Presented at Texas Cyber Summit 2019
Oct. 11, 2019, 2:15 p.m.
We all know about Shadow IT and the risks and dangers that come with it, but what about Shadow IT in the Cloud? That’s a scary thought. Now you have data in the hands of others and NO ONE KNOWS about it, which means there is no governance or control around it either. How do we lock down data in the cloud and ensure we have everything in place to avoid data loss or breach, while also giving the business and other teams the tools they need to do their work? How do we block these ‘scary’ cloud services like file stores, PDF merger sites, code beautifiers, etc. when cloud is quickly becoming the new normal? What about infrastructure in the public cloud that isn't secured, inventoried, patched, logged, or monitored? How do you know that your business users don't have a public S3 bucket for collaboration?
Shadow IT refers to technology that is procured outside of official channels, processes and/or procedures, meaning it isn’t vetted or managed by the IT and Security organizations. These types of procurements can put a company at great risk. We’ve seen the number of cases related to this steadily grow in many companies. With many easy-to-use solutions out there and with Cloud becoming the next big thing, Shadow IT in the Cloud has become one of our top security risks.
Shadow IT Happens: Workers are using a diversity of applications at work, from note-taking applications to file sharing applications. According to a recent Stratecast survey, 80% of workers admit to using SaaS applications at work, in many cases without IT approval.
Security, The “NO” people
So why do we have so many users turning to these cloud solutions? No one likes processes that slow down their work, and with security being the infamous “No” group, they’ll do whatever they can to avoid having to obtain approvals they may not get. What these users don’t realize is that security professionals aren’t trying to stop you from doing what you’re doing; we’re just making sure that the security of the company is priority number one. Yes, we want to make sure that you can go along with your day-to-day work and even plug in some great new tools that make that work even easier, but it is our responsibility to ensure the security of our data and the highly sensitive data that our members trust us with every day.
With that fear of rejection, users will turn to the vast number of consumer applications available in the cloud. File sharing apps, social media, data stores, collaboration tools: these users just want easier, more efficient ways to get their work done. What they may not realize is how available this information can be once it’s put out there. “But I put this information in the Cloud, so it must be secure, right?” Many don’t realize the risks involved with these tools, and without IT or Security knowing these tools are in use, there’s no way to monitor, track or respond to any type of malicious behavior or data incident. The fault doesn’t lie solely with our users; as security professionals we need to be more open to their needs. Instead of always saying “no”, we can say “maybe, but let’s see how we can secure it”. If users aren’t afraid to ask for approval, the amount of Shadow IT begins to decrease.
Fixing the issue
As we work to explore these emerging technologies and create the opportunities users want and need, what do we do about the technologies being used today without our knowledge? There are many ways to approach this, but here is some insight into how we’ve tackled the issue.
First, there’s the approach that reviews corporate card charges and purchase order billing and compares them against existing contracts with cloud services and companies. We then combine that with DLP tools to find data being sent out to, or stored in, ‘free’ cloud services that would never show up in a billing review. Many times we see purchases and data sent out to cloud services we’ve never even heard of, but each one opens the door to more research and findings, which leads to locking down potential risks.
Second, we can leverage the CASBs currently in place to review the cloud services employees are accessing, block any access that hasn’t been reviewed, and send the user to a bump page that redirects them to our cloud governance process. Being able to monitor user behavior and alert on anything unusual shines a light on the types of actions our users take every day, and having that baseline helps us see when something out of the ordinary takes place.
Finally, with this type of information in place, and as we keep learning more about Shadow IT in the Cloud, we can use auto-remediation tools to lock down known malicious sites or sites that have not been fully analyzed. These tools are always learning and growing, needing less and less human intervention as they track user behavior, malware, malicious sites, etc. and take action. Tools like these are what help us sleep at night.
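As an added illustration of the billing-plus-DLP reconciliation described in the first step (example code written for this page, not code from the talk or from USAA): the script below normalizes card-statement merchant strings and DLP destination domains to a common key, drops anything covered by an approved contract, and ranks what remains by the sensitivity of the data seen leaving toward it. The vendor names, merchant strings, domains, employees and the `vendor_key` heuristic are all constructed assumptions; a real programme would feed it exported billing lines and DLP events and keep a curated alias table next to the heuristic.

```python
"""Shadow IT discovery by reconciling billing, vendor contracts and DLP telemetry.

Added illustration, not code from the talk. Every vendor, merchant string,
domain and employee below is constructed sample data.
"""
from dataclasses import dataclass, field
import re

# Constructed register of cloud vendors with a reviewed contract -> covered domains.
APPROVED_VENDORS = {
    "ExampleShare": {"exampleshare.com"},
    "CloudNotes Inc": {"cloudnotes.io"},
}

# Constructed corporate-card lines: (employee, merchant as printed on the statement, USD).
CARD_CHARGES = [
    ("alice", "EXAMPLESHARE*PRO PLAN", 120.00),
    ("bob", "PDFMERGE-ONLINE LLC", 9.99),
    ("carol", "CLOUDNOTES INC", 45.00),
    ("dave", "QUICKFILEBOX.COM", 15.00),
]

# Constructed DLP events: (employee, destination domain, bytes sent, data classification).
DLP_EVENTS = [
    ("erin", "quickfilebox.com", 52_000_000, "confidential"),
    ("bob", "pdfmerge-online.com", 3_000_000, "internal"),
    ("alice", "exampleshare.com", 10_000_000, "confidential"),
    ("frank", "freepastebin.example", 2_000, "public"),
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def vendor_key(text: str) -> str:
    """Reduce a merchant string, vendor name or domain to a comparable key.

    Heuristic (assumption): the first alphanumeric run, lower-cased, so that
    'PDFMERGE-ONLINE LLC' and 'pdfmerge-online.com' both become 'pdfmerge'.
    """
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return tokens[0] if tokens else ""


@dataclass
class Finding:
    key: str
    employees: set = field(default_factory=set)
    spend_usd: float = 0.0
    bytes_out: int = 0
    classifications: set = field(default_factory=set)
    sources: set = field(default_factory=set)

    def severity(self) -> str:
        # Confidential data already outside beats everything; a paid-for or
        # internally-used unknown service comes next; hygiene items last.
        if "confidential" in self.classifications:
            return "high"
        if self.spend_usd > 0 or "internal" in self.classifications:
            return "medium"
        return "low"


def approved_keys(approved=APPROVED_VENDORS) -> set:
    """Keys for every contracted vendor name and every domain its contract covers."""
    keys = set()
    for name, domains in approved.items():
        keys.add(vendor_key(name))
        keys.update(vendor_key(d) for d in domains)
    return keys


def reconcile(charges=CARD_CHARGES, dlp_events=DLP_EVENTS, approved=APPROVED_VENDORS) -> list:
    """Return one Finding per cloud service seen in billing or DLP data that has
    no approved contract, most severe first."""
    known = approved_keys(approved)
    findings = {}

    for employee, merchant, amount in charges:
        key = vendor_key(merchant)
        if key in known:
            continue
        f = findings.setdefault(key, Finding(key=key))
        f.employees.add(employee)
        f.spend_usd += amount
        f.sources.add("billing")

    for employee, domain, nbytes, classification in dlp_events:
        key = vendor_key(domain)
        if key in known:
            continue
        f = findings.setdefault(key, Finding(key=key))
        f.employees.add(employee)
        f.bytes_out += nbytes
        f.classifications.add(classification)
        f.sources.add("dlp")

    return sorted(findings.values(),
                  key=lambda f: (SEVERITY_RANK[f.severity()], -f.spend_usd, -f.bytes_out))


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.severity():6} {f.key:14} users={sorted(f.employees)} "
              f"spend=${f.spend_usd:.2f} bytes_out={f.bytes_out} via={sorted(f.sources)}")
```

With the sample data, the two contracted vendors disappear from the report, the file-sharing site that received confidential data and also shows up on a card statement ranks first, the paid PDF merger second, and the paste site that only ever received public data last. Services that appear in only one source are still reported, which is the point of blending the two views: a free tier never produces a card charge, and a paid tool used by one person may never trigger DLP.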
Infrastructure and Platform as a Service present their own challenges in terms of security controls. This presentation will also offer possible technical controls (preventive and detective) to address this risk.
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) outlines best practices and processes for security professionals to use to manage risk in their systems. The five pillars of the framework are Identify, Protect, Detect, Respond and Recover. Today, cloud technologies lean toward the last three of those pillars, but our goal is to get our cloud technologies aligned with Identify and Protect. As cyber security professionals, we will be proactive rather than reactive.
Not everyone will be happy when you tell them they can’t do something they’ve become accustomed to, or that there are new approvals they’ll need to obtain first, not to mention all the work and resources needed for mitigation and remediation of any data incidents, but it must be done. We need to work together with our users to find the best tools available that we can still manage and monitor. Our goal is to allow users to use the cloud services available to them, securely.
**Notes:** Co-presenters, Jessica Hazelrigg and Marisa Dyer, have extensive experience standing up and running a comprehensive cloud security program at USAA. Jessica is the director responsible for creating the cloud security team at the beginning of the cloud journey. Marisa joined the team and is a pivotal member of our remediation and enablement workstreams, working in AWS, Azure, and GCP.
Marisa is currently a Cloud Security Engineer serving on the Platform Threat Defense team focusing on managing and securing accounts and resources within the different cloud technologies at USAA to include AWS, Google Cloud and Microsoft Azure.
Her previous roles at USAA include Software Development within the API gateway team to manage and secure all gateway traffic for the enterprise. Before that, she served on the Managed File Transfers team handling all electronic data transfers between USAA and their suppliers, securing the transport and the data itself.
Marisa graduated from the University of Texas at El Paso in 2013 with a Bachelor of Science in Mechanical Engineering where she focused on 3D printing technologies and graphic design. (Everyone's first question - "How'd you get into IT??")
Jessica is Director over the Platform Threat Defense team, whose purpose is to enable the security and availability of USAA’s platforms and endpoints to include web security, email gateways, antivirus, PKI and cloud technologies. She is also an Information Security Instructor with the Center for Infrastructure Assurance and Security (CIAS/UTSA).
Her previous roles at USAA include Manager over the Cyber Security Infrastructure team and Lead Security Analyst on the USAA Cyber Threat Operations Center (CTOC) team where she was instrumental in formalizing the CTOC hunting program and moving the CTOC to a more proactive mindset.
Prior experience includes three years serving as a team lead for an operational analysis team supporting US cyber intelligence efforts; five years of experience researching, analyzing, and writing comprehensive intelligence products; and three years of military intelligence experience.
Jessica has a B.S. in Computer and Information Science from UMUC and a M.S. in Information Assurance from Capitol Technology University. She holds the GCIH, GCIA, and GMON certifications.