RSAC 2015: RSA Conference (Day 2)

Shadow IT isn't the problem, complacency is


Assaf Rappaport, CEO, Adallom

Q: With all the FUD around shadow IT, are we focused on the “wrong suspects” with cloud security?

Assaf Rappaport (AR): When you look at the cloud usage statistics, 90 percent of corporate data actually resides in one percent of cloud services – the corporate enterprise SaaS. The “usual” suspect of shadow IT isn’t where your IT organization should focus their efforts. That just seems completely backwards.

The right strategy is to start with securing corporate managed SaaS. Then, on a periodic basis, understand which other types of Shadow IT cloud applications are being used, and [include] the key ones as corporate apps.

The reality is most users are just trying to find more effective ways to do their jobs and gain competitive advantages. If you block them, they’ll find another way or another application. IT can no longer be the department of no; they must help the business. Use the discovery of shadow IT to educate IT on which applications are preferred by users.

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

AR: We’ve only worked with one organization that was effective at getting a cloud application vendor to change their SaaS contracts just for their needs.

A more realistic scenario is understanding what is being done by a cloud provider to secure their cloud infrastructure – security, availability, penetration testing and certifications—and complementing it with cloud security solutions. The key is understanding that the shared responsibility model means that the organization is ultimately responsible for the usage of and access to the SaaS application. Put another way, you’ve outsourced your application; you haven’t outsourced your security.

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

AR: There are two key risks that organizations should address. The first is with data sharing. SaaS applications make it easy for users to share and collaborate on documents. The second risk is managing and monitoring privileged users that have too much access and can inflict too much damage if their credentials are stolen.

Q: What is your guidance on how an organization should get started with SaaS security?

AR: Evaluate SaaS provider security, and complement with cloud access security brokers. Start with an out-of-band approach where you can gain consistent visibility across your entire suite of cloud applications, and govern users, data, and activities.

Then, implement in-line prevention for specific high-risk users and activities, such as unmanaged device access. The key with SaaS security is to look for an architecture that is cloud-centric. Meaning, it must be easy to deploy, it must not impact the user experience and it must work with any user, any device access.
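The three concerns raised above (external data sharing, privileged users on unmanaged devices, and periodic shadow IT discovery) can be checked out-of-band over SaaS audit events before any in-line policy is enforced. The following is an added example, not Adallom's product or the interview's own code; the sanctioned app list, privileged account list, corporate domain and the audit events are all constructed sample values.

```python
"""Out-of-band SaaS monitoring over constructed audit events (added example)."""

SANCTIONED_APPS = {"corp-crm", "corp-drive"}      # assumed corporate-managed SaaS
PRIVILEGED_USERS = {"admin@example.com"}           # assumed admin accounts
CORP_DOMAIN = "example.com"                        # assumed corporate mail domain

# Constructed sample events, not real logs.
# Fields: user, app, action, device posture, target of the action.
EVENTS = [
    {"user": "alice@example.com", "app": "corp-drive", "action": "share",
     "device": "managed", "target": "bob@example.com"},
    {"user": "alice@example.com", "app": "corp-drive", "action": "share",
     "device": "managed", "target": "x@gmail.com"},
    {"user": "admin@example.com", "app": "corp-crm", "action": "export",
     "device": "unmanaged", "target": "all-customers.csv"},
    {"user": "carol@example.com", "app": "notes-startup", "action": "upload",
     "device": "managed", "target": "plan.docx"},
    {"user": "dave@example.com", "app": "notes-startup", "action": "upload",
     "device": "managed", "target": "q3.xlsx"},
]


def external_shares(events):
    """Risk 1: documents shared with recipients outside the corporate domain."""
    return [e for e in events
            if e["action"] == "share"
            and not e["target"].endswith("@" + CORP_DOMAIN)]


def privileged_unmanaged(events):
    """Risk 2: privileged accounts acting from devices IT does not manage."""
    return [e for e in events
            if e["user"] in PRIVILEGED_USERS and e["device"] == "unmanaged"]


def shadow_it_usage(events):
    """Discovery: distinct users per unsanctioned app, most-used first,
    so the key apps can be reviewed for adoption as corporate apps."""
    users_by_app = {}
    for e in events:
        if e["app"] not in SANCTIONED_APPS:
            users_by_app.setdefault(e["app"], set()).add(e["user"])
    return sorted(((app, len(u)) for app, u in users_by_app.items()),
                  key=lambda pair: -pair[1])


def decide(event):
    """In-line policy: log everything, block only the narrow high-risk case
    (privileged user on an unmanaged device) so user experience is untouched."""
    if event["user"] in PRIVILEGED_USERS and event["device"] == "unmanaged":
        return "block"
    return "allow+log"
```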

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

AR: I don’t think organizations can afford not to secure cloud applications anymore. Even on-premises attacks such as Sony are bleeding into cloud applications. It’s about risk management, and having the right conversation with the board.

Copyright © 2015 IDG Communications, Inc.
