CIO’S GUIDE TO ENTERPRISE CLOUD ADOPTION

White Paper: 9 Steps to Enable the Cloud While Maintaining Visibility and Control

CipherCloud, 2581 Junction Ave. Suite 200, San Jose, CA 95134

Page 1: CIO’S GUIDE TO ENTERPRISE CLOUD ADOPTIONpages.ciphercloud.com/rs/...CIOs-Guide-To-Enterprise-Cloud-Adoptio… · for the end user, but IT is faced with losing all visibility and


CipherCloud | © 2018 CIO’s Guide to Enterprise Cloud Adoption 2

INTRODUCTION

applications to major business-critical initiatives, the cloud is transforming the way we work, making users more productive and making organizations more agile.

Yet each business is at a different point in its journey to the cloud, and there are varying challenges at each stage of cloud adoption. Whether you are aggressively adopting the cloud or just trying to get a handle on what applications your users are already accessing, there is a range of concerns around

This paper provides a framework for approaching the cloud and outlines key requirements for each stage of enterprise cloud adoption.

Not all cloud applications are alike

The nature and business uses of cloud applications vary widely. We can all think of applications that are mundane, trivial, or even silly—while other cloud services may be essential to business,

adoption and the types of applications in use, there can be very different challenges that need to be addressed.

Most business cloud applications fall into these three categories:

• Non-sanctioned shadow IT: Users can easily access thousands of cloud applications and are increasingly using them for business purposes. However, organizations have little visibility or control over what applications are used, what data is stored in these applications, and the security risks involved.

• Sanctioned collaboration applications: Businesses are increasingly adopting cloud-based collaboration applications to extend their reach and streamline interaction, but in most cases there is limited visibility into the data going to the cloud, user activity, and risks

email, attachments, notes, and messages) that can represent an easy avenue for data loss.

• Core business process applications: Many core business processes are moving to cloud-based platforms to reduce infrastructure and improve agility and competitiveness. In these cases, the data and uses are well understood, but sensitive or regulated data may require additional protections to ensure security, compliance, and data integrity.

While not all enterprises follow the same path to the cloud, these categories provide a logical framework to help you discover, protect, and monitor your organization’s use of the cloud.

How to use this paper

The diagram below outlines the three types of cloud applications along with three keys to adoption at each stage. These 9 steps do not need to be followed sequentially, and different parts of your organization may be involved at each stage. This paper provides overall guidance for CIOs at each stage to gain visibility and control over all enterprise cloud adoption.

Types of cloud applications (diagram axes: number of apps; sensitivity of data)

NON-SANCTIONED SHADOW IT

Data: Unstructured data, notes, messages, files, attachments

Keys to adoption:

• Discover applications

• Assess application risks

• Enable the right apps

IT SANCTIONED COLLABORATION APPS

Data: Mix of unstructured data and user information

Keys to adoption:

• Understand usage

• Enforce DLP policies

• Monitor users & anomalies

CORE BUSINESS PROCESS APPLICATIONS

Data: Primarily structured data in CRM, ITSM, ERP applications

Keys to adoption:

• Understand compliance needs

• Protect sensitive data

• Preserve business functionality

Shining a Light on Shadow IT

Step 1: Discover all cloud applications in use

Step 2: Assess the risk of your applications

Step 3: Enable the right applications

uncontrolled and unsanctioned use of applications for business purposes. As employees increasingly bring their own mobile devices to work, they have direct access to thousands of applications, many solving useful business problems. End users are now less dependent on

applications and sign up for a multitude of services, without asking for corporate permission or IT help.

elsewhere and introduce new ad hoc processes that have no corporate visibility, governance, or control.

on email attachments, while IT set strict limits on the size of attachments to protect bandwidth and

cloud applications they can sign up for with instant access at minimal cost. This solves the problem for the end user, but IT is faced with losing all visibility and control over a potentially risky process.

This new Shadow IT model enables hundreds of unmanaged applications to be introduced into an organization as users hop from app to app to leverage free accounts or connect with

to your organization.

Discover all cloud applications in use

What applications are users accessing, and what are they used for? How much bandwidth is being consumed? Are there redundancies, with different users choosing different applications to solve the same problems?

Fortunately, tools are now available that can detect cloud application usage from network proxy

CipherCloud for Cloud Discovery meets these needs with a comprehensive solution that:

• Accesses an extensive knowledge base of thousands of applications

• Categorizes applications across dozens of business categories

• Provides easy-to-understand dashboards with immediate feedback and drill-downs on

• Leverages crowd sourcing to continuously expand the application knowledge base

CipherCloud for Cloud Discovery dashboard

Assess the risk of your applications

While most well-known cloud applications provide strong security, there are thousands of less sophisticated and poorly run applications that do not follow security best practices and can be conduits for malware attacks, data theft, and security breaches.

CipherCloud delivers a comprehensive, standards-based process for identifying and scoring risky applications. A global research team continuously monitors new and existing cloud applications, using automated and manual techniques to assess over 100 key metrics, including:

• Transport security, including the use of SSL for application landing and login pages

• Detailed header and SPF analysis

• Privacy policy analysis

• Authentication and security controls

• Location of cloud application servers

CipherCloud for Cloud Discovery provides an overview of the top high-risk applications, as well as detailed drill-down analyses of the risk of each cloud service in use by your organization.

Risk analysis and monitoring examples

Enable the right applications

balance between controlling usage and enabling the applications that your users need. Don’t just say “no.” For the most part, your users are accessing applications that help them get their

functionality than was previously available through traditional IT channels. Work with your users to understand what applications are critical and what functionality is important to them.

• Standardize whenever possible. sharing, messaging, and email) and buy enterprise licenses for all interested users. The top-tier vendors (such as Box, Dropbox, Microsoft, Google and others) provide strong enterprise controls to manage users and maintain visibility over most activity.

• Discourage the use of free services. It may be a cliché, but nothing is really free. Many vendors entice users with free starting offers, but this encourages users to hop between applications (when they exhaust free accounts) and causes sprawl of ungoverned cloud services. Most enterprise cloud applications offer dramatic cost savings compared to legacy in-house systems, but tacitly encouraging the use of free services only increases your risk.

• Block risky applications.

lets you export IP information to create blocking rules with your existing edge devices. You

• Monitor alerts for new risky applications. CipherCloud provides automated alerts to all customers when new high-risk cloud services are detected. CipherCloud also enables customers to report newly discovered applications, improving the global coverage of the knowledge base.
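Steps 1 to 3 (discover what is in use from proxy logs, score each application against the kind of metrics listed above, and export a blocklist of the high-risk ones) can be put together in a few dozen lines. The script below is an added example, not CipherCloud code or any part of its product; it assumes a generic proxy log layout (timestamp, user, destination host, bytes sent, bytes received), and the application knowledge base, hosts, users and byte counts are all constructed for the illustration. The scoring weights are an assumption too; a real assessment would use far more than five attributes.

```python
"""Shadow IT discovery and application risk scoring over web-proxy logs (added example)."""
import re
from collections import defaultdict

# Constructed sample proxy log: timestamp user host bytes_out bytes_in (one line is malformed on purpose).
PROXY_LOG = """\
2018-05-01T09:01:12Z alice app.fileshare-example.com 120000 5000
2018-05-01T09:02:40Z bob app.fileshare-example.com 90000 3000
2018-05-01T09:03:15Z bob drop.otherfiles-example.com 30000 500
2018-05-01T09:05:03Z carol notes.freenotes-example.net 40000 1000
2018-05-01T09:06:11Z dave notes.freenotes-example.net 2000 800
2018-05-01T09:07:55Z alice crm.bizsuite-example.com 3000 200000
2018-05-01T09:09:20Z erin quickpdf-example.org 600000 2000
2018-05-01T09:11:02Z frank paste.unknown-example.io 50000 100
this line is malformed and must be skipped
"""

# Constructed knowledge base with the attributes the paper's risk metrics cover:
# TLS on the login page, SPF policy, privacy policy, authentication controls (MFA), server location.
KNOWLEDGE_BASE = {
    "app.fileshare-example.com": {"category": "file sharing", "login_tls": True,
        "spf": "v=spf1 include:_spf.example.com -all", "privacy_policy": True, "mfa": True, "country": "US"},
    "drop.otherfiles-example.com": {"category": "file sharing", "login_tls": True,
        "spf": "v=spf1 include:_spf.example.com ~all", "privacy_policy": True, "mfa": False, "country": "US"},
    "notes.freenotes-example.net": {"category": "note taking", "login_tls": True,
        "spf": "v=spf1 a mx ~all", "privacy_policy": False, "mfa": False, "country": "US"},
    "crm.bizsuite-example.com": {"category": "CRM", "login_tls": True,
        "spf": "v=spf1 include:_spf.example.com -all", "privacy_policy": True, "mfa": True, "country": "DE"},
    "quickpdf-example.org": {"category": "document conversion", "login_tls": False,
        "spf": "v=spf1 +all", "privacy_policy": False, "mfa": False, "country": "??"},
}
# A host that is not in the knowledge base is scored as if nothing good is known about it:
# unassessed is treated as risky until the research step has been done.
UNKNOWN_APP = {"category": "uncategorized", "login_tls": False, "spf": None,
               "privacy_policy": False, "mfa": False, "country": "??"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_proxy_log(text):
    """Aggregate the log per destination host: distinct users and bytes in each direction."""
    apps = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole discovery run
        _ts, user, host, out_b, in_b = m.groups()
        rec = apps.setdefault(host, {"users": set(), "bytes_out": 0, "bytes_in": 0})
        rec["users"].add(user)
        rec["bytes_out"] += int(out_b)
        rec["bytes_in"] += int(in_b)
    return apps


def spf_points(spf):
    """SPF posture from the record's terminal mechanism: 0 = hard fail, 1 = soft/neutral, 2 = missing or open."""
    if not spf:
        return 2
    return {"-all": 0, "~all": 1, "?all": 1}.get(spf.split()[-1], 2)


def risk_score(attrs):
    """Assumed weights: 0 (best) to 10 (worst). Cleartext login page weighs the most."""
    score = 0 if attrs["login_tls"] else 4
    score += spf_points(attrs["spf"])
    score += 0 if attrs["privacy_policy"] else 1
    score += 0 if attrs["mfa"] else 2
    score += 0 if attrs["country"] != "??" else 1
    return score


def tier(score):
    return "high" if score >= 7 else "medium" if score >= 4 else "low"


def discover(log_text, kb):
    """Join usage with the knowledge base and rank by risk, then by upload volume."""
    report = []
    for host, usage in parse_proxy_log(log_text).items():
        attrs = kb.get(host, UNKNOWN_APP)
        score = risk_score(attrs)
        report.append({"host": host, "category": attrs["category"], "users": len(usage["users"]),
                       "bytes_out": usage["bytes_out"], "score": score, "tier": tier(score)})
    report.sort(key=lambda r: (-r["score"], -r["bytes_out"]))
    return report


def redundant_categories(report):
    """Categories served by more than one app: candidates for standardizing on one enterprise license."""
    by_cat = defaultdict(list)
    for r in report:
        by_cat[r["category"]].append(r["host"])
    return {c: sorted(h) for c, h in by_cat.items() if len(h) > 1}


def blocklist(report, threshold=7):
    """Hosts to hand to the existing edge devices as blocking rules."""
    return sorted(r["host"] for r in report if r["score"] >= threshold)


if __name__ == "__main__":
    rep = discover(PROXY_LOG, KNOWLEDGE_BASE)
    for r in rep:
        print(f'{r["tier"]:6} {r["score"]:2} {r["users"]:2} users {r["bytes_out"]:>8} B out  {r["host"]} ({r["category"]})')
    print("redundant:", redundant_categories(rep))
    print("block:", blocklist(rep))
```

The two hosts that end up on the blocklist illustrate two different reasons to block: one was assessed and scored badly on every metric, the other has simply never been assessed, and the conservative default treats "unknown" as "high" until someone looks at it. The redundancy check surfaces the two file-sharing services that the "standardize whenever possible" step would consolidate.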

Monitoring Data in Collaboration Applications

Step 4: Understand how your users work

Step 5: Enforce data loss prevention policies

Step 6: Monitor user activity and detect anomalies

partners and customers.

While these applications may be sanctioned by IT, there can still be a loss of visibility and control over data going to the cloud. Key questions include:

• Do you really know what your users are doing in the cloud? Cloud applications may

any outsiders.

• Is sensitive data going to the cloud? The convenience of cloud collaboration tools also makes it easy to put sensitive or regulated information into the wrong hands. Many users

mistakes that can cause liability for your business.

• Are there anomalies in user behavior that could indicate a problem? Most users are well intentioned and follow predictable usage patterns. Changes in user behavior, such as logging in from new locations or downloading large amounts of data, can indicate security

Understand how your users work

Traditional networks provided limited and controlled channels for users to interact, and

have dramatically changed the way users work, providing easy access and rapid collaboration from anywhere and with anyone. This also means that sensitive business data can now reside entirely outside your network.

It is impossible to put the cloud genie back in the bottle, and saying “no” to your users will probably be futile. The cloud has fundamentally changed the way employees work, and understanding these new dynamics is critical to gaining visibility and reasonable control.

Collaboration and communication with partners may need to be instantaneous for your business to remain competitive.

Enforce data loss prevention policies

Many enterprises have invested in data loss prevention (DLP) systems to prevent sensitive data from getting into the wrong hands. While these systems have sophisticated capabilities to identify data patterns, they usually can only enforce policies within the network and are blind to the cloud.

To enforce data loss prevention policies outside your network, you need solutions that are tightly integrated with cloud applications, while understanding the content and context of your data. CipherCloud provides out-of-the-box DLP capabilities for major cloud applications including Salesforce and Box. The solutions include policies for a range of regulations including PCI, HIPAA, GLBA, ABA, and Swift codes, national drug codes, and others. CipherCloud can also integrate directly with most enterprise DLP systems including RSA, Symantec, and others via the ICAP protocol.

By extending your DLP controls to cloud applications, you can have assurance that cloud applications are being used wisely and not becoming avenues for data loss or harmful breaches.

CipherCloud can enforce DLP policies directly in cloud applications
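The core of a cloud DLP policy is pattern identification plus a decision (block, alert, allow) applied to each record before it reaches the cloud application. The script below is an added example, not CipherCloud code, showing simplified versions of three of the pattern classes named above (PCI card numbers, SSNs, national drug codes); the policies, the actions and the CRM and file-share records are constructed for the illustration. It also shows the check a practitioner would insist on: a Luhn checksum so that a 16-digit order reference is not blocked as a card number, and findings that carry only a masked value so the DLP log does not itself become a store of card numbers.

```python
"""Cloud DLP policy scan over records bound for a cloud application (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


def digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other 13-19 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pan_valid(match: str) -> bool:
    d = digits_only(match)
    return 13 <= len(d) <= 19 and luhn_ok(d)


def ndc_valid(match: str) -> bool:
    # A national drug code is always 10 digits, written 4-4-2, 5-3-2 or 5-4-1.
    return len(digits_only(match)) == 10


@dataclass(frozen=True)
class Policy:
    name: str
    regulation: str
    pattern: "re.Pattern"
    action: str                                    # "block" stops the record; "alert" lets it through and notifies
    validator: Optional[Callable[[str], bool]] = None


# Constructed, simplified policies (real rule sets carry many more patterns and context rules).
POLICIES = [
    Policy("payment-card", "PCI DSS", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "block", pan_valid),
    Policy("us-ssn", "GLBA/HIPAA",
           re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), "alert"),
    Policy("ndc", "HIPAA", re.compile(r"\b\d{4,5}-\d{3,4}-\d{1,2}\b"), "alert", ndc_valid),
]


def mask(match: str) -> str:
    """Keep only the last four digits in findings and logs."""
    d = digits_only(match)
    return "*" * (len(d) - 4) + d[-4:]


def scan(field: str, text: str) -> list:
    findings = []
    for p in POLICIES:
        for m in p.pattern.finditer(text):
            if p.validator and not p.validator(m.group(0)):
                continue                           # pattern matched but checksum/shape rejected it
            findings.append({"policy": p.name, "regulation": p.regulation, "action": p.action,
                             "field": field, "masked": mask(m.group(0))})
    return findings


def enforce(record: dict, fields=("body",)) -> dict:
    """Scan the named fields and reduce the findings to one decision for the record."""
    findings = [f for fld in fields for f in scan(fld, record.get(fld, ""))]
    actions = {f["action"] for f in findings}
    decision = "block" if "block" in actions else "alert" if "alert" in actions else "allow"
    return {"id": record["id"], "decision": decision, "findings": findings}


# Constructed sample records; the card number is a well-known test number, not a real account.
SAMPLE_RECORDS = [
    {"id": "case-1001", "source": "crm.notes", "body": "Customer paid with card 4111 1111 1111 1111, exp 12/20"},
    {"id": "case-1002", "source": "crm.notes", "body": "Order ref 1234 5678 9012 3456 shipped Monday"},
    {"id": "doc-7", "source": "fileshare", "body": "Employee SSN 219-09-9999 on file; prescribed NDC 0069-2587-68"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        result = enforce(rec)
        print(result["id"], result["decision"], [(f["policy"], f["masked"]) for f in result["findings"]])
```

The second record is the case that matters operationally: it matches the card-number regex but fails Luhn, so it is allowed rather than generating a false block that would drive users back to unsanctioned channels. In a deployment, `enforce` would sit in the proxy or API integration path of the cloud application, which is the point the paragraph makes about DLP needing to be integrated with the application rather than only the network edge.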

Monitor user activity and detect anomalies

Visibility and compliance must be an ongoing process to be effective, and cloud visibility solutions need to provide clear feedback on user activity that is easy to understand and actionable.

Effective monitoring requires more than just gathering bulk data. You need to understand

integration across multiple cloud applications allowing you to monitor exactly what your users are

are clearly visible, with real-time drill-down for additional details.

and outside your organization. This helps you effectively manage cloud resources, spot potential problems before they become serious, avoid costly data breaches, and maintain the valuable reputation of your brand.

Consistent user activity monitoring provides a baseline of known behavior. Noticeable changes in typical behavior can be important indicators of suspicious activity or serious breaches. However,

irrevocable damage is done.

patterns, and learn from data to accurately spot anomalies and potential security threats. CipherCloud leverages state-of-the-art machine learning technology to automate the process of detecting anomalies, adapt to changing usage patterns, and immediately notify key individuals if suspicious activity is detected.

CipherCloud activity monitoring and anomaly detection dashboard
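The two signals the paper names for this step, logins from new locations and unusually large downloads, are a baseline-and-deviation problem. The script below is an added example, not CipherCloud code, and uses simple statistics rather than the machine-learning approach the vendor describes; it assumes a per-user activity log with the fields timestamp, user, action, source country and bytes, and both logs are constructed samples. It covers the edge case that matters most in practice: a user with too little history gets a conservative rule instead of a standard deviation computed from one data point.

```python
"""User-activity baselining and anomaly detection for a cloud application (added example)."""
import statistics
from collections import defaultdict

MIN_DAYS = 3               # volume statistics need this much history to mean anything
SIGMA = 3.0                # alert when a download exceeds mean + SIGMA * stdev of daily volume
THIN_HISTORY_RATIO = 5.0   # with thin history, alert only on > 5x the largest day seen

# Constructed baseline period: timestamp user action country bytes.
BASELINE_LOG = """\
2018-04-02T08:05:00Z alice login US 0
2018-04-02T08:30:00Z alice download US 12000000
2018-04-03T08:10:00Z alice login US 0
2018-04-03T09:00:00Z alice download US 15000000
2018-04-04T08:12:00Z alice login US 0
2018-04-04T10:00:00Z alice download US 9000000
2018-04-05T08:01:00Z alice login US 0
2018-04-05T11:00:00Z alice download US 14000000
2018-04-02T09:00:00Z bob login DE 0
2018-04-02T09:30:00Z bob download DE 5000000
"""

# Constructed events to evaluate against that baseline.
NEW_LOG = """\
2018-04-09T02:14:00Z alice login JP 0
2018-04-09T02:20:00Z alice download JP 900000000
2018-04-09T09:00:00Z bob login DE 0
2018-04-09T09:10:00Z bob download DE 7000000
2018-04-09T09:30:00Z carol login FR 0
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip, do not abort monitoring
        ts, user, action, country, nbytes = parts
        events.append({"ts": ts, "day": ts[:10], "user": user, "action": action,
                       "country": country, "bytes": int(nbytes)})
    return events


def build_baseline(text):
    """Per user: the set of countries seen and the list of daily download totals."""
    countries = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes downloaded
    for e in parse_events(text):
        countries[e["user"]].add(e["country"])
        if e["action"] == "download":
            daily[e["user"]][e["day"]] += e["bytes"]
    return {u: {"countries": countries[u], "daily_bytes": list(daily[u].values())} for u in countries}


def volume_threshold(daily_bytes):
    """Statistical threshold with enough history; a blunt ratio rule otherwise."""
    if len(daily_bytes) >= MIN_DAYS:
        return statistics.mean(daily_bytes) + SIGMA * statistics.pstdev(daily_bytes)
    return THIN_HISTORY_RATIO * max(daily_bytes, default=0)


def detect(baseline_text, new_text):
    baseline = build_baseline(baseline_text)
    alerts = []
    for e in parse_events(new_text):
        profile = baseline.get(e["user"])
        if profile is None:
            # Never seen before: nothing to compare against, so record it at low severity.
            alerts.append({"user": e["user"], "ts": e["ts"], "reason": "no-baseline", "severity": "low"})
            continue
        if e["action"] == "login" and e["country"] not in profile["countries"]:
            alerts.append({"user": e["user"], "ts": e["ts"], "reason": "new-location",
                           "severity": "high", "detail": e["country"]})
        if e["action"] == "download" and e["bytes"] > volume_threshold(profile["daily_bytes"]):
            alerts.append({"user": e["user"], "ts": e["ts"], "reason": "download-volume",
                           "severity": "high", "detail": e["bytes"]})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOG, NEW_LOG):
        print(a["severity"], a["user"], a["reason"], a.get("detail", ""), a["ts"])
```

Alice trips both rules (a login from a country never seen for her, then a download two orders of magnitude above her daily norm), while Bob's 7 MB day is well within the thin-history rule even though it is 40 percent above his single baseline day. Carol has no baseline at all, which a real system would turn into a "learning" state rather than a stream of alerts.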

Safely Moving Business-Critical Applications to the Cloud

Step 7: Understand compliance requirements

Step 9: Preserve business functionality

Even as cloud adoption accelerates, businesses and their auditors are becoming increasingly concerned about data privacy, compliance, and the rash of data breaches. The response of many government regulators has been to draft new laws, increase penalties for non-compliance, and hold businesses and executives more accountable.

With the legacy perimeter security model, organizations tended to assume that all data was equally protected, as long as it stayed behind

employees increasingly collaborate with external parties, you need to be more precise and granular about exactly what type of data needs to be protected and how. Just as not all data in your organization requires the same level of security, not all data within an application is equally sensitive. Data protection

roles and context.

CipherCloud meets these needs with a comprehensive cloud data protection platform that

cloud applications.

As you consider encryption systems, always look for solutions that are standards-based and have been thoroughly vetted by independent outsiders. CipherCloud uses AES 256-bit encryption

its encryption modules.

Understand compliance requirements

compliance requirements for any data it is handling and potentially putting in the cloud. For example, understand if you are handling:

• Private customer information

• Protected employee data

• Personal health information

• Financial and credit data

• Regulated government information

information. For example, some countries prefer sensitive information to remain within national boundaries. Other countries try to extend legal protections to their citizens’ data, even when it resides in servers located outside their jurisdiction. In addition, many

outside their jurisdiction.

Sample global data privacy regulations

USA Federal: CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, US PATRIOT Act

Mexico: Personal Data Protection Law

Colombia: Data Privacy Law 1266

Brazil: Article 5 of Constitution

Argentina: Personal Data Protection Act

Chile: Protection of Personal Data Act

Canada: PIPEDA, FOIPPA, PIPA

Israel: Protection of Privacy Law (PPL)

United Kingdom: ICO Privacy and Electronic Communications Regulations

Morocco: Data Protection Act

South Africa: Electronic Communications and Transactions Act

European Union: EU Data Protection Directive, State Data Protection Laws

India: Information Technology Act

South Korea: Network Utilization and Data Protection Act

Japan: Personal Information Protection Act

Russia: Data Protection Act

Hong Kong: Personal Data Privacy Ordinance

Thailand: Act B.E. 2540

Singapore: Personal & Financial Data Protection Acts

Philippines: Proposed Data Privacy Law

Australia: National Privacy Principles, State Privacy Bills, Email Spam and Privacy Bills

New Zealand: Privacy Amendment Act

Egypt: Egyptian Constitution and Laws

Encrypt or tokenize sensitive data fields

While there are some misconceptions around encryption and it can be applied in many ways, encryption remains one of the most effective ways to secure data regardless of where it goes—assuming only the right people have access to the keys.

Encryption is well understood and frequently used for protecting data in transit (via SSL) and protecting data at rest, when it is stored in a server or data center. However, most of today’s threats to cloud data fall in between transit and storage by targeting data in use. Even with the best cloud providers, data in the cloud can be exposed to a large number of people, processes, and unauthorized outsiders. Almost all the top current concerns tracked by the Cloud Security Alliance (CSA) involve data in use, including:

• Account hijacking

• Forced disclosure

• Data breaches

• Malicious insiders

• Insecure APIs

• Shared technology

CipherCloud has pioneered the application of encryption and tokenization to protect sensitive data used in a range of cloud applications. CipherCloud delivers protection that is tightly integrated with cloud applications and controlled exclusively by the customer, encrypting or tokenizing any type of

Encryption is only effective if the encryption keys are well protected and separated from the data itself. Most enterprises insist on this separation when encrypting data in the cloud. If the data is sensitive, the cloud provider must not have access to the keys.

CipherCloud encryption solutions always assure that encryption keys are never outside of enterprise control. Encryption keys can be managed by robust out-of-the-box key tools or through integration with third-party key stores.

Preserve business functionality

While encrypting or tokenizing data in the cloud can increase privacy and compliance, if it is not well applied and integrated with cloud applications, it can break key business functionality and defeat the purpose of using the cloud.

A long-standing technology challenge has been maintaining the searchability of encrypted information, essentially creating a needle in an (encrypted) haystack.

CipherCloud has pioneered techniques for searchable strong encryption, with multiple patents on techniques to retain sorting, searching, reporting, and other key functions. CipherCloud offers a wide range of encryption techniques supporting various types of data structures—preserving length, preserving formatting, limiting data expansion, and providing partial encryption—used often with credit card numbers.

CipherCloud solutions provide extensive integration with popular cloud applications, including
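Vault tokenization is the simplest way to see how the properties named in the previous two sections fit together: the cloud application stores a token that has the same length and shape as a card number and keeps the last four digits visible (partial protection), the mapping back to the real value lives only in an enterprise-side vault the provider never sees (key separation), and because the same value always maps to the same token, exact-match search and grouping in the cloud keep working. The class below is an added example, not CipherCloud code and not its patented searchable-encryption method; the CRM records are constructed, the card number is a well-known test number, and the "enterprise vault" is an in-memory dictionary standing in for a real key or token store.

```python
"""Format-preserving vault tokenization for card-number fields (added example)."""
import re
import secrets


def normalize(value: str) -> str:
    """Strip spaces and hyphens so '4111 1111 ...' and '4111-1111-...' are the same value."""
    return re.sub(r"[ -]", "", value)


def card_shaped(value: str) -> bool:
    d = normalize(value)
    return d.isdigit() and 13 <= len(d) <= 19


class TokenVault:
    """Enterprise-side vault: only tokens ever leave for the cloud application.

    Assumed design: tokens are random digits of the same length as the input with
    the last `keep_last` digits preserved, so the field keeps its format and a human
    can still recognize 'the card ending in 1111'.
    """

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._to_token = {}   # normalized value -> token
        self._to_value = {}   # token -> normalized value

    def tokenize(self, value: str) -> str:
        if not card_shaped(value):
            raise ValueError("value is not card-number shaped; refusing to tokenize")
        digits = normalize(value)
        if digits in self._to_token:
            return self._to_token[digits]          # deterministic: equality search still works
        while True:
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - self.keep_last))
            token = prefix + digits[-self.keep_last:]
            if token != digits and token not in self._to_value:
                break                              # reject a collision with the real value or another token
        self._to_token[digits] = token
        self._to_value[token] = digits
        return token

    def lookup_token(self, value: str):
        """Token for a value already in the vault, or None (no side effect, for search)."""
        return self._to_token.get(normalize(value))

    def detokenize(self, token: str) -> str:
        """Only possible with the vault, i.e. on the enterprise side."""
        return self._to_value[token]


def protect_record(vault: TokenVault, record: dict, fields) -> dict:
    """Replace the named fields with tokens before the record is sent to the cloud."""
    out = dict(record)
    for f in fields:
        out[f] = vault.tokenize(record[f])
    return out


def search_by_card(vault: TokenVault, cloud_records, card: str, field: str = "card"):
    """Exact-match search over cloud-resident records without revealing the card to the cloud."""
    token = vault.lookup_token(card)
    if token is None:
        return []
    return [r["id"] for r in cloud_records if r[field] == token]


# Constructed sample CRM records (4111 1111 1111 1111 is a standard test number).
CRM_RECORDS = [
    {"id": "c1", "customer": "Ada", "card": "4111 1111 1111 1111"},
    {"id": "c2", "customer": "Ben", "card": "5500 0000 0000 0004"},
    {"id": "c3", "customer": "Cy", "card": "4111-1111-1111-1111"},
]

if __name__ == "__main__":
    vault = TokenVault()
    in_cloud = [protect_record(vault, r, ["card"]) for r in CRM_RECORDS]
    for r in in_cloud:
        print(r)
    print("records for Ada's card:", search_by_card(vault, in_cloud, "4111 1111 1111 1111"))
    print("detokenized c2:", vault.detokenize(in_cloud[1]["card"]))
```

Note what the search preserves and what it does not: equality lookups and "group by card" reports work on tokens, but range queries and sorting by the real value do not, since the token prefix is random; that is exactly the trade-off the paper's mention of sorting- and length-preserving techniques is about.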

CONCLUSIONS

Organizations vary in their attitudes and rate of adoption of the cloud, but practically no one is

but it can also pose new risks to data, privacy, and security.

Regardless of your stage of cloud adoption, fundamental requirements remain the same:

• Understand what your users are doing and how their business needs have changed

• Gain visibility to where your sensitive data is going and who should and should not have access

• Take proactive steps to protect business-critical information and retain control regardless of where it goes

For many businesses, using the cloud has become imperative to remaining competitive. As business-critical data moves into the cloud and outside your direct control, the focus needs to shift from securing infrastructure to applying strong protection to the data itself, regardless of where the data resides.

CipherCloud provides a comprehensive platform that supports the industry’s widest range of cloud visibility and data protection options. These solutions provide visibility over current cloud usage, standards-based risk assessment, controls to prevent data loss, and industry-leading technology to secure sensitive data and to prevent unauthorized access, all while meeting your compliance and regulatory requirements.

For more information go to: www.ciphercloud.com

CipherCloud, the leader in cloud visibility and data protection, delivers cloud adoption while ensuring security, compliance and control. CipherCloud’s open platform provides comprehensive cloud application discovery and risk assessment, data protection—searchable strong encryption, tokenization, data loss prevention, key management and malware detection—and extensive user activity and anomaly monitoring services.

CipherCloud is experiencing exceptional growth and success with over 3 million business users across 11 different industries.

The CipherCloud product portfolio protects popular cloud applications out-of-the-

Named SC Magazine’s 2013 Best Product of the Year, CipherCloud’s technology

Transamerica Ventures, Andreessen Horowitz, Delta Partners, and T-Venture, the venture capital arm of Deutsche Telekom. For more information, visit www.ciphercloud.com and follow us on Twitter @ciphercloud.

Headquarters: CipherCloud, 2581 Junction Ave. Suite 200, San Jose, CA 95134

www.ciphercloud.com

linkedin.com/company/ciphercloud

@ciphercloud

[email protected] (1-855-524-7437)

All trademarks are property of their respective owners.

CipherCloud | © 2018