In the more than ten years I have worked on developing security solutions, I have witnessed the steady evolution of security threats and the incredible strides made to combat them. Recent high-profile security breaches have shown that a breach in security can have serious consequences. It can lead to loss or destruction of business assets, bad publicity and its associated effect on a company’s brand, hefty regulatory fines, disruption of services and costs associated with numerous lawsuits. The main task of a hacker is to access business assets through the network without being detected. The threats are normally cloaked within ubiquitous traffic flows such as web or email. Whatever the nature of a threat, an attack leaves signatures behind that can be used to “un-cloak” the threat. Threat defense and visibility is the watchword.
It has been exhausting for many of us to be constantly engaged in the never-ending cat-and-mouse game we play to manage and detect cyber threats. When it comes to securing private and public clouds, a new generation of
Tags: Cisco Cloud Security Architecture, cloud, cloud architecture, cloud consumers, cloud security, cyber threats, invisible threats, Service Provider
Shadow IT is estimated to be 20-40 percent beyond the traditional IT budget. The ease by which organizations can purchase apps and services from cloud service providers (CSP) contributes significantly to this spending. This is an eye-catching number worthy of investigation—not only to identify and reduce costs, but to discover business risks. So, it is no surprise that CIOs and CFOs have started projects to identify and monitor unknown CSPs.
I often get questions from customers asking if it is possible for IT to monitor cloud service usage and discover shadow IT using existing technologies, and what the pros and cons would be.
The first CSP monitoring approach I am asked about is the use of secure web gateways. A gateway captures and categorizes incoming web traffic and blocks malware. The benefit of this approach is that the gateways are typically already in place. However, there are several limitations in relying exclusively on this approach. Gateways cannot differentiate between a traditional website and a CSP which might be housing business data. They also have no way of discerning whether a given CSP poses a compliance or business risk. Most importantly, to use gateways to track CSPs, IT would need to create and maintain a database of thousands of CSPs, and create a risk profile for each CSP in order to truly understand the specific service being consumed.
The second approach I get asked about is whether organizations can use NetFlow traffic to monitor CSPs. Many customers feel that they can build scripts in a short amount of time to capture usage. The simple answer is yes, this can be done. But organizations would face a challenge similar to the one they face with web gateways. To capture CSP traffic using NetFlow, IT would need to develop scripts to capture every CSP (numbering in the tens of thousands). IT would then need to identify how each CSP is being used, the risk profile of the CSP to the organization, and how much the CSP costs in order to project overall spend. This is just the beginning. An IT department would then need to build reporting capabilities to access the information, continually maintain the database, and apply resources to this undertaking on a monthly basis to ensure the database stays current.
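A sketch of the kind of NetFlow script described above, added here as an illustration and not taken from the original post or from any Cisco tool: it matches exported flow destinations against a CSP catalog and totals bytes and distinct internal users per provider. The catalog entries, prefixes (documentation address ranges), risk labels and flow records are all constructed.

```python
import csv
import io
import ipaddress

# Hypothetical CSP catalog: names, prefixes (RFC 5737 documentation ranges),
# risk ratings and authorization flags are all constructed for illustration.
CATALOG = [
    {"csp": "ExampleStorage", "prefix": "203.0.113.0/24", "risk": "high", "authorized": False},
    {"csp": "ExampleCRM", "prefix": "198.51.100.0/25", "risk": "low", "authorized": True},
]
UNRATED = {"csp": "UNKNOWN", "risk": "unrated", "authorized": False}

# Constructed flow export: internal source, destination, port, bytes sent out.
FLOWS = """src,dst,dport,bytes
10.1.4.20,203.0.113.17,443,48211000
10.1.4.21,203.0.113.40,443,9120000
10.1.4.20,198.51.100.9,443,150000
10.1.7.5,198.51.100.200,443,77000
10.1.7.5,192.0.2.80,443,5300
10.1.4.20,203.0.113.17,443,1000000
"""

def load_catalog(entries):
    """Parse prefixes once, most specific first, so the first hit is the best match."""
    nets = [(ipaddress.ip_network(e["prefix"]), e) for e in entries]
    return sorted(nets, key=lambda pair: pair[0].prefixlen, reverse=True)

def classify(dst, catalog):
    """Return the catalog entry whose prefix contains dst, or None."""
    addr = ipaddress.ip_address(dst)
    return next((e for net, e in catalog if addr in net), None)

def summarize(flow_csv, entries):
    """Aggregate outbound bytes and distinct internal users per CSP."""
    catalog = load_catalog(entries)
    report = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        entry = classify(row["dst"], catalog) or UNRATED
        rec = report.setdefault(entry["csp"], {"bytes": 0, "users": set(),
              "risk": entry["risk"], "authorized": entry["authorized"]})
        rec["bytes"] += int(row["bytes"])
        rec["users"].add(row["src"])
    return report

if __name__ == "__main__":
    for csp, r in sorted(summarize(FLOWS, CATALOG).items()):
        print(csp, r["bytes"], len(r["users"]), r["risk"], r["authorized"])
```

The `UNKNOWN` bucket is where the maintenance burden shows up: any destination outside the catalog's prefixes, including an address a listed provider has added since the last catalog update, lands there unrated.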
The good news: Cisco has done this work for our customers! We have developed Cloud Consumption Services to help organizations identify and reduce shadow IT. Using collection tools in the network, we can discover what cloud services are being used by employees across an entire organization. Cloud Consumption includes a rich database of CSPs and can help customers identify the risk profile of each CSP being accessed, and identify an organization’s overall cloud spend.
Cisco has helped many IT organizations discover their shadow IT. For example, we worked with a large public sector customer in North America that was struggling to embrace the cloud but was concerned about business risks. Employees were pushing for cloud services to improve productivity when 90% of Internet traffic was blocked by the organization’s policy. Despite these restrictions, 220 cloud providers were already being used and less than 1% were authorized by IT. Leveraging Cloud Consumption Services, the customer was not only able to manage risk, but also able to authorize future cloud services based on employee needs in a controlled manner.
It is a good practice for every IT organization to understand how employees are using cloud services and monitor usage on an ongoing basis. I encourage our customers to determine which approach would work best for their organization; otherwise they may face unknown business risks and costs.
To learn more about avoiding the pitfalls of shadow IT and how you manage cloud services, please register to attend an upcoming webinar on Dec 11, 2014 at 9:00 a.m. PT.
Tags: Cisco Cloud Services, cloud, cloud concerns, Cloud Consumption, Cloud Management, cloud security, cloud services, data security, security, Shadow IT
#CiscoChampion Radio is a podcast series by Cisco Champions as technologists. Today we’re talking with Cisco Compliance and Data Privacy Leader Evelyn De Souza about Cloud Security. Brian Remmel (@bremmel) moderates and Andres Sarmiento and Denise Fishburne are this week’s Cisco Champion guest hosts.
Evelyn De Souza, @e_desouza, Cisco Compliance and Data Privacy Leader
Andres Sarmiento, @asarmiento85, Lead Technical Consultant
Denise Fishburne, @DeniseFishburne, Systems Engineer
Tags: #CiscoChampionRadio, cloud security, Cloud Security Alliance, data protection
That is the approximate number of cloud services that Ken Hankoff, Manager of Cisco IT Risk Management’s Cloud and Application Service Provider Remediation (CASPR) Program believes Cisco’s 70,000 employees use. For the last 14 years, this program has assessed and remediated risks associated with using a cloud-hosted service.
An assessment process for new cloud services is a vital step toward reducing the risk of using externally hosted services. Many customers I speak with struggle to rapidly assess cloud services and integrate them into their IT organization. As part of my blog series on governing cloud service adoption, I asked Ken to share some of his ‘lessons learned’ in assessing the risks of cloud services and bringing them into Cisco IT’s fold.
How do you ensure that teams wanting to use new cloud services work with your team?
Our team is not in the business of sourcing cloud vendors. That responsibility lies with the individual business units and their architecture teams who are seeking to use the service, often in partnership with IT. Once a vendor is selected, there are two primary ways in which my team gets engaged. First, through the Global Contracts team as they have made Cloud Service Provider assessment a part of the contracting process, and second when a new service is being integrated within IT.
How do you evaluate whether a new cloud service is risky to the business?
We look at seven risk factors to create a formula for risk—business criticality, financial viability, security, resiliency, architectural alignment, regulatory compliance, and assessment status.
We establish the business criticality of the service to determine how Cisco would be impacted or disrupted in the event the capability provided by the vendor would go away, and whether we could react or compensate.
We then look at the financial viability of the vendor to give us comfort that they will remain in business. To evaluate vendors we leverage Dun & Bradstreet’s Predictive Scores & Ratings. We rely heavily on Cisco’s Information Security (InfoSec) organization to provide us with a Security Composite Risk score. Depending on the parameters of the cloud provider engagement, InfoSec will look at the vendor’s application development process, infrastructure, data handling security, system-to-system interoperability, and other areas. For resiliency we focus on how they meet our standards around business continuity and disaster recovery to ensure that our business data will be there when needed, regardless of what happens.
We also need to ensure that we stay compliant with regulations. A vendor that has to comply with HIPAA, SOX, or other regulatory/privacy requirements poses a higher risk than one that doesn’t. For this reason, we look into whether regulatory compliance is a factor, and if so, that it is addressed appropriately.
Finally, we also assess if the vendor aligns to the broader architecture that Cisco IT is investing in to support the business. Vendors are deemed higher investment risk if they do not align to the business and operational roadmap that Cisco is pursuing.
We reassess vendors on a periodic basis according to their overall risk score. If a service is overdue for a reassessment, that in itself increases the risk of doing business with the provider, so we factor it in.
In your opinion, what are the three most important things to manage the business risks of cloud services?
First, I would suggest establishing ownership and governance of cloud services via a centralized PMO at enterprise level, not just within IT. This ownership needs to go beyond just assessing vendors for security risk, and focus on establishing company-wide policies for overseeing cloud services at the enterprise level.
Second, provide visibility into existing services and how they are being used. This helps enable a catalog of assessed and approved vendors for people to access. If you can have fewer vendors being used, you can reduce your risk.
Third, continually monitor services across the board to know what risks we might be facing, and ensure that the service providers are meeting their SLAs. Additionally, this helps to ensure that investments aren’t being wasted. There is a natural CSP application lifecycle – selection, implementation, adoption, and eventually that service usage might decline and you may end up supporting something that has very few users if you don’t have a lifecycle approach to phasing out services.
What is your biggest lesson learned in assessing new cloud services?
I wish the program had collected more metrics earlier. What we are finding is that there are a significant number of services being contracted all over the company. By collecting really good metrics we might have been more effective in showing executives what services are being used, who is using them, and how. We are making good progress on this now, but I wish we started earlier.
How are you monitoring cloud services and gathering this intelligence?
Our professional service team has helped us a great deal. With the Cisco Cloud Consumption Services, we have begun to capture an enterprise view of what cloud services are being used and by whom, and have a great dashboard of metrics we can now use to inform Cisco executives. I never imagined before we were using the software that we had nearly 2,000 cloud services in use, but with Cisco Cloud Consumption we now know and can monitor activity.
Learn more about how Cisco can help monitor and manage cloud providers at http://www.cisco.com/go/cloudconsumption.
Tags: Cisco IT, cisco on cisco, cloud, cloud governance, cloud risks, cloud security
As organizations seek ways to maintain real-time connections with their workforce and customers in an increasingly digital and mobile-centered world, the growth of mobile cloud will be a major force in shaping the business landscape and future tech decisions. The first blog post in this series, by Padmasree Warrior, explores how the convergence of mobility and cloud will deliver unprecedented transformation for all organizations. The second blog post in this series, by Sujai Hajela, answers the question of what mobile cloud really is and how it continues to provide new business opportunities. In the third post, Joe Cozzolino looks at what mobile cloud means for service providers and enterprises. And finally, this post will discuss the need for end-to-end security in a mobile cloud environment.
Mobile cloud services are growing exponentially in both number and scope. According to a report from Smith’s Point Analytics released late last year, mobile cloud services platforms are projected to grow over the next four years from US$579 million to a staggering US$4.4 billion in 2017.
Tags: cloud, cloud security, mobile security, mobility, security