Apr 21, 2015 8:53 AM PT

RSAC 2015: RSA Conference (Day 2)

Shadow IT isn't the problem, complacency is

Steve Ragan/Thinkstock

Day two officially marks the start of RSAC. Now that the show floor is open for business, the talks are underway and the halls are starting to hum with conversation as attendees move from place to place.

Most of my morning and afternoon will consist of briefings and one-on-one meetings, but I wanted to start the day with a themed discussion. Please feel free to leave your thoughts on the topic in the comments section below.

The theme is Shadow IT, and today I’ll be posting Q&As with executives on this topic. The interviews were conducted before the conference started, but the comments given on the record make for a good icebreaker.

Shadow IT sounds scary, but it's not. These days, the bulk of an organization's data already exists on a network maintained by an approved SaaS vendor.

The workforce is also technologically savvy. If IT denies them a tool, they know how to get it on their own, and SaaS vendors make signing up for a service or feature a painless process.

Overall, the majority of employees doing this are not acting maliciously. They turn to SaaS offerings to streamline their work or improve productivity, and usually only because they were denied access and didn't agree with, or understand, the reason for the denial.

Considering the bigger picture, Shadow IT isn't the largest problem a company dealing with SaaS has. Complacency is, because most organizations are trying to force older models of security, trust, and networking into a place where they just don't fit.

The questions posed to the executives for the Q&A are based on a few conversational topics.

The first is that legacy security has become irrelevant because of BYOx (Bring Your Own Anything) policies and the risks associated with the level of "any device" access offered by the SaaS market. The remaining topics consider the point that SaaS vendor security isn't complete, and that vendors' application ecosystems are an unknown threat vector.

The following executives were included in the Q&A:

Craig Rosen, CISO, FireEye

Ken Baylor, CISO, Pivotal

Bil Harmer, CISO, Good Data

Assaf Rappaport, CEO, Adallom

Their comments and thoughts follow. Not everyone answered all of the questions that were asked, but their comments are interesting nevertheless. Again, feel free to weigh in with your own thoughts in the comment section below, or email me directly.

Craig Rosen, CISO, FireEye

Q: With all the FUD around shadow IT, are we focused on the wrong suspects with cloud security?

Craig Rosen (CR):

When it comes to cloud security, I think the biggest issue isn't about shadow IT and controlling the business SaaS application selection. Right now, I feel there’s a much larger struggle from security teams to gain transparency into what is happening under the hood from the SaaS providers that have been chosen, a.k.a. 'the usual suspects.'

[Organizations have] moved their very critical and important data to a smaller set of very powerful applications in the cloud used to run the business. At some point, the important data moved and there were many important security questions that just could not be answered.

Now what? Well, maybe you re-wrote some contracts, attached some security addendums and hoped you would be able to rely mostly on your contract and maybe some application-specific controls to protect your data in the cloud.

With today’s threat landscape it’s clear to me that transferring the risk through contractual commitments isn’t enough. And while you might have great contract provisions and some ability to protect, you don’t want to be in the position of having to reactively sift through your contract clause after clause while your reputation is on the line post breach or your product strategy makes its way to your competitor.

So you need to do something different to maintain your risk posture and work with your SaaS vendors and your own security teams to ensure you can provide the same level of control. As CISO, you don’t have the option of saying “I don’t know” because your liability and your mission remains the same, regardless of where the data resides.

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

CR: If you expect less, you’ll get less.

Your standards should not change just because there’s a SaaS app in play. They need to know that your responsibility for reporting risk to the executives and the board is no different just because the business has chosen to leverage SaaS applications. While they might not have all the answers, you shouldn’t be afraid to ask the questions about how they are protecting your data.

You need to understand how quickly they can detect and respond to any security concerns or incidents and clearly outline in the contract your thresholds as requirements for reporting. You need to ensure that they are willing and able to work closely with your security controls and outline those requirements ahead of time. They need to understand your need for transparency and you need to communicate to them about how they will become part of your extended ecosystem to protect the company.

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

CR: Speed is the name of the game today and if you can’t respond fast, you will lose.

I think the ability to quickly detect and respond to security incidents is the issue. The level of transparency given the types of data collection and analysis security teams need to do this effectively has historically been opaque with SaaS deployments. As a result, detection and response times can suffer relative to what has traditionally been possible with non-SaaS applications.

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

CR: I would start by informing your executive team about how you’d like to harness the power of the SaaS applications, but not give up your current security posture.

Brief them on how this is possible and not on how the SaaS application won’t work because it can’t be secured. If you start from that position, you will just be putting the business at arm’s length when this is actually your best shot at getting the business to help you with your SaaS security controls and strongly supporting you at the table with the SaaS vendor when it comes to contract negotiation.

Next, contrast how you are able to protect your non-SaaS applications versus your SaaS applications by exercising a simple threat scenario incident and response. Show how you were able to respond to the incident with the non-SaaS application and what you were not able to do with the SaaS application without adequate controls, relatively speaking. Same scenario, much different impact when you don’t actually have what you need. Presenting that information can be pretty compelling and get you started on your way to securing your cloud applications.

Ken Baylor, CISO, Pivotal

Q: With all the FUD around shadow IT, are we focused on the “wrong suspects” with cloud security?

Ken Baylor (KB): Information security does not have a moral right to dictate what is acceptable to the business.

They serve the business, they advise the business, they assist with crystallizing the risk-appetite of the company and they enforce the agreed upon standards. If the business is investing heavily in Shadow IT, then something is out of alignment. The culprit could be Information Security.

SaaS adoption is rapid. InfoSec should focus on protecting the critical data, rather than serve as a doorstop.

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

KB: First, establish what data is proposed to go into the cloud. That sets the tone for all due diligence. Second, establish how people authenticate. Multifactor authentication is preferred. Also, there are tools that should be employed to tell you who is accessing which documents, from which device and from a certain location.

Third, focus on de-provisioning users: ensuring ex-employees do not have access to current data is key. Fourth, focus on logging: is there a log of which users touched which documents? Can you have access to them? Will the SaaS provider notify you in the event of an attempted breach? If so, what is the SLA? Can you enforce it?

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

KB: Losing control of critical IP including trade secrets. Having these breached through careless sharing or by hacking the provider or customer endpoint.

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

KB: The data they seek to protect is the data that is critical to the brand and goodwill of the company. It is a small price to keep it safe.

Bil Harmer, CISO, Good Data

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

Bil Harmer (BH): The key to ensuring a correctly shared responsibility is with respect to sharing the technical and organizational measures.

The client should be able to review and understand the SaaS providers’ methodologies and processes and how they apply. They should not be trying to make the SaaS provider follow their specific processes. The outcomes should be the same but the path to the outcomes can be different.

SaaS providers need to deliver a single methodology that is applied to the environment. It cannot apply different processes based on each customer. It's the process side of multi-tenancy. We see dozens of companies claiming they are multi-tenant SaaS providers when in reality they are hosting individual VMs for each customer and use terms like 'multi-tenanted.' Now, with a clear understanding of what each party will do, setting up contractual obligations that define who will do what and when is very simple.

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

BH: Transparency with the providers. Simply grabbing a SOC 2 audit or ISO cert is not sufficient. Selecting a SaaS partner and deploying a SaaS tool requires appropriate due diligence into how the provider delivers the service, where it's delivered from, and who the provider is using as sub-processors.

Q: What is your guidance on how an organization should get started with SaaS security?

BH: You need to inventory your approved SaaS providers and establish a process for each that aligns with the company's policies. Many of the SaaS providers being used will cover 90% of the corporate data, but there is no consolidated view into the application of correct policies and requirements.

These apps are purchased by the business, configured by the vendor with the business and run by the business. This can lead to inconsistencies in the application of what the business 'thinks' is appropriate. Do they understand what a strong password is? Do the users know what data can and cannot be put into the freeform text field? By creating an inventory and getting insight into how these applications are being used companies will be able to reduce their risk.

Q: Privacy and data security appears to be a dichotomy. How do organizations balance this? For example, IT needs to monitor the activities but may be constrained under certain privacy considerations.

BH: Privacy and security should not be a dichotomy. Security is a tool that helps achieve privacy. If a CISO is trying to become “Secure” there is no way to know if they’ve made it without privacy.

Privacy should be the goal and security part of the tools. Many European countries do not permit the monitoring of employee behavior at work but companies need to proactively monitor system activities to protect data and stop attacks before they happen.

Someone, not necessarily IT, needs to monitor these activities. This is where a SaaS or outsourced solution can bring huge benefits. Monitoring for abnormal behavior can be done by the vendor and when something crosses a threshold, the customer can be contacted to investigate further. At this point the company is not monitoring employees but instead investigating a security event.

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

BH: Hand the CEO a newspaper. Seriously, the comparison between security and insurance has been around forever. This is all about mitigating risk.

If the data being held is at risk, then mitigating controls need to be implemented. CEOs and boards are being held responsible for breaches now. These are board-level discussions. If a CISO is having trouble getting budget, then they are not speaking the right language.

They should be talking about business risk; a CISO should not be talking about firewalls and anti-virus. Those risks need to be reviewed and compared to other risks in the business, and funds should be allocated based on business risk. Right now the business risk of being compromised is much higher due to the high-profile cases that have been hitting the newspapers.

Assaf Rappaport, CEO, Adallom

Q: With all the FUD around shadow IT, are we focused on the “wrong suspects” with cloud security?

Assaf Rappaport (AR): When you look at the cloud usage statistics, 90 percent of corporate data actually resides in one percent of cloud services, the corporate enterprise SaaS. The "usual" suspect of shadow IT isn't where your IT organization should focus their efforts. That just seems completely backwards.

The right strategy is to start with securing corporate managed SaaS. Then, on a periodic basis, understand which other types of Shadow IT cloud applications are being used, and [include] the key ones as corporate apps.

The reality is most users are just trying to find more effective ways to do their jobs and gain competitive advantages. If you block them, they’ll find another way or another application. IT can no longer be the department of no, they must help the business. Use the discovery of shadow IT to educate IT on which applications are preferred by users.

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

AR: We’ve only worked with one organization that was effective at getting a cloud application vendor to change their SaaS contracts just for their needs.

A more realistic scenario is understanding what is being done by a cloud provider to secure their cloud infrastructure (security, availability, penetration testing and certifications) and complementing it with cloud security solutions. The key is understanding that the shared responsibility model means that the organization is ultimately responsible for the usage of and access to the SaaS application. Put another way, you've outsourced your application; you haven't outsourced your security.

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

AR: There are two key risks that organizations should address. The first is with data sharing. SaaS applications make it easy for users to share and collaborate on documents. The second risk is managing and monitoring privileged users that have too much access and can inflict too much damage if their credentials are stolen.

Q: What is your guidance on how an organization should get started with SaaS security?

AR: Evaluate SaaS provider security, and complement with cloud access security brokers. Start with an out-of-band approach where you can gain consistent visibility across your entire suite of cloud applications, and govern users, data, and activities.

Then, implement in-line prevention for specific high-risk users and activities, such as unmanaged device access. The key with SaaS security is to look for an architecture that is cloud-centric. Meaning, it must be easy to deploy, it must not impact the user experience and it must work with any-user, any-device access.
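The de-provisioning and logging checks Ken Baylor lists above, and the over-privileged-user and unmanaged-device risks Assaf Rappaport raises, both come down to the same practical step: reconciling the SaaS provider's audit log against records only the customer holds (HR termination dates, the managed-device inventory, the corporate mail domain). The following Python script is an added example, not code from the article or from any of the interviewees or their companies. The log schema, field names, accounts, device IDs and the example.com domain are all constructed for illustration; real providers each use their own export format.

```python
"""Reconcile a SaaS audit log against customer-held records.

Flags four things a SaaS provider cannot know on its own:
  * activity by accounts HR says were terminated,
  * documents shared to recipients outside the corporate domain,
  * privileged actions performed from devices the org does not manage,
  * actors in the log that HR has no record of (orphaned or integration accounts).
All data below is constructed sample input; field names are assumptions.
"""
import json
from datetime import datetime, timezone

CORP_DOMAIN = "example.com"  # assumed corporate mail domain
PRIVILEGED_ACTIONS = {"role.grant_admin", "export.all_records", "sharing.policy_change"}

# Constructed audit log, one JSON object per line (hypothetical schema).
SAMPLE_LOG = """\
{"id": "e1", "ts": "2015-04-20T08:02:11Z", "actor": "alice@example.com", "action": "document.view", "device_id": "LT-0412", "target": "Q2-forecast.xlsx"}
{"id": "e2", "ts": "2015-04-20T09:15:40Z", "actor": "bob@example.com", "action": "document.share", "device_id": "LT-0198", "target": "Q2-forecast.xlsx", "shared_with": "partner@contoso-example.net"}
{"id": "e3", "ts": "2015-04-20T17:45:03Z", "actor": "carol@example.com", "action": "document.view", "device_id": "LT-0777", "target": "customer-list.csv"}
{"id": "e4", "ts": "2015-04-20T23:10:55Z", "actor": "dave@example.com", "action": "export.all_records", "device_id": "unknown-android-9f3a", "target": "crm"}
{"id": "e5", "ts": "2015-04-21T07:30:00Z", "actor": "alice@example.com", "action": "document.share", "device_id": "LT-0412", "target": "roadmap.pptx", "shared_with": "erin@example.com"}
{"id": "e6", "ts": "2015-04-21T08:00:00Z", "actor": "svc-sync@example.com", "action": "document.view", "device_id": "api", "target": "customer-list.csv"}
"""

# Constructed HR roster: account -> termination instant in UTC (None = still employed).
ROSTER = {
    "alice@example.com": None,
    "bob@example.com": None,
    "carol@example.com": "2015-04-17T17:00:00Z",  # left the previous Friday
    "dave@example.com": None,
}

# Constructed managed-device inventory (IDs the endpoint agent reports).
MANAGED_DEVICES = {"LT-0412", "LT-0198", "LT-0777"}


def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample; real exports vary."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def post_termination_access(events, roster):
    """Event IDs where the actor acted after the instant HR terminated them."""
    hits = []
    for ev in events:
        term = roster.get(ev["actor"])
        if term is not None and parse_ts(ev["ts"]) > parse_ts(term):
            hits.append(ev["id"])
    return hits


def external_shares(events, corp_domain):
    """Share events whose recipient is outside the corporate mail domain.

    Exact-domain match: a recipient on a subdomain (mail.example.com) is treated
    as external, which is the safer default when you do not know the tenancy.
    """
    suffix = "@" + corp_domain.lower()
    return [
        ev["id"] for ev in events
        if ev["action"] == "document.share"
        and ev.get("shared_with")
        and not ev["shared_with"].lower().endswith(suffix)
    ]


def privileged_from_unmanaged(events, managed, privileged=PRIVILEGED_ACTIONS):
    """Privileged actions issued from a device absent from the managed inventory."""
    return [ev["id"] for ev in events
            if ev["action"] in privileged and ev["device_id"] not in managed]


def unknown_actors(events, roster):
    """Accounts present in the SaaS log but missing from HR's roster."""
    return sorted({ev["actor"] for ev in events if ev["actor"] not in roster})


def triage(log_text, roster, managed, corp_domain):
    events = parse_log(log_text)
    return {
        "post_termination": post_termination_access(events, roster),
        "external_share": external_shares(events, corp_domain),
        "privileged_unmanaged": privileged_from_unmanaged(events, managed),
        "unknown_actors": unknown_actors(events, roster),
    }


if __name__ == "__main__":
    for check, ids in triage(SAMPLE_LOG, ROSTER, MANAGED_DEVICES, CORP_DOMAIN).items():
        print(f"{check}: {ids}")
```

On the sample, the script flags e3 (carol reading a customer list three days after leaving), e2 (a forecast shared to an outside domain), e4 (a bulk CRM export from a device the org has never seen) and the svc-sync account that HR does not know about. None of these can be detected by the provider alone, which is the point both executives make: the customer has to get the log out of the vendor (and negotiate that access up front) and join it with its own data.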

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

AR: I don’t think organizations can afford not to secure cloud applications anymore. Even on-premises attacks such as Sony are bleeding into cloud applications. It’s about risk management, and having the right conversation with the board.