Can You Afford Microsoft Cloud Security?

IT professionals have long wrestled with the trade-offs between using a best-of-breed, single point solution and one of a suite of offerings from a large, well-established vendor. Yet, the old catchphrase, “nobody ever got fired for choosing IBM,” seems increasingly out of place in the fast-changing and high stakes world of cyber security, where safe can leave you sorry. 

Microsoft is migrating customers from its licensed suite of office productivity software to Office 365 (O365), its cloud and mobile-first platform. In order to address the cloud’s unique security and compliance issues, and to generate additional revenue streams, Microsoft has developed product features and acquired businesses that compete with best-of-breed (BoB), independent providers. Some of the products in its Enterprise Mobility & Security E3 and E5 packages, and its BoB competitors, include:

Azure Active Directory. Identity and access management service, competing with Okta, Ping Identity, OneLogin and Centrify.

Defender Advanced Threat Protection. Service that detects, investigates and responds to advanced attacks. It competes with anti-virus software providers as well as endpoint detection and response providers such as Cylance, CrowdStrike, Bromium and Carbon Black.

Cloud App Security. Service that identifies and controls employee use of SaaS apps as a means of combating “shadow IT,” a phenomenon in which employees procure or access technology without first seeking IT’s consent. It competes with Netskope, Skyhigh Networks, Bitglass and CipherCloud, which started with shadow IT, but also have developed many other features and functions to achieve comprehensive control over data flowing to and from the cloud.

Let’s focus on Cloud App Security.

Microsoft’s cloud and mobile-first strategy has given the company newfound mojo. Their O365 product is a compelling, evolutionary step beyond their traditional, licensed Office suite. More than 70 million people currently use O365 commercial every single month. However, at this point, Microsoft's journey to build security into O365 has left them far short of the capabilities offered by their best-of-breed alternatives. Not surprisingly, their Enterprise Mobility & Security E5 package (which includes Cloud App Security) is routinely offered at heavy discount to its list price of $15 per user per month. Microsoft’s security offerings will continue to improve, but most customers have real problems they need to solve now, and a best-of-breed solution is the only way to go.

The cloud represents a generational transformation, requiring a whole new way of thinking about its intended and unintended consequences. The typical company today has more than a third of its data in the cloud, and many have no visibility on all the SaaS apps and cloud hosts used by their employees and contractors. There are more than 25,000 SaaS apps in circulation, of which fewer than 10% are enterprise ready, so the cloud introduces considerable security and compliance issues to manage.

By 2012, about a dozen firms that Gartner calls cloud access security brokers (CASBs) had emerged to address these issues. CASBs are gateways that filter data flowing to and from the cloud. They provide an assessment of risk for each app, usually expressed on a 1-100-point scale, so IT can quickly decide which apps should be sanctioned, permitted or unsanctioned.

CASBs can also extend a company’s data loss prevention (DLP) policies to the cloud, enabling IT to track employee behavior and even encrypt data at rest within sanctioned apps like O365, Salesforce, Workday, and many others. It’s virtually impossible to comply with data privacy regulations such as EU GDPR (where non-compliance penalties can cost a company up to 4% of global revenue), NYCRR, and many others without a best-of-breed CASB.

Today, Microsoft, as well as Cisco, Symantec and Forcepoint, offer CASB-like functionality as part of their broader offerings. Customers waiting for a seamless integration of all the elements of an integrated suite of products from these major vendors may have their patience tested. In February 2017, one CEO of a major vendor described his plans to integrate a CASB business that he had just acquired: “We’re breaking the bones and resetting the company to be really strong when we grow up.” That sounds like a pretty painful customer journey. 

Netskope and Skyhigh Networks, among others, remain pure play CASBs, and are best-of-breed in the category. Using Microsoft’s security products can lower enterprise risk, especially as a layer in a comprehensive strategy, and they’re certainly better than doing nothing. However, considering the stakes involved in cyber security, relying just on Microsoft is like bringing rocks to a gun fight. Here are some reasons why you would want to rely on a BoB CASB.

Architecture. Any major sanctioned app, such as O365, Salesforce or Box, offers its own, independent platform for security. BoBs promote a centralized approach that is applicable across all apps. The walled garden approach to security isn’t scalable in the cloud; not when the typical company has over 1,000 apps on their network. Only a comprehensive approach can detect anomalies, identify threats traversing apps, and monitor data that might exfiltrate to an app.

