The cloud is no longer a disruptive new technology. It is now the norm and, because of that, it is also becoming an attractive target for today’s cyber criminals. The old ways of protecting data are becoming obsolete and businesses are increasingly turning to cloud access security brokers (CASBs) to act as a gateway between their company’s IT infrastructure and that of the cloud providers.
To find out more about how the threat landscape is expanding and why CASBs are growing in relevance in our region in the age of the cloud, we interviewed Bitglass Vice President of Sales for Asia Pacific and Japan, David Shephard.
The following is the full transcript of the email interview.
CSA: We know that Southeast Asian companies are taking “cloud first” seriously. Does this really make the security threat more complex or is that just hype?
David Shephard: The cyber risk evolves constantly. As new risks and threats emerge, organisations have to identify, understand and react accordingly. Protecting sensitive customer and corporate data is always going to be a top priority for any enterprise, regardless of whether they’re in the cloud or still using traditional on-premises IT.
What we see more and more is organizations being realistic about what level of security they can hope to achieve on their own. Many appreciate the enormity of the task and accept that they lack the resources (people or budget) to build and maintain a complete and effective security program, so they’re actually looking to the cloud as a way to uplift their security. Cloud providers will likely do a better job of securing their infrastructure than many organizations could manage on their own, with contractual SLAs offering further assurance to customers. It’s about focusing on your core business, and most companies are not in the infrastructure management or information security business.
It is encouraging that companies in Southeast Asia are embracing cloud – largely thanks to the push from government initiatives, positive experiences from companies who have gone first and a realisation that cloud and mobile are necessary to remain competitive and create environments where users want to work.
Interestingly, 90% of organisations around the world are either very or moderately concerned about public cloud security. In fact, security is the single biggest factor impeding faster adoption of cloud. This is consistent across all sectors and all countries.
The most commonly cited cloud security concern is unauthorised data access, which can be caused by improper access controls, malicious insiders, or hijacked employee accounts. This stands in contrast to the idea of malware and other threats directly attacking cloud service providers, which is of less concern to the average enterprise. Traditional security controls don’t cater to this, which is why cloud access security brokers are fast becoming a security requirement for any organization adopting cloud.
CSA: When people say the threat landscape is expanding, what does this really mean from a Bitglass perspective?
David Shephard: From a Bitglass perspective, we see the threat landscape expanding on two fronts. First, from the outside, where persistent targeted attacks are becoming increasingly sophisticated and dangerous. Second, from the inside, where employees are engaging in risky activities that can place the entire organisation in jeopardy. This doesn’t mean these employees are nefarious, but a user on an unmanaged (or BYO) device being able to directly access corporate resources in the cloud and download or share data is a risk that needs to be understood and mitigated.
An example of an external threat is ransomware – we see hackers exploiting enterprise file sharing applications as a means of bypassing common controls to distribute their malware. At Bitglass, our Threat Research Team recently discovered a new variety of ransomware dubbed “ShurL0ckr.” The threat encrypts users' data and demands a ransom in exchange for decryption. Somewhat alarmingly, native ATP tools within Microsoft SharePoint and Google Drive were unable to detect ShurL0ckr. This highlights the growing dangers of relying solely upon cloud applications' native security features.
In our recent report, Malware P.I., we also discovered that nearly half of organisations have some form of malware in at least one of their cloud apps. With users able to access their cloud apps from any device, and off-network, it’s pretty easy for modern malware to spread. This is unnerving given that a single piece of malware can cause extensive damage to an enterprise.
A common example of an internal risk is employees accessing corporate data in the cloud from their own device and downloading unprotected files. Most businesses will have this happening, and while the user might be well intentioned, the risk and consequence of loss remains the same. In modern enterprises there is a huge rise in the use of cloud applications and BYOD, where employees are able to access enterprise cloud applications from their own device, or from any browser. With these new ways of working, traditional perimeter or device-centric security solutions are no longer able to protect data in the cloud being accessed by mobile employees.
CSA: Cloud first means taking on new applications like Slack or other more “social” apps. Does this increase the risk and does “regular” security software protect us?
David Shephard: With everyone from developers to executives using social apps (like Slack) to exchange sensitive information, securing them requires solving unique challenges. Compounding the difficulty is the fact that Slack, like many high growth startups, has not been without security issues. In 2015, the company suffered a high profile data breach. For these reasons, more and more organizations are turning to cloud access security brokers (CASBs), like Bitglass, to protect data in Slack.
What differentiates Bitglass from “regular” security software is the automatic scanning of entire deployments of Slack (or other social apps) across all teams and channels. Through ongoing crawling, sensitive data is identified and high-risk sharing is discovered; for example, public URLs or non-employees having access to certain channels containing sensitive content. Traditional endpoint security cannot secure social apps to the extent that agentless CASBs can.
CSA: We note you talk a lot about "Zero Day" protection, can you really protect us against the "unknown" and are Zero Day attacks happening in cloud-based apps?
David Shephard: Definitely. Late last year, we announced a major step forward in our data protection solution with a suite of new machine-learning-based technologies. Our CASB can detect and prevent data leakage as well as defend against unknown malware – on any application and in real time. What makes this even more compelling is that many of the next-generation endpoint solutions require agents and don’t actually work on mobile devices. So in most modern enterprises there are going to be obvious gaps - we help to fill those.
For example, Bitglass’ Zero-day Unmanaged App Control enables discovery, blocking, and coaching for new and unknown cloud applications. Our patent-pending technology detects leakage paths in any application or web traffic and provides read-only access to unmanaged apps, allowing access but controlling leakage.
CSA: Do we need extra protection for SaaS applications like salesforce.com - isn't there a lot of security built in?
David Shephard: SaaS application vendors go to great lengths to secure their underlying infrastructure against attacks. However, there still exists a large security gap when it comes to securing access to the data within said cloud apps. As such, CASBs like Bitglass are commonly used to protect data at access – particularly in organisations that hold valuable intellectual property or operate within regulated industries.
As an example, consider a large financial company that used Bitglass to secure its SaaS applications – Salesforce and Office 365. Given the high-profile nature of its clientele, the organisation wanted complete assurance of privacy and desired sole control of its data – it didn’t feel comfortable with cloud vendors having any visibility into customer information. So, it decided to deploy our access control, data loss prevention (DLP), and encryption. In this way, the company was able to secure data access and obfuscate sensitive information within apps to hide it from the view of cloud vendors.
CSA: Does Bitglass have any plans or offerings for IoT? We are starting to hear a lot of talk about the "edge" threat.
David Shephard: Bitglass is built to provide data protection across all endpoints and applications, including IoT endpoints. Given that IoT creates new avenues for data leakage – a new attack vector of sorts – it’s no surprise that forward-thinking IT leaders are contemplating how best to address these threats. While it remains unclear how IoT will interact with cloud over the long term, enterprises must take a proactive approach to identifying and mitigating risk.
CSA: Can you tell us anything about your regional development plans or product plans over the next 12 months?
David Shephard: In Asia Pacific, we plan to continue our expansion into new territories and with the addition of new channel partners to support our accelerating customer growth. As for product plans in the next 12 months, we’re focused on developing some of our existing marquee features – real-time DLP and Shadow IT Discovery – as well as building deeper integration with cloud app vendors. Companies deploying Bitglass will get immediate value from what we already have to offer today.