You're the IT worker in charge of securing the cloud for your company. Welcome to Hell
How'd data leave country? Yep, control-V'd into a rando app the user set up
Once upon a time, you’d go into the office, do your work during the day at your desk, then leave everything behind and go home. Well, end users would - IT workers have been lugging home the on-call laptop since the dial-up modem was invented.
Back then, securing the information and the IT assets of a desk-based workforce required a pretty simple architecture - secure the network, the internet, the email gateway, the server and the workers' device.
Bonus points if you could achieve that with a minimal amount of different vendor's products.
Then along came the cloud. Our DMZ architecture world was rocked. Software-as-a-Service applications meant that the business expected to access data stored outside of the company firewall so they could work from free Wi-Fi at trendy cafes.
Today, work is no longer a place we go; it’s a thing we do. And sometimes we want to do it from our own phone, tablet or MacBook. Oh and by the way, everything still needs to be secure. Hmm.
Expectations of a modern workforce
Without blaming millennials, our society expects to access information fast and in a manner that’s convenient. That behaviour is seen in our customers and in our workers. Whether it’s a self-service portal to change your address, an account with your personal details for ordering from an app, or just the ability to check work emails on the train from your own phone, we’ve changed our definition of “remote access.”
To accommodate this, the business needs to make information easily accessible from outside of the corporate network.
Your mileage may vary, because there are some financial and government systems that will never be (or at least should never be) anywhere near the internet.
This requirement for mobility has changed the way we look at IT security. In the old days, we blocked USB drives on your work PC. Then, we blocked you from accessing file-sharing websites. Neither of those tactics work in 2018. However, some universal security concepts are still true. Hackers are going to hack. Phishers are going to phish. And grumpy employees are going to siphon information out of a business before you even know they are grumpy.
Risks of a mobile workforce
Workers see mobility as the freedom to work anyway, at any time. IT professionals picture that as people leaving their phone on the bus, along with corporate data. People are going to lose devices and if you can’t enforce that their phone at least has a PIN code, that’s the start of your risk. Amplify that if they can access information that has strict privacy regulations or is under a Non Disclosure Agreement.
While they’re at a trendy café, today’s modern worker takes advantage of the establishment’s free Wi-Fi. They are now very productive, whether working on a project or just in-between client meetings. Unless they’ve unknowingly connected to a fake network and are now the victims of a man-in-the-middle account. If you think that only happens in bad crime dramas (needing the cybers for the ratings), see how easy it is to buy a Wi-Fi Pineapple online and what you can do with it.
In a Software-as-a-Service (SaaS) world, the winner for Miss Popularity goes to the API. If you’re not automating things, you’re not doing it right. Connectors like Zapier, IFTTT and Microsoft Flow make it easy for the average user to read data out of one system and stick it into another … without the need to involve the IT department. What a winning concept for raising productivity when we’re working across a dozen different Software as a Service apps! What a nightmare for IT who has no idea what other apps now have access to the corporate data or who’s using them.
Checked out the company SaaS app’s terms of service to ensure your data is staying confined to your country? Great! Doesn’t help you when a connector is copying stuff somewhere else and you don’t even know, because a user set it up. Not to mention when that user becomes an ex-user of your app... but they still have access to their other apps. And you thought that auto-forwarding emails to a Gmail account was your worst data protection nightmare.
IT security tactics for the real world
So, what’s the IT department to do? If we point out the risks, we look like we’re just saying “no” again to get in the way of business progress. Performing a classic risk assessment and identifying the security risk, the likelihood of it happening and the impact if it does, is just half the story. The next step is to identify any possible control measures, then re-evaluate to see if they’ve reduced the risk. But then what - what, at a high-ish level, are your strategic and tactical options?
Mobile device management
We could just say “no” to allowing the use of any personal devices for accessing company information. If you are a Defence Force, this is a valid & reasonable strategy. If you are a growing business with a young workforce, some IT solutions may allow your staff to use their own phones and also let you sleep at night. Mobile device management offerings like Manage Engine and AirWatch work across iOS and Android, while others such as Jamf are for one platform only - iOS. Before any of that, however, you’ll need to get the workers to enrol their devices with your system of choice.
This is a slightly different beast to MDM. Some SaaS systems (especially Microsoft Office 365 and security product Microsoft Intune) can enforce that data is inaccessible unless the device meets certain criteria, without the need for device enrolment. This can range from requiring the device to have a PIN code, through to specifying which mobile apps are allowed to access the data (effectively preventing copying & pasting or API access).
External sharing controls
External sharing controls provide another means of protection – only regardless of the device used. If you can lock down the data at the source, you can prevent it from being shared outside of your organisation in the first place. This kind of protection is embedded in the file. Attach it to a personal email via your browser and you’ll find the recipient can’t open it, without a valid company account. Even Google’s G Suite lets you stop certain file names or types being emailed – it does this through an attachment compliance feature.
Data loss prevention
This goes one step deeper, into the contents of a file or an email. Microsoft makes this a selling point for its Enterprise level Office 365 licenses. Users can see a warning that sending that credit card number in their email may not be a good idea, or have it blocked completely by a DLP policy. G Suite enterprise provides this DLP feature. If you want data-loss prevention for G Suite business, you’ll need to look at a third-party package like CloudCodes.
Spotlight on shadow IT
One of Microsoft’s lesser-known security offerings is Office 365 Cloud App Security. It can analyse what apps had access your Office 365 data via API calls, via a central dashboard and without any end-user intervention. And if you really want to find out what your users are doing, it will analyse your network and present reports on what other SaaS apps are in use in your business. That’s more powerful that your firewall logs and handy for sniffing out browser-based unauthorised software.
Paging HR for reinforcement
Last but not least, check that your house is in order with some strong HR policies and procedures. While we like to think it natural for people to take care of a mobile phone, it’s better to express the need for care to be taken and the degree to which your organisation would be displeased at the prospect of a lost device with the addition of a “take care” clause in your employee handbook. Same goes for sensitive data and non-disclosure agreements. If you ever need to take action because of a data breach caused by an employee, it’s far simpler to fire them with the backing of a good, signed, human resources policy.
For every security threat around the cloud or mobile there exists one or more risk control measures. It’s just up to us in IT to know what’s possible and advise on what is practical.
Remember though that, ultimately, it falls to the business side of your operation or to managers to decide where they want to draw the lines. They may retreat into: “It’s too hard, no personal phones for you”, or: “It’s all too expensive, we’ll just wear the risk.” If that happens, at least you told them. ®