Bias. Will Microsoft devote enough attention to apps with which they compete? Will the security issues associated with Box get the attention paid to OneDrive? How about Salesforce/Dynamics CRM, Slack/Teams and Google/O365?

Persistence of Coverage. A CASB’s ability to inspect traffic is dependent on the form of its connection to the app. Microsoft only connects to an app via an application programming interface (API), so it cannot inspect traffic in real-time. A BoB CASB connects in-line, including forward and reverse proxies, providing visibility and control in real-time.

Size of App Directory. As a core competency, a BoB CASB maintains the most complete directory of apps, currently numbering over 25,000. Microsoft’s directory is much less than complete.

Adaptive Access Control. Enforcing DLP policies in the cloud requires a granular understanding of device classification and permissible activity across apps. For example, a BoB CASB can block PHI data from being downloaded from Box to an unmanaged device if the user is not a member of a “medical professional” Active Directory group. 

Use Case Coverage. Cloud security is all a BoB CASB has been thinking about for over seven years now. During that time, a BoB CASB has built its platform to accommodate all the conceivable use cases from hundreds of customer deployments. Focus brings expertise and agility that Microsoft simply cannot match.

IBM and Microsoft perfected the tactic of introducing FUD (fear, doubt and uncertainty) into the technology purchase decision. Today, the best-of-breeds are more likely to get you to question the safety of relying solely on the big guys, and for good reason.



The Minority Report on OneLogin

Your organization should feel vulnerable when one of your vendors gets hacked, especially vendors with a connection to your network or that hold your sensitive information. When one of those vendors gets hacked, their breach should send shivers down your spine. We’re at the point where security professionals have to anticipate the crime before it happens. To use an analogy based on the 2002 movie Minority Report starring Tom Cruise, organizations must operate a vendor risk management program much like a Pre-Crime unit.

Two tools can enable such a Pre-Crime effort: cyber risk ratings and cloud security gateways. Neither tool purports to be a crystal ball, but they do measure risk factors that can merit attention before a breach occurs.

Cyber risk ratings firms are driving a new age of transparency. They offer an objective assessment of an organization’s vulnerability to hackers in the form of a rating that can change daily. The lower the rating, the greater the vulnerability. Risk factors covered include IT housekeeping issues such as port configuration and email security protocols, as well as events, such as an IP address that becomes associated with malware or botnets. Cyber risk ratings complement, but also leapfrog questionnaires and penetration tests, the traditional methods of vetting vendors. BitSight adds cost-effective breadth and depth of coverage on a continuous basis.

Cloud Security Gateways (CSGs) are becoming popular because workloads are shifting from locked-down, on-premises data centers to the cloud, and organizations need to be able to identify and control employee use of cloud-based services. Also, regulations such as the EU GDPR require control over data that can only be achieved with a CSG, with penalties for non-compliance that can cost a company up to 4% of annual global revenue. The cloud offers amazing agility and innovation, but it also introduces considerable security and compliance risks that must be managed.

The breach reported by OneLogin on May 31, 2017, was a spine-tingling event for its customers. OneLogin is a cloud-based service that provides single sign-on and identity management for all the cloud-based applications used by an organization. Comparable providers include Ping Identity, Okta, Centrify, Sailpoint and Bitium. OneLogin's breach has been well-covered by the media, including security bloggers. Let’s see what we could have known about OneLogin before the event occurred.

BitSight Technologies has become the standard for cyber risk ratings. Organizations that use BitSight can detect changes in the security posture of any of their covered vendors across numerous risk factors on a daily basis. BitSight promotes a transparent conversation between customer and vendor that can drive greater accountability on security standards.

OneLogin experienced a reported breach in September 2016, causing their score to decline. OneLogin’s score has risen since then, but dropped again after last week’s event. None of the other comparable providers experienced that kind of event over the past year. It's one thing to be once bitten, twice shy, but how should you react to a vendor that's twice bitten?

While not clinically predictive, BitSight asserts that a vendor with a botnet grade (one of several risk factors measured) of ‘B’ or lower is twice as likely to experience a significant data breach than one with a grade of ‘A.’ BitSight isn’t a comprehensive measure of cyber security, but it can drive efficient, meaningful interaction between customers and vendors that leads to a safer and more compliant supply chain. The age of cyber transparency ushered in by the ratings firms can affect market share over the long run.

