Almost a decade has passed since the introduction of the federal cloud computing strategy, while two years have passed since President Trump’s executive order mandating procurement preferences for shared IT services. As both continue to fuel cloud adoption within federal agencies, two side effects are clear: use of SaaS applications is increasing, as are concerns about security.
Recently, Forcepoint surveyed over 600 IT and IT security practitioners, including cloud administrators representing federal agencies, departments and enterprise organizations. Nearly 70% said less than half of cloud service providers were FedRAMP authorized, and many expressed skepticism about their agencies’ abilities to protect sensitive information.
The findings paint a pretty clear picture: federal agencies need a better security posture in the cloud. That starts with achieving better visibility into what applications their employees are using, and how they’re using them.
Coming out of the shadows
With on-premises architecture, securing intellectual property, For-Official-Use-Only data, and sensitive information simply meant securing the perimeter. The cloud, on the other hand, offers unprecedented flexibility and scalability. But it also presents a new, complex attack surface, since data passes between on-premises and hosted environments. To improve cloud security, agencies must be able to map their entire infrastructure, including all of the applications running on it.
The problem is that it’s difficult to keep track of these services, leading to the threat of shadow IT—use of unknown applications. Survey respondents expressed anxiety at this challenge; on a scale of 1 to 10, 35 percent of survey respondents rated gaining visibility into unsanctioned applications a seven or eight. And while 42 percent of respondents reported over 250 SaaS applications in their environments, only 23 percent of those surveyed were highly confident that number was correct. It’s tough to tally because so many people are using unsanctioned applications or apps on their personal devices. Indeed, 59 percent of survey respondents said users violate policies about where digital assets can reside, as is commonly the case with file-sharing.
Eliminating shadow IT represents the foundation of a better security posture, particularly when Cloud Access Security Brokers (CASBs) are used. CASBs leverage the functionality of traditional security controls and methods, applying them to cloud architecture, on-premises architecture, or both. For example, with a CASB, IT managers can add a reverse proxy to single sign-on authentication, which can ensure the security of applications that may reside on a user’s own smartphone. This is a frictionless security method that allows employees to continue using their personal devices without compromising security.
Of course, the need for a reverse proxy can’t be identified without talking to employees about their usage. Thus, employee communication is a key ingredient to improved security, whether that means asking them what apps they’ve downloaded, how they’re being accessed, or reminding people of security policies already in place.
Why user analytics are the best defense
The nature of the cloud means everyone is an outsider—thus, analytics are crucial with regard to telling normal users from malicious ones. While a bad actor may be able to steal someone’s credentials, they can’t imitate their behavior. They’ll use a different browser, different endpoint, different device, different location, and so on. As a result, cloud risks can be mitigated through user behavior analysis, which involves collecting a baseline of “normal activity,” so deviations (such as attempting to access restricted files or abnormal geolocation) can be easily recognized.
Naturally, user behavior analytics is strongest when coupled with a CASB that can monitor behavior across applications and devices (and when the full range of those applications and devices is known). With detailed insights on user behavior, high-risk individuals can be identified, compromised credentials can be automatically flagged, and access for the individual in question can be curtailed, without shutting down access for the entire team at the first whiff of a threat.
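The baseline-and-deviation approach described above, as an added example that is not from the article or any vendor product: it builds a per-user profile of browser, device and location from constructed sign-in events, then scores new events so that only the deviating user is restricted. The field names, sample events, restricted path and threshold are all assumptions made for illustration.

```python
# Constructed sample data; field names and values are illustrative assumptions.
ATTRS = ("browser", "device", "country")
RESTRICTED = {"/finance/payroll"}

def ev(user, browser, device, country, resource):
    return {"user": user, "browser": browser, "device": device,
            "country": country, "resource": resource}

BASELINE_EVENTS = [
    ev("alice", "Firefox", "laptop-01", "US", "/hr/forms"),
    ev("alice", "Firefox", "phone-07", "US", "/wiki"),
    ev("bob", "Chrome", "laptop-02", "US", "/wiki"),
]

def build_baseline(events):
    """Map user -> attribute -> set of values seen during the baseline window."""
    baseline = {}
    for e in events:
        profile = baseline.setdefault(e["user"], {a: set() for a in ATTRS})
        for a in ATTRS:
            profile[a].add(e[a])
    return baseline

def triage(event, baseline, restricted=RESTRICTED, threshold=2):
    """Return (action, reasons) for one event, judged per user."""
    profile = baseline.get(event["user"])
    if profile is None:
        # No history: cannot tell normal from abnormal, so send to an analyst.
        return "review", ["no baseline for user"]
    reasons = [f"new {a}: {event[a]}" for a in ATTRS if event[a] not in profile[a]]
    if event["resource"] in restricted:
        reasons.append(f"restricted resource: {event['resource']}")
    # A single deviation (e.g. travel) is recorded but does not cut access.
    action = "restrict-user" if len(reasons) >= threshold else "allow"
    return action, reasons

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for e in (ev("alice", "Firefox", "laptop-01", "US", "/wiki"),
              ev("alice", "Chrome", "unknown-99", "RO", "/finance/payroll"),
              ev("bob", "Chrome", "laptop-02", "US", "/wiki")):
        print(e["user"], *triage(e, baseline))
```

The quality of the result depends on the baseline covering every application and device the user legitimately touches, which is why the shadow IT inventory comes first.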
Catching up on cloud security
Flexibility, scalability, remote access and other benefits that come with the cloud are real, yet security concerns are also prevalent. Many of these concerns stem from shadow IT and the way that users engage with cloud services. Gaining visibility into the number of applications being used throughout the agency, and how they’re being used, is the first step toward a better security posture for today’s overwhelmingly cloud-based environment.
George Kamis is Chief Technology Officer for Global Governments and Critical Infrastructure at Forcepoint