Cloud insecurity is not always from malicious intent

Tom Trottier, Netskope

23-June-2015

Data loss comes from lack of user education and IT unwillingness to adapt.

Way back when, many IT administrators banned the use of cell phones in the enterprise. Then they relented, allowing only BlackBerries, for security. Users ignored them. Users will always find ways around security. And for the past few years we’ve had BYOD.

We’ve witnessed the same thing with cloud. Users love the cloud. At first many IT admins said cloud apps are not allowed. Users are winning this one too.

“Not allowing cloud apps — I find that draconian,” said Tom Trottier, Canadian Country Manager of Netskope. “If a user can get them on their phone, then they’re usable. I think there are going to be some changes. It comes down to late adopters. Just like phones, users will force IT departments to deal with cloud apps. They absolutely will.”

From the other side, customers and business partners are going to push for cloud apps as well: Dropbox or whatever, for when you can’t use traditional file attachments. In the same way that you can only contact some people you know via social media, other users are driving adoption as well.

“You need more context, which is why what we’ve cooked up makes sense,” Trottier said. “We didn’t take technology and shove it into the cloud. We’re trying to get more surgical, as opposed to using a sledgehammer.”

Many years ago when someone told Trottier, “One day everyone is going to have a router in their house,” he thought it was ridiculous. Yet it has come to pass. IT infrastructure became commoditized.

And now this cloud thing is not going away. When giant corporations move to Google Apps it’s apparent that IT has become a partner in the business. IT has to go to the next level – advisory.

“The security guys who were doing the heavy lifting and ugly stuff to keep the bad guys out, will have to become enablers of business,” he said. “It’s a bit of a mind shift that senior people will have to go through and then it’ll work its way down.”

CIOs come to Netskope to a) understand who their users are… b) discover what their users are doing… and c) take it to the next level by coming up with an architecture that lets IT control policy.

“Don’t just shut down users, because they’ll find more dangerous, unsanctioned ways to do what they want,” said Trottier. “Rather than saying no, let’s encrypt that information to guard against unintentional as well as intentional breaches.”

There are different ways to do that.

“I can take your logs for information, and set them up in real time. But if you want me to do something about it, I have to get in the middle between the app and the user.” 

One way is a reverse proxy, which steers the traffic through Netskope; you can do this for sanctioned apps. There’s a forward proxy too. Which one is used depends on the situation; either way, the traffic goes via a proxy in the cloud.

“If I send you a file from my phone to yours I’m going through the cloud and bypassing the security perimeter. So we use an agent to protect that.”

Financial institutions and government agencies want their logs retained within the walls of their own data centers. There’s a Netskope appliance for that. 

“Introspection uses API calls for sanctioned apps across a connection from our Netskope cloud to your Office 365 or a Box or Google Drive, to find who’s using, what’s being shared, and run all of the DLP scans on the actual content,” said Trottier. “Now you can use these services, while maintaining control over your data.”

You can quarantine files or put them on legal hold until they are approved for sharing, or encrypt them prior to sharing.

“Now you can budget for securing the cloud and strap it onto a service, because we can semi-automate the process of sanctioning apps,” Trottier said. “If you’re concerned with compliance or want to protect IP. It forces you to start thinking about cloud policy.”

Of course if you don’t go through discovery then you have plausible deniability of any negligence. Some CIOs don’t want to audit until the Board of Directors comes in and asks what is happening.