Cloud-based vendors have a whole other set of risk factors to consider. The Cloud Security Alliance has developed a robust set of about 50 factors that have been incorporated and further developed by CSGs such as Netskope and Skyhigh Networks, among others. For example, does your organization continue to retain sole ownership of its data after uploading to a cloud host? What compliance certifications do they possess? Do they encrypt data-at-rest and in-transit? Does the app have a disaster recovery plan?

Netskope’s approach to measuring risk is embodied in their Cloud Confidence Index (CCI), a 1-100 metric that indicates a cloud-service’s enterprise-readiness. There are over 25,000 cloud-based services out there, of which only 6% are enterprise-ready, so there are considerable security and compliance risks to manage.

By monitoring their CCI score, you can understand the unique risks that a cloud-based vendor can represent to your organization. A customer should engage cloud-based vendors with its eyes open, raise an issue that is concerning, and choose another vendor if it's not satisfied.  

Hindsight is 20/20 but, with the right tools, your risk management program can help you foresee issues that can lead to trouble, so that you can avoid them.

Note: Source Calle LLC is a channel partner for BitSight Technologies, Netskope and Skyhigh Networks.



IT Housekeeping Drives Strong Cyber Security

We learned some of the most important life lessons in kindergarten. “Clean up your room” is just as relevant a call to action in IT environments across organizations of all sizes and sophistication. Poor housekeeping leads to security and compliance shortcomings and unnecessarily high costs. While not an exhaustive list, here are some problem areas and ways to address them.

Start With IT Asset Management (ITAM). ITAM’s traditional mandate to keep track of licensed software and physical hardware may lack the visibility (and budget) that Information Security enjoys, but it is no small feat and can drive strong cyber security and lower costs.

Licensing rules are hard to interpret, and virtualization and shifting workloads from on-premises to the cloud compound the challenge. Accurate data on resident software publishers, versions, usage and entitlements is elusive. Siloed business units may resist sharing underutilized licenses with other units. Unsupported, vulnerable software can linger undetected for years. ITAM is challenging but the payoff can be considerable.

IT departments are appropriately anxious about the prospect of upcoming audits. Microsoft, Oracle, IBM and other traditional licensed software publishers derive large sums from penalties and true-up payments that these audits yield. The best defense here is a good offense. Become well organized, and demonstrate competence. Publishers target the largest and weakest sheep first, and dedicate resources where they think they’ll get the best return on their effort.

Hardware is just as important an asset to manage. From smart phones to servers, hardware should be tracked throughout its lifecycle (with clear access controls), from provisioning to disposition, and all the configuration changes made to them along the way. Many companies still leave valuable data on hard drives that have not been appropriately decommissioned. Photocopiers are returned after lease expiry laden with recorded images of sensitive documents. Every company can do better.

ITAM is more of a journey than a destination. Installing one of the popular asset management tools is just a start. ITAM needs to be integrated into responsive service management and provisioning processes, and be considered a core aspect of the security and compliance mission. It takes senior level support, thoughtful processes, and the right people.

Get Your Arms Around the Cloud. The rapid shift away from the use of licensed software forces us to expand the traditional definition of Asset in ITAM to include software-as-a service applications (SaaS apps) and cloud hosts (infrastructure). More than a third of a typical organization’s data now runs through the cloud, and visibility and control over this activity is sorely lacking. Popular sanctioned SaaS apps like Office 365, and Workday are just beginning to recognize the need to bring necessary transparency with regard to user activity.

Employees access SaaS apps because they are easy to use and tend to be innovative, single point solutions that are unique or superior to licensed software alternatives. Employees are often frustrated by slow, internal, licensed software provisioning processes. They may not recognize or respect policies designed to police this activity. The resulting ‘shadow IT’ phenomenon can create significant security and compliance risk. The typical large organization can now have more than 1,000 SaaS apps running on their networks, and only 6% of them are considered to be enterprise-ready.

An emerging group of companies that Gartner calls cloud access security brokers (CASBs) now shine a light on shadow IT. Unique cloud risks require a new set of questions to answer and governance policies to audit. Cloud risk categories include certifications and standards, data protection, access control, auditability, business continuity, legal and privacy issues, and vulnerabilities and exploits. For example, a SaaS app that many people use instead of PowerPoint admits, in the fine print of its user agreement, that it owns any of the data uploaded to the site. That should be troubling to anyone interested in safeguarding sensitive information. Good housekeeping in the cloud requires you to identify, risk assess, control and optimize the use of cloud-based services.

