FEATURE

omnipresent. This has led to a greater desire in larger organisations to have an identity governance strategy that not only embraces the PAM solution, but consolidates it with employees’ other privilege, access and asset information. This will allow the business to execute risk assessments across the entirety of the business with all avenues of threat in scope.

Successful PAM programmes are a combination of the right technology, internal policies and people all working concurrently to achieve governance. While choosing the right technology is important, because it can provide a single source of truth applied to everything and everyone, when PAM is applied as a pure technology exercise, then the root issues do not get resolved. Instead, they continue to mount. Therefore, every PAM project needs to be undertaken with an eye towards governance.
Conclusion

When embarking on a PAM programme, you need to focus on business needs rather than technology features and build in a trusting and verifiable approach combined with different layers of PAM security that are seamlessly integrated and interacting with one another – either from one source or the minimum number of sources. In order to get the most from their investments, financial and otherwise, organisations should try to visualise the entire picture, instead of operating with a ‘project in a box’ mentality. And this should all be done with a view towards governance. Once the project is scoped correctly with these baseline considerations, it will make the process infinitely more effective, ultimately reducing risk and hardening the organisation against attacks stemming from poorly managed privileged accounts.

About the author

Paul Walker is EMEA technical director for One Identity. He has specialised in the field of identity and access management (IAM) for over 20 years. After graduating with a BSc in computer science in 1995 he worked solely in the world of software security, focusing on IAM since 2001. Walker has held global consulting, sales and product management positions after being acquired into the IAM practice at Sun Microsystems and later Oracle and Quest Software.
Reference 1. ‘Assessment of Identity and Access Management’. One Identity. Accessed Aug 2019. www.oneidentity.com/whitepaper/globalsurvey-exec-summary-key-findings8134482/.
Cloud security: how to protect critical data and stay productive
Charlene Bunting
Charlene Bunting, Datto

It is essential that business data is protected wherever it resides. When it comes to Google G Suite and Office 365, it is a complete minefield as to how much proprietary information about a company is contained across all employee inboxes. Microsoft Exchange is likely the biggest source of all that valuable information and is, unfortunately, highly susceptible to security vulnerabilities.

Software as a service (SaaS) applications are popular because they are easy to use and highly scalable. They provide a standardised user experience on the same applications, such as Word or Excel, and are relatively inexpensive. However, SaaS applications do not deploy and manage themselves. Additionally, SaaS applications require data protection to protect the business and maintain compliance, just like any other mission-critical application.

Cloud security is constantly evolving and the responsibilities for this are constantly shifting. As a result, a perfect, all-in-one solution is always out of reach.

Hackers follow the money. Office 365 is the fastest-growing SaaS application, with more than 155 million users as of 2018. We’re already seeing cyber attacks target Office 365 directly – 24% of European MSPs have seen ransomware in SaaS applications. Of that number, 49% report attacks on Office 365 and 16% attacks on Google G Suite.

The response to a security lapse, such as a ransomware attack, always lies with a backup. In the event that data comes under attack, it is critical for the user to be able to recover it regardless of the scenario. In fact, the Microsoft service level agreement (SLA) suggests that users should regularly back up their content and data themselves.

Network Security
The right solution

A company must decide whether it will use a SaaS provider’s native tools (if they exist) or opt for a third-party back-up product. The biggest limitation of native tools is that they do not create a secondary copy of a company’s data independent of their SaaS provider – so there is a single point of failure. Some native tools might seem suitable to use for back-up, but have serious limitations when it comes to restores.
September 2019
For example, Office 365 apps such as Microsoft Exchange or OneDrive allow up to 30 and 93 days respectively to recover deleted user data, which admins may take to mean that data is backed up and easily restorable. But recovering data from Microsoft is often a cumbersome process and, past the retention period, a company’s data is purged. Google Vault cautions against the potential “irreversible purging of data from user accounts” associated with its own retention tools.

Businesses must leverage multiple solutions to prepare for the worst. Today’s standard security solutions are no match for today’s ransomware, which can penetrate organisations in multiple ways. Reducing the risk of infections requires a multi-layered approach.

When evaluating a third-party cloud data protection solution, here is what to look for:

• Ease of use and granularity of restore: It is important to evaluate how quickly users can navigate to the item or collection of items they need to recover that may have been lost. In addition, does the solution restore objects and folders in a ‘non-destructive’ way? It’s essential that the backup vendor provides protection from any potential for data overwrites.
• Turnkey setup: Once the decision has been made to secure data, it is essential that the onboarding process is seamless and timely. The initial back-up will be the most comprehensive and takes time depending on the size of a company’s environment.
• Set it and forget it management: Day-to-day management of the product should be absolutely minimal. Dig into the level of automation inherent in the product. For example, find a solution that goes on protecting mission-critical data without needing any manual intervention.

One final note: make sure that security is not being sacrificed for convenience. Granting impersonation rights to Office 365 may give more access to objects in the environment, but at the cost of vital security controls.
Cloud protection solution

An effective cloud protection solution should have a number of key characteristics.

Meet regulatory compliance guidelines: Most compliance regulations require data retention for a specific period – a cloud protection solution can help ensure that data is always recoverable regardless of the situation. Many compliance regulations require companies to make the best efforts to protect data, and having a back-up in place is an essential part of meeting that requirement.

Cost savings: A back-up tool allows a company to hold onto employee data for a lower cost than maintaining a Microsoft licence.

Easy user lifecycle management: This translates to significant time-saving for techs. An added bonus to data protection is that data can be moved from user to user in a granular way, and it allows for passing on only the information necessary.

Access to content during outages: This is a rare use case, but having the ability to access content in OneDrive or key information in an email should Microsoft’s systems go down is a powerful failsafe.

An example of a company using cloud back-up to its advantage is Gett, a ridesharing app company with drivers in more than 120 cities. When the company began storing data in the cloud, it chose to protect it with a cloud data protection solution to ensure it was safe from unexpected data loss. It has become an important tool for business continuity. When ransomware hit the company’s Google G Suite stack and synced to its cloud, it was instantly locked out of important G Suite data. But because it had a cloud back-up tool, the firm was able to get back up and running within minutes. Cloud-to-cloud back-up has also been the ‘undo button’ that recovered critical data when important files were inadvertently deleted. It has saved the company thousands in licence fees. With the ability to deprovision licences it does not lose the data on a monthly basis, and is able to easily provide it to whomever needs it.
Business continuity

For data that lives in the cloud, a cloud-to-cloud back-up solution is critical to business continuity. There is no sure-fire way of preventing hacking, but businesses can focus on how to maintain operations despite a breach. One way to do this is a solid, fast and reliable business continuity and disaster recovery solution.

The most reliable back-up solutions should provide multiple, daily point-in-time back-ups for a snapshot of information at multiple times throughout the day. The efficiency of back-up is another important consideration, as how quickly data can be restored can mean the difference between a crisis and a crisis averted. Choosing a solution that is backed by industry expertise and provides access to a superior customer support team is also critical because when data is compromised, a helping hand provides peace of mind.

Above all, it is important to plan for data restoration. The more detailed the plan is, the less time it will take to get back in business should an emergency occur.
About the author

Charlene Bunting is director of software engineering at Datto and leads the company’s SaaS protection teams. She graduated from Northeastern University.