RSAC 2015: RSA Conference (Day 2)

Shadow IT isn't the problem, complacency is

Page 2 of 5

Craig Rosen, CISO, FireEye

Q: With all the FUD around shadow IT, are we focused on the wrong suspects with cloud security?

Craig Rosen (CR):

When it comes to cloud security, I think the biggest issue isn't about shadow IT and controlling the business SaaS application selection. Right now, I feel there’s a much larger struggle from security teams to gain transparency into what is happening under the hood from the SaaS providers that have been chosen, a.k.a. 'the usual suspects.'

[Organizations have] moved their very critical and important data to a smaller set of very powerful applications in the cloud used to run the business. At some point, the important data moved and there were many important security questions that just could not be answered.

Now what? Well, maybe you rewrote some contracts, attached some security addenda and hoped you would be able to rely mostly on your contract and maybe some application-specific controls to protect your data in the cloud.

With today’s threat landscape it’s clear to me that transferring the risk through contractual commitments isn’t enough. And while you might have great contract provisions and some ability to protect, you don’t want to be in the position of having to reactively sift through your contract clause after clause while your reputation is on the line post-breach or your product strategy makes its way to your competitor.

So you need to do something different to maintain your risk posture and work with your SaaS vendors and your own security teams to ensure you can provide the same level of control. As CISO, you don’t have the option of saying “I don’t know” because your liability and your mission remain the same, regardless of where the data resides.

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

CR: If you expect less, you’ll get less.

Your standards should not change just because there’s a SaaS app in play. They need to know that your responsibility for reporting risk to the executives and the board is no different just because the business has chosen to leverage SaaS applications. While they might not have all the answers, you shouldn’t be afraid to ask the questions about how they are protecting your data.

You need to understand how quickly they can detect and respond to any security concerns or incidents and clearly outline in the contract your thresholds as requirements for reporting. You need to ensure that they are willing and able to work closely with your security controls and outline those requirements ahead of time. They need to understand your need for transparency and you need to communicate to them about how they will become part of your extended ecosystem to protect the company.

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

CR: Speed is the name of the game today and if you can’t respond fast, you will lose.

I think the ability to quickly detect and respond to security incidents is the issue. The level of transparency given the types of data collection and analysis security teams need to do this effectively has historically been opaque with SaaS deployments. As a result, detection and response times can suffer relative to what has traditionally been possible with non-SaaS applications.

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

CR: I would start by informing your executive team about how you’d like to harness the power of the SaaS applications, but not give up your current security posture.

Brief them on how this is possible and not on how the SaaS application won’t work because it can’t be secured. If you start from that position, you will just be putting the business at arm’s length when this is actually your best shot at getting the business to help you with your SaaS security controls and strongly supporting you at the table with the SaaS vendor when it comes to contract negotiation.

Next, contrast how you are able to protect your non-SaaS applications versus your SaaS applications by exercising a simple threat scenario incident and response. Show how you were able to respond to the incident with the non-SaaS application and what you were not able to do with the SaaS application without adequate controls, relatively speaking. Same scenario, much different impact when you don’t actually have what you need. Presenting that information can be pretty compelling and get you started on your way to securing your cloud applications.
