Cloud security breaches dominated security headlines in 2018, and misconfiguration of AWS S3 storage buckets continues despite new administrative features. While these breaches do serious damage, they generally involve older data sets parked in the cloud for retention. The March 2019 discovery of leaking Box enterprise accounts was different: it exposed data in active use by the business, data that is relevant today to dozens of companies.
All of this makes the shared responsibility model for cloud security, in which the provider secures the infrastructure and the customer remains responsible for the data it puts there, even more relevant. When assessing cloud risk, it is tempting to begin with what is known about large, centrally stored datasets; however, it is the data moving through everyday business flows that is the harder thing to secure without hurting user experience or operational capacity.
Unlike applications such as SAP or PeopleSoft, which IT manages centrally, file sharing and collaboration services like Box are brought into an organization by the employees themselves, who are continually looking for ways to improve their own productivity. These "shadow IT" services are pervasive, often set up as an afterthought to bypass other restrictions or to exchange information down through a supply chain.
It is no surprise that enterprises have already deployed, or are considering, a cloud access security broker (CASB) like McAfee MVISION Cloud. After years of experience with hundreds of companies, McAfee has distilled its practices into a cloud maturity model that outlines the progression from ad hoc, reactionary practices to governance-based practices that can respond dynamically to changing business needs.
After acknowledging the risks, companies implement basic, repeatable policies such as a whitelist of approved services. The next step is more sophisticated policies to prevent data loss, and this is where companies often fumble. Block, delete and quarantine are the three remediation actions most CASB administrators rely on, but each introduces friction:
- Blocking an action frustrates users, who will get creative in finding workarounds, often introducing yet another service into the already unmanageable problem of cloud sprawl
- Deleting a file that was moved to a file sharing service often results in data loss, the very thing these policies exist to prevent
- Quarantining a file ties the company's speed of doing business to how long the security operations team takes to review every incident opened
These legacy DLP remediation options interfere with the reason SaaS services were adopted in the first place: easy, intuitive access to data. All three change how users must conduct business, and quarantine also adds an IT operational burden, since every DLP event needs manual review before the file is released; the resulting process delays compound the impact on the business.
Thankfully, Ionic offers a fourth alternative:
- Encrypting a sensitive file as it leaves your perimeter, which lets users conduct business naturally, without data loss or operational overhead: the file still goes where the user sent it, but it is unreadable to the service and to anyone else who does not hold the key
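As an added illustration, not code from Ionic, Machina or McAfee, the Go program below runs one file that trips a toy DLP rule through all four remediation paths and reports what the user, the SOC analyst and the cloud service end up with. The card-number regex, the file name, the sample invoice text and the outcome fields are assumptions chosen for the example; encryption is AES-256-GCM from Go's standard library with the file name bound as associated data, and issuing the key to authorized recipients (the part a product like Machina handles) is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Remediation actions a CASB DLP policy can apply to a matching file.
const (
	Allow      = "allow"
	Block      = "block"
	Delete     = "delete"
	Quarantine = "quarantine"
	Encrypt    = "encrypt"
)

// Toy DLP rule (an assumption, not a real CASB classifier): any 13-16 digit run is
// treated as a payment card number; a real rule would add Luhn and context checks.
var cardPattern = regexp.MustCompile(`\b\d{13,16}\b`)

// IsSensitive reports whether the content trips the DLP rule.
func IsSensitive(content []byte) bool { return cardPattern.Match(content) }

// Outcome records what the user, the SOC and the SaaS provider end up with.
type Outcome struct {
	Action       string
	UserHasFile  bool   // can the user complete the share without waiting on anyone?
	NeedsAnalyst bool   // must a SOC analyst act before business continues?
	Payload      []byte // bytes that actually leave the perimeter (nil if none)
}

// Remediate applies the policy's action to a file. Only Encrypt lets the file
// leave while keeping it unreadable to the provider and to anyone without the key.
func Remediate(policy, name string, content, key []byte) (Outcome, error) {
	if !IsSensitive(content) {
		return Outcome{Action: Allow, UserHasFile: true, Payload: content}, nil
	}
	switch policy {
	case Block, Delete: // nothing leaves; Delete also destroys the user's copy
		return Outcome{Action: policy}, nil
	case Quarantine:
		return Outcome{Action: Quarantine, NeedsAnalyst: true}, nil
	case Encrypt:
		ct, err := Seal(key, []byte(name), content)
		if err != nil {
			return Outcome{}, err
		}
		return Outcome{Action: Encrypt, UserHasFile: true, Payload: ct}, nil
	}
	return Outcome{}, errors.New("unknown policy: " + policy)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM, binding the file name as associated data so a
// ciphertext cannot be silently re-labelled as another document. Output: nonce || ct.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal for a key holder; a wrong key, a renamed file or a tampered
// ciphertext fails the GCM authentication check instead of returning garbage.
func Open(key, aad, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // in practice issued by the key service, never stored with the file
	rand.Read(key)
	doc := []byte("Invoice: card 4111111111111111 on file, net 30") // constructed sample
	for _, p := range []string{Block, Delete, Quarantine, Encrypt} {
		out, _ := Remediate(p, "invoice.txt", doc, key)
		fmt.Printf("%-10s user keeps file=%-5v analyst needed=%-5v bytes leaving=%d\n",
			out.Action, out.UserHasFile, out.NeedsAnalyst, len(out.Payload))
	}
}
```

Run it with `go run`: for each action the loop prints whether the user keeps a usable file, whether an analyst has to act, and how many bytes leave the perimeter. Only the encrypt row shows a file that still leaves and still needs nobody in the loop, which is the point of the fourth option. Because the file name is authenticated data, a ciphertext renamed to another document fails to open, and a flipped byte fails the tag check rather than decrypting to garbage.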
Encryption is an established best practice for protecting data, and because Machina is natively integrated into McAfee MVISION Cloud, administrators can add continuous, pervasive data protection as a DLP remediation in just a few clicks. This directly addresses the impact on business users and on IT operations that legacy DLP remediation tactics impose.
Protecting data in the cloud is your responsibility. Don't let the pervasiveness of shadow IT stop you from addressing the data your employees use today, and don't stall your CASB journey by removing the very ease of use that a service like Box provides. Jumpstart your cloud security maturity with Machina Tools for McAfee MVISION Cloud.