Treat Your Data Like a Key Asset. Good housekeeping requires yet a further expansion of the definition of Asset to include data and information.

There are at least eight reasons why you need a data map. Data and information are among a company’s most vital assets, yet few companies have a good understanding of where they are located. If you don’t know where your data reside, you cannot protect them or create the most value from them.

Companies sit on vast data landfills. Two-thirds of company data are redundant, obsolete or trivial (ROT). Eliminating ROT data can dramatically reduce storage costs. The remaining data will be easier to find, protect and utilize, and is more likely to be of sufficient quality to drive big data opportunities. Any company looking to lift and shift their workloads to AWS, Azure or other cloud hosts should clean-out their closets first.

Classification technologies help to distinguish sensitive data from everything else. Companies can best enforce data loss protection policies (e.g., employees cannot download customer lists to their Dropbox accounts) if they have first classified their data.

Look at Your House From the Outside. A handful of firms have emerged to answer an important question: what does good look like when we talk about cyber security? These ratings firms size up a company’s cyber hygiene like a hacker would, and create a FICO-like score based on continuous, objective, non-invasive assessments of vulnerability. While not a comprehensive measure of a company’s security posture, weaknesses based on these external scans can indicate vulnerabilities that can be confirmed through internal scans. The cyber risk ratings phenomenon is ushering in a new age of cyber transparency.

The risk factors measured by these firms cover basic housekeeping issues that can be easily rectified. Are your ports configured correctly? Do you unnecessarily reveal too much information about the type and version of server software in use on your network? Do you adhere to appropriate email protocols to combat phishing expeditions? Are you attentive to vulnerable or outdated software by patching deficiencies promptly? Do you maintain certifications for sufficiently potent forms of encryption?

Cyber risk ratings firms draw attention to housekeeping issues that previously went unrecognized, sometimes even to the IT staff. Hackers got access to Target Corp through a vendor with poor cyber hygiene. More than half of reported data breaches are attributable to weak third parties, so cyber risk ratings are an indispensible tool for measuring a vendor’s or partner’s attention to good housekeeping. Even Board members can follow the story, with easily digestible reporting that doesn’t require a technology background to decipher.

Maybe it’s true that 80% of success comes from showing up. Similarly, a lot of cyber security is attributable to basic, good housekeeping. If this paper got you thinking about other ways you can exercise good IT housekeeping at your company, please share your stories below.

Craig Callé is CEO of Source Calle LLC, a consulting firm that makes organizations more data-centric. He is a former CFO of Amazon’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.





Eight Reasons It's Time For A Data Map

A data map is an inventory and visualization of your company’s data and information assets. The rising number and severity of data breaches is generating strong demand for maps, and there are other reasons to create, improve and sustain one.

1. Data Maps Make Chief Information Security Officers (CISOs) More Effective. 

2. Data Maps Drive Business. 

3. Your Board Wants a Data Map. 

4. Data Maps are Essential for Compliance. 

5. Data Maps Let Us Actually Treat Data as an Asset. 

6. Data Maps Create Data-Centric Organizations. 

7. Data Maps Make Good Housekeeping. 

8. Data Maps are Doable. 

[For more, click View Post]



Ready for the Age of Cyber Transparency?

Cyber transparency is a condition where the quality of your organization’s security is obvious to everyone. Just as you might walk down the street and consider the suitability of a diner based on the sanitary letter grade displayed in the window, businesses want to understand the cyber hygiene of their vendors.  Two firms are becoming known as the Moody’s and S&P of cyber ratings, and their influence is changing the way businesses compete.

Organizations cannot become secure without a comprehensive understanding of their data and information assets, and they need to take precautions when entrusting them to third parties.

Learn more about the two firms that are leading the cyber rating revolution and the implications in an article I wrote for CFO magazine: Cyber Ratings Services Can Help Thwart Hackers.

[For more, click View Post]



Seven Questions You Must Add to Your M&A Due Diligence List

Merger and acquisition (M&A) advisors, and the clients they serve, pore over a seemingly endless amount of material to determine the suitability of a transaction. Ironically, one of the most important assets, data, gets little or no attention in the process. Developing a comprehensive understanding of a target’s data and information assets results in a transaction with substantially lower risk, especially cyber risk, and creates vast opportunities for value creation.

Here are seven questions you should address in your next transaction to determine the extent to which the target operates in a data centric manner.

[For more, click View Post]



Why Data Needs a Seat at the Corporate Table

Data is an asset that needs much better representation at the C-level. The head of HR makes sure People get full representation, and Data is no less important.

Responsibility for data is integral to, and spread across, the jobs held by Chief Officers for Accounting, Audit, Compliance, Data, Digital, Financial, Governance, Information, Information Security, Knowledge, Legal, Marketing, Privacy, Risk, Strategy and Technology, not to mention those who may report to these people. Any one of these jobs is complicated and demanding, and their interests in Data can conflict with one another's. When organizations establish a comprehensive understanding of their Data assets, they can do a much better job protecting and creating value from them.

Virtually every company today seeks to become more data-driven in their decision making process. That desired outcome is best achieved by appointing someone, reporting to the CEO, who represents Data across the organization. Most CEOs think of Data as simply an IT issue, and that perspective is incredibly shortsighted. Learn more about one of the biggest organizational transformation opportunities today in an article I wrote for CFO magazine: Why Data Needs a Seat at the Corporate Table.



Fair Compensation For Data Breaches

Just about every day now, we read or hear about data breaches, and some of us are actually victims of them. Some organizations are even preparing a breach response plan in advance, just assuming that one day, perhaps soon, it will have to be implemented. Developing the right response for your business requires an understanding of the consequences of data breaches on the behavior of your customers, regulators, investors and vendors, among other constituents. While this topic is worthy of further research, a pattern is beginning to emerge.

[For more, click View Post]



How Microsoft Office 365 is Becoming More Transparent

Microsoft has long been the undisputed leader in home and office productivity software. In June 2011, it launched Office 365, its cloud-based software that enables you to use Word, Excel, PowerPoint, Outlook and other applications from multiple devices.  O365, as it’s typically abbreviated, is at the heart of Microsoft’s mobile-first, cloud-first mission. Yet, as Microsoft would be among the first to concede, something important has been missing from O365, and the company has been hard at work, through partnerships and acquisitions, to close the gap.

[For more, click View Post]



Companies Should Fight Hackers, Not Regulators

It’s a wonder why you don’t find just about every Chief Information Officer (CIO) sitting under their desk considering the large and growing number of security breaches that are costing their organizations dearly.  If it’s not bad enough that they must fend off hackers and other external threats, CIOs also feel besieged by regulatory entities that are flexing their muscles to protect the interests of consumers, investors, and other constituents.  Audit Committees and Chief Financial Officers (CFOs) are getting involved in the discussion too.  Board members and executives need to better understand how the FTC, SEC, the accounting profession, and various standards bodies are trying to get organizations to raise their game when it comes to cybersecurity practices.

[For more, click View Post]



Disclosing the SEC's Cybersecurity Disclosure Guidance

When the U.S. Securities and Exchange Commission (SEC) talks, people listen; and when the topic turns to cybersecurity, people are obliged to act. Estimates of the economic costs of commercial cyber-espionage to the United States top $100 billion annually. Security breaches affecting companies such as Sony, Target, Anthem, as well as various US government agencies, seem to make headlines each week. Yet, with all the attention paid to cybersecurity, organizations react to and publicly disclose incidents in remarkably inconsistent ways. The SEC’s Division of Corporation Finance (DoCF) continuously assesses public companies’ disclosure processes, and it provides guidance designed to increase corporate transparency and information around cybersecurity. The SEC’s growing attention to cybersecurity disclosure should motivate the external audit community (e.g. PwC, EY, Deloitte, KPMG, etc.), and the entities they audit, to raise their game by ensuring that technology controls get the attention they deserve.

[For more, click View Post]



Why CFOs Must Own Cybersecurity

After 20 years, the internal control framework that is a cornerstone of Sarbanes-Oxley was recently updated by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to put an emphasis on controls around technology. Think of COSO as something akin to the high priests of accounting. Technology is embedded in everything people and businesses do, so the update motivates Boards, Chief Financial Officers, Chief Information Officers, General Counsels and Enterprise Risk Managers, as well as external auditors, to reassess the associated risks and opportunities, and to raise the bar on technology controls.

[For more, click View Post]