Data Breach: The Cloud Multiplier Effect
•Download as PPTX, PDF•
1 like•1,325 views
The Ponemon Institute issued a first-of-its-kind report sponsored by Netskope that identifies a “cloud multiplier effect” on the probability of a data breach. IT and security professionals believe that increasing the use of cloud services in the enterprise will increase the likelihood of a $20M data breach by as much as 3x. In these slides and the accompanying on-demand video, Dr. Larry Ponemon and Netskope CEO Sanjay Beri for a look at the report findings and for advice on how enterprises can mitigate this multiplier and enable safe cloud usage.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to Data Breach: The Cloud Multiplier Effect
Similar to Data Breach: The Cloud Multiplier Effect (20)
More from Netskope
More from Netskope (15)
Recently uploaded
Recently uploaded (20)
Data Breach: The Cloud Multiplier Effect
- 1. DATA BREACH: MULTIPLIER THE CLOUD EFFECT
- 2. These slides are part of an on-demand webinar. To watch the on-demand video with commentary, please visit: http://www.netskope.com/webinars/data-breach-cloud-multiplier-effect/
- 3. 3
- 4. Cloud App Explosion 4 Driven by individual and line of business adoption of cloud and mobile. 2011 2016 $21.2B $92.8B SaaSRevenue Forrester
- 5. 5 There are 5,000 enterprise apps today (and growing).
- 6. 6 But this means sleepless nights for IT But how bad is it?
- 7. 7
- 8. Of respondents don’t think IT is vetting cloud service security enough before deploying 8 69% * Includes “unsure” responses
- 9. Do you think your cloud service provider would notify you if they had a data breach? 9 72% of respondents said: “NO”
- 10. The invisible cloud is troubling to IT 10 The percentage of cloud services respondents think they know about22.5 = Netskope data shows it’s actually more like 10%
- 11. 11 Actual: 461 IT estimate: 40-50 85% cloud apps aren’t enterprise-ready Cloud procurement happens outside of IT App redundancy: • 41 HR • 27 storage • 27 finance Source: Netskope Data
- 12. The following are contributors to the cloud multiplier effect 12 Cloud app adoption Mobile and consumerization Ease and speed of data sharing
- 13. 13 Increase use and increase probability If your organization had 100 cloud apps and added 25 more in a 12-month period, you would increase your probability (and expected economic impact) of a data breach by 75%
- 14. We looked at 2 data breach types 14 Loss or theft of 100,000 customer records Theft of high-value information
- 15. Baseline cost of a data breach 15 $20.1M $11.8M
- 16. Survey respondents said… 11.8% 25.4% probability of this happening in current environment
- 17. The probability adjusted estimated economic impact 11.8% of $20.1 = $2.37M 25.4% of $11.8 = $2.99M
- 18. Effects of cloud on the probability of theft or loss of 100,000 or more customer records 18 Use of cloud services (SaaS) Backup and storage of sensitive and/or confidential information Increase use of cloud by 50% in 12 months
- 19. 19 Use of cloud services (SaaS) Backup and storage of sensitive and/or confidential information Increase use of cloud by 50% in 12 months Effects of cloud on the probability of theft of high-value information
- 20. 20 124% increase in probability of a data breach Increase BYOD access of cloud services
- 21. Invisible to IT 21 36% of business-critical apps are in the cloud. IT isn’t aware of nearly half of them. 30% of business information resides in the cloud. IT doesn't have visibility into more than one third of it.
- 22. 22 Love doesn’t have to be blind People love the cloud
- 23. 23 MEASURE: Discover the cloud apps running in your enterprise
- 24. 24 MEASURE: Discover the cloud apps running in your enterprise • 3rd party tools like Netskope can analyze firewall logs (and others) for this information • Resist the urge to immediately blacklist unsanctioned apps
- 25. 25 User Location Device Time Activity App Content Risk w/Whom ANALYZE: Understand the context of usage at a deeper level
- 26. 26 ACT: Take action based on risk, usage criticality
- 27. 27 ACT: Take action based on risk, usage criticality • Identify business-critical apps. Are they risky? • If alternatives exist, consolidate users to low-risk apps • If not, enforce usage and data policies to ensure protect data and ensure compliance • Monitor key apps for usage and data anomalies, alert on known risky behaviors, and perform periodic forensic analysis
- 28. ACT: Take action based on risk, usage criticality ANALYZE: Understand the context of app usage at a deeper level MEASURE: Discover the cloud apps running in your enterprise
- 29. Granular Context ONLY NETSKOPE Any App Any Device • Cover sanctioned or unsanctioned apps • API-level understanding • Cover web-based or native mobile apps • Covers remote access • User • Device, browser • App risk score • Time • Location • Content • DLP profile • Activity • With whom (sharing) In Real-time
- 30. 30 The real face of shadow IT is you and me. Ultimately, this is simply unmanaged risk.
- 31. Allow is the new block (allow is new block green light slide) 31 S M
Editor's Notes
- Cloud computing is one of the most dramatic workplace shifts we’ve seen in decades. When we think about cloud app growth, it’s often about individuals’ usage of apps like Box and Dropbox. The reality is every line of business is adopting cloud apps, whether for HR, finance, supply chain, or business intelligence. Mobile, the other major crossover we’re seeing – with mobile devices and access surpassing that of PCs in virtually every measure – has fueled this shift. Cloud is no longer a question – it’s the way we do business.
- There are nearly 5000 enterprise apps today. This is up from 3,000 6 months ago and we’re adding somewhere in the range of 100-150 of these apps per month on average. These are the most common apps and some apps you’ve never even heard of. I talk to customers who a year ago were trying to get their heads around deployments of apps we’ve all heard of like Evernote and HipChat… today these customers are calling me about apps like Trello and Seamless. These things aren’t just grow up in numbers, they’re growing out in category redundancy – we’ll talk about that in a minute. But why is this happening? How has it come to be? The answer is closer to you than you think. Reach into your pocket and pull out your phone. Take out that tablet. Grab 1 of the 3 devices we all carry around with us everyday… We love these devices and we love these apps!
- All of this is troubling to IT departments. When we talk to CIOs and CISOs there’s just a lot of uncertainty and anxiety about the quickly changing environment and pace of change. We’ve seen this before with other trends like mobile.
- We wanted to find out the effect this was having on the perceived vulnerability and how cloud might effect the estimated economic impact of a data breach. We asked the Ponemon Institute to conduct a study. They surveyed more than 600 IT and security professionals, all of whom had knowledge of their use of cloud services. 61% of whom report to the CIO
- However, for all of this cloud app goodness also comes tremendous cloud app sprawl. We at Netskope perform cloud assessments for our prospects and find that while IT usually estimates that they have about 40-50 apps running in their organizations (only a handful of which they manage), we discover about 400. Beyond the sheer volume of apps, the number of apps in business-critical or risky categories is surprising. In HR we find an average of 35 apps, and in finance/accounting, we find an average of 18. We also measure these apps’ enterprise-readiness, and find that more than three-quarters of them score a “medium” or below in our Cloud Confidence Index, which means they don’t meet enterprise standards for security, auditability, and business continuity. With the majority of cloud app procurement happening outside of IT, there is risk – risk of security events, data loss, and non-compliance. For IT, this creates a catch-22: Enable the cloud, but protect the business.
- IT considers the following to be contributors to the cloud multiplier effect Cloud app adoption Mobile and consumerization Ease and speed of data sharing
- According to survey respondents, if you increase use of cloud services, you increase the probability of a data breach. By 3.1x actually, depending on the scenario involved. So, for example, if you organization had 100 cloud apps and added 25 more in a 12-month period, you would increase your probability of a data breach by 75%
- We examined 2 types of data breaches Loss or theft of 100,000 or more customer records Theft of high-value information such as intellectual property In the study of data breaches over the years these are commonly used methods of examination
- Leveraging previously calculated amounts from actual data breaches we know that the baseline cost of a data breach is $20.1 million for the loss or theft of 100,000 or more customer records and $11.8 million for the theft of high-value information. This comes from the Ponemon Institute’s study of the Cost of a Data Breach conducted with IBM in May of 2014.
- This survey considered respondents answers and determined that their estimated baseline probability of a data breach of these two types was 11.8% and 25.4% respectively. This is, essentially, how they feel about their current environment, absent any changes. This is not “before cloud” and doesn’t consider how much they are, or are not, using the cloud today. It’s simply their “current state”.
- So, if you consider their estimated probability today you get a probability adjusted estimate of the economic impact. 11.8% times $20.1 million gets you to $2.37 million for the loss or theft of 100,000 or more customer records. 25.4% times $11.8 million gets you to $2.99 million for the theft of high-value information Of course IF a data breach of one of these types were to happen to them then the actual cost would be different, but this gives us a baseline from which to work.
- The baseline established previously is important for estimating the economic impact that comes from increasing use of cloud in the enterprise. For instance, if you increase the use of SaaS by 50% in a 12 month period, you increase the probability of the loss or theft of 100,000 or more customer records by 2.6 times. When you factor in the probability adjusted economic impact, the cost goes up from $2.37 million to $6.08 million.
- Similarly, the baseline established previously is important for estimating the economic impact that comes from increasing use of cloud in the enterprise. So, if you increase the use of cloud-based backup and storage for your sensitive or confidential information, you increase the probability of theft of high-value information by 1.6 times. When you factor in the probability adjusted economic impact, the cost goes up from $2.99 million to $4.93 million.
- Survey respondents indicate that IT is still skittish about BYOD and that increasing access of cloud apps from personally owned mobile devices increases the probability of a data breach by 124 percent
- Visibility into the use of cloud services is a big component of the challenges and why we think that the perceptions reflected in this study are resulting in the cloud multiplier effect. When business critical apps are in the cloud and IT can’t see half of them, this is naturally going to lead to uncertainty about security and the perception that cloud will lead to an increased probability of a data breach.
- Love doesn’t have to be blind. So, let’s start to talk about some solutions and how we find our way out of this morass. Here are a few things IT can do to get a better handle on things
- Step 1: Let’s rip off our blind folds. Seeing is believing and knowing definitively the number of cloud apps people are using in your enterprise is the first step.
- Your firewall alone isn’t going to be able to tell you this. You need a tool that’s tuned to see the 5000+ apps in existence that traverse your firewall or web gateway. And to be honest, that’s just the beginning. The portion of apps that will never touch a perimeter device is growing, so consider how you discover in real-time, beyond the network and in remote and mobile situations Once you discover, take a moment and resist the urge to blacklist apps. You’ll find that many of these apps are actually considered business critical today.
- Context is critical and you’d be surprised how deep an understanding you can get Understand App risk Who is using the service and where they’re using it from Understand the devices that are being used to access these apps Understand the content and if it’s sensitive or not Get to know the types of activities that people are conducting in these apps. In the case of sharing, understand who they are sharing with.
- Act: With all the information you’ve gathered, you can start to come up with a plan and start making decisions.
- When doing this, don’t think that you alone must assess every app. There are companies out there that will provide this information for you and some of them are leveraging the Cloud Controls Matrix from CSA. This matrix provides guidance for people in plain English and I think they’ve done a good job at capturing the criteria that should be used to evaluate cloud services. The usage/popularity of apps can really help guide your triage. If a particularly risky app is being used by 300 people, you need to be a lot more thoughtful about your next steps than if it’s 1 or 2 people. Unless of course that 1 person is the CEO… and then you’ve got another problem on your hands. :) And remember that Context Matters. The usage of an app can be risky and this is another pivot point you should consider in your triage. Coming at it from an activity point of view can be helpful. Saying “I want to look at sharing first, regardless of app risk”
- Here, in summary. I think it’s a good starting point and I hope you think so to. Because ultimately ….
- What makes Netskope unique? We developed our solution with three core assumptions in mind. The first is we assumed that IT wouldn’t always manage the app. Unlike other solutions that may provide analytics and policy enforcement for apps that IT manages, they don’t do those things for any app, including unmanaged ones. This is important because, for example, if you set a policy against the upload of ePHI to cloud storage, you want to enforce it across the board, not just for the apps you manage or even know about. Second, we assumed that users would be anywhere, on premises or on mobile devices. We architected the solution to support both on-premises and remote devices, PC and mobile, and web-based or native apps. So whether your user is accessing an app via the web at work or via the mobile version of that app via at Starbucks, you will have visibility and control over that usage. Third, we assumed that beyond gaining visibility, IT would want the option to assert some control over cloud usage. This prompted us to provide the ability to enforce policies across any app, in real-time. These three core assumptions are the basis for our philosophy and capabilities are unique to our solution and architecture.
- Here’s the real face of shadow IT. A lot of the time it’s not at all sinister. They’re people like you and me, getting their jobs done and trying to do a better job of that all the time. And for IT, let’s just face it. It’s just a risk that has gone unmanaged and for quite some time now. So let’s do something about it… But during that, let’s remember not to repeat the heavy-handed sins of the past instead, remember a simple mantra…
- Allow is the new block.