Is The Cloud Safe? Ensuring Security on the Cloud
October 25, 2018
Using ReadyTalk
• Chat to ask questions
• All lines are muted
• If you lose your Internet connection, reconnect using the link emailed to you.
• You can find upcoming and past webinars on the TechSoup website: www.techsoup.org/community/events-webinars
• You will receive an email with this presentation, recording, and links
• Tweet us @TechSoup and use hashtag #tswebinars
A Global Network Bridging Tech Solutions and Services for Good
Where are you on the map?
[Map legend: Countries Served; TechSoup Partner Location; NetSquared Local Group]
Acclivity
Adobe
Alpha Software
Atlas Business Solutions
Atomic Training
Amazon Web Services
Autodesk
Azