or a zero-day exploit, is far more dangerous because it can get into your network without being recognized as a threat.
Signature-based systems look for specific characteristics in a file (a hash, a byte pattern, a distinctive string) that identify it as known malicious or potentially malicious software. Matching against a database of known signatures, they do a reasonable job on what has already been catalogued. But their capabilities are only as good as the extent and currency of that database, so every endpoint needs it kept up to date.
And unfortunately, from an attacker's standpoint, it isn't hard to alter the code so that a piece of malware slips past the guards at the door, so to speak: recompiling, repacking or even renaming a variable changes the file hash and can break a byte-pattern match while leaving what the malware does untouched.
The better approach is a behavior-based system, used alongside signatures rather than instead of them. Rather than asking what the code looks like, it examines what the file does when it runs (the processes it spawns, the files and registry keys it touches, the network connections it opens) and flags anything that looks like it could have malicious intent. The trade-off is a higher chance of false positives, and sophisticated malware may behave benignly when it notices it is being observed, so treat a behavioral flag as the start of an investigation rather than the end of one.
It’s like airport screening. Do you let anyone into the terminal just because their name isn’t on a watch list, or do you pay special attention to someone’s suspicious behavior or other telltale signs? Which way would you feel safer?
Securing BYOD
As efficient as it may be for an agency, and as happy as it makes employees to use their own favorite devices, bring-your-own-device (BYOD) is an ever-present risk.
Agent-based solutions, which install management software on the device itself, are the most thorough approach, but employees don't like them. They are a good fit for government-owned devices. On an employee-owned phone, though, they put everything on that phone (even those romantic late-night texts) potentially within the government's view.
Agentless solutions such as Sprint Secure Web address the risk from a different standpoint: they reside in the cloud and focus their protection on the government data, which is what matters most to the agency.
In a BYOD environment, agentless is the way to go. In one survey, almost half of employees were honest enough to say they would reject an agent-based solution on their phones, and a data protection chain is only as strong as its weakest link: every device left unprotected is one more risk an agency really doesn't want to take.
A solution such as MultiLine, where a distinct second mobile number — strictly for government business — is created on a BYOD smartphone, can also overcome employee resistance.
With this approach, work calls, texts and voicemail take place on the government-owned number on the employee’s phone. Work and personal communications and contacts are kept completely separate. The agency IT department can exercise complete control over the work number in a “mobile-first” environment, managing all user types and mobile requirements, while the user’s personal communications remain private.
Cross-application visibility
If your employees used only a single cloud application, you wouldn't have much of a problem. But every other app they use, some sanctioned and some not, creates risk. Whether it is messaging, file sharing or something else, you need to be able to look across the whole range of apps, which means collecting the sign-in and activity logs from each of them and correlating them in one place.
Recommended here is a UEBA (user and entity behavior analytics) approach. UEBA uses statistical or machine-learning models to monitor user and device behavior, establish a baseline of normal, expected activity, and alert on deviations from it. If an employee working from home in Baltimore signs in from there and, minutes later, signs in again from somewhere in Eastern Europe, that is "impossible travel," and it is quickly red-flagged. Expect to tune such rules: IP geolocation is imprecise, and VPNs can make a legitimate user look as though they have moved.
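The impossible-travel rule described above, as an added example (not code from the article or from any UEBA product it describes). It correlates sign-ins to different apps per user, computes the great-circle distance between consecutive sign-ins and the speed that would have been needed, and alerts above an assumed airliner-speed threshold. The log lines are constructed, with documentation-range IP addresses and approximate city-center coordinates; the threshold and the metro-area tolerance are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed threshold: faster than a commercial airliner is "impossible".
MAX_PLAUSIBLE_KMH = 900.0
# Assumed tolerance: IP geolocation is coarse, so ignore moves within a metro area.
MIN_DISTANCE_KM = 50.0

# Constructed sign-in records (not real data). Fields:
#   <UTC timestamp> <user> <source IP> <lat> <lon> <app>
# IPs are from the RFC 5737 documentation ranges. Coordinates are approximate
# city centers: alice in Baltimore, then a city in Eastern Europe 45 minutes
# later; bob in Baltimore, then Washington, DC, 90 minutes later.
SAMPLE_LOG = """\
2024-03-04T13:02:11Z alice 203.0.113.7 39.2904 -76.6122 mail
2024-03-04T13:47:52Z alice 198.51.100.23 44.4268 26.1025 files
2024-03-04T09:00:05Z bob 203.0.113.9 39.2904 -76.6122 chat
2024-03-04T10:30:40Z bob 192.0.2.44 38.9072 -77.0369 mail
"""


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    app: str


@dataclass(frozen=True)
class Alert:
    user: str
    previous: Login
    current: Login
    km: float
    hours: float
    implied_kmh: float


def parse_logins(text: str) -> list[Login]:
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon, app = line.split()
        # fromisoformat accepts a trailing "Z" only from Python 3.11; normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        logins.append(Login(user, when, ip, float(lat), float(lon), app))
    return logins


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM) -> list[Alert]:
    """Compare each user's consecutive sign-ins, whichever app they were to, and
    alert when the move between them would have required travelling faster
    than max_kmh."""
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two sign-ins at the same instant from far apart: infinite speed.
            implied = float("inf") if hours == 0 else km / hours
            if implied > max_kmh:
                alerts.append(Alert(user, prev, cur, km, hours, implied))
    return alerts


if __name__ == "__main__":
    for a in detect_impossible_travel(parse_logins(SAMPLE_LOG)):
        print(f"{a.user}: {a.previous.app}@{a.previous.ip} -> {a.current.app}@{a.current.ip}: "
              f"{a.km:,.0f} km in {a.hours:.2f} h ({a.implied_kmh:,.0f} km/h)")
```

Alice's pair of sign-ins (one to mail, one to the file-sharing app) is roughly 7,900 km apart with 45 minutes between them and is alerted; Bob's Baltimore-to-Washington move is about 56 km in 90 minutes and is not. The point of the cross-app correlation is that neither app on its own sees anything unusual.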
Cross-application data control
To make sure that anyone who touches or tries to access your data is authorized, you need strict controls. There are three broad ways to do this.
The device-centric approach is another agent solution. Again, it works well for government-owned devices but leaves employees unhappy in a BYOD setting.
Next is the application-centric approach, which lets the agency see what users are doing inside their apps. It isn't so much locking down the device as controlling the apps. It's a better approach, but it still has some performance issues and can be circumvented, for instance by reaching the same data through a client or app that the control doesn't cover.
Then there is the data-centric strategy, which focuses not on the apps but on the data itself, so it can work across a broad range of cloud apps. It offers contextual access control: each request is evaluated individually, looking at who the user is and what they are trying to do with which data, and the decision can depend on geographic location, device type or behavioral benchmarks. And importantly, it offers a range of responses when activity looks questionable, not just a binary allow or block: for example, requiring step-up authentication, permitting viewing but not download or sharing, or cutting the session off.
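Here is what a data-centric, contextual policy looks like when written down, as an added example (not code from the article or from any product it mentions). The policy is an ordered list of rules that are evaluated per request and that never look at which app the request came through; the first matching rule decides, and anything no rule allows is denied. The data labels, country list, risk thresholds and the graded responses are assumptions for illustration, and the risk score is assumed to come from a behavioral baseline such as a UEBA system.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable

# Assumed policy input; a real deployment would take this from configuration.
APPROVED_COUNTRIES = {"US"}


class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "require step-up authentication"
    READ_ONLY = "allow viewing only; no download or share"
    BLOCK = "block"


@dataclass(frozen=True)
class Request:
    user: str
    app: str              # which cloud app is irrelevant to the policy below
    data_label: str       # "public", "internal" or "sensitive" (assumed labels)
    operation: str        # "read", "download" or "share"
    country: str          # country code from IP geolocation
    device_managed: bool  # enrolled, government-owned device vs. BYOD
    risk_score: float     # 0.0 (normal) .. 1.0 (anomalous), from a behavioural baseline


# Ordered rules: the first whose condition holds decides. Most severe first;
# anything that reaches the end without a match is denied.
Rule = tuple[str, Callable[[Request], bool], Action]
POLICY: list[Rule] = [
    ("behavioural risk score at or above 0.8",
     lambda r: r.risk_score >= 0.8, Action.BLOCK),
    ("request from outside the approved countries",
     lambda r: r.country not in APPROVED_COUNTRIES, Action.BLOCK),
    ("non-public data leaving an unmanaged device",
     lambda r: r.data_label != "public" and not r.device_managed and r.operation != "read",
     Action.BLOCK),
    ("non-public data viewed on an unmanaged device",
     lambda r: r.data_label != "public" and not r.device_managed, Action.READ_ONLY),
    ("export of non-public data with elevated risk",
     lambda r: r.data_label != "public" and r.operation in {"download", "share"} and r.risk_score >= 0.4,
     Action.STEP_UP),
    ("public data", lambda r: r.data_label == "public", Action.ALLOW),
    ("non-public data from a managed device in an approved country",
     lambda r: r.device_managed, Action.ALLOW),
]


def decide(req: Request) -> tuple[Action, str]:
    """Evaluate one request against the policy and return the action plus the
    rule that produced it (for the audit log)."""
    for reason, matches, action in POLICY:
        if matches(req):
            return action, reason
    return Action.BLOCK, "no rule permitted the request (deny by default)"


# Constructed requests, each through a different app, to show the same policy
# applying across all of them.
SCENARIOS = {
    "managed laptop, internal doc, read":
        Request("alice", "files", "internal", "read", "US", True, 0.1),
    "byod phone, sensitive doc, read":
        Request("alice", "files", "sensitive", "read", "US", False, 0.1),
    "byod phone, sensitive doc, download":
        Request("alice", "mail", "sensitive", "download", "US", False, 0.1),
    "managed laptop, sensitive doc, share, elevated risk":
        Request("bob", "chat", "sensitive", "share", "US", True, 0.5),
    "managed laptop, impossible-travel risk":
        Request("carol", "chat", "internal", "read", "US", True, 0.9),
    "unapproved country (placeholder code ZZ)":
        Request("dave", "files", "public", "read", "ZZ", True, 0.0),
}

if __name__ == "__main__":
    for label, req in SCENARIOS.items():
        action, reason = decide(req)
        print(f"{label:55} -> {action.name:9} ({reason})")
```

Two design points are worth noticing. The decision is logged with the rule that produced it, which is what an auditor or an incident responder will ask for later. And the graded responses mean an unmanaged phone can still be useful (viewing is allowed) without sensitive data ever being downloaded to it, which is the practical middle ground between locking BYOD out entirely and trusting it completely.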
The bottom line is that your best protection will come when you look outside the “inherent” security of your cloud applications and services and consider targeted solutions that address your specific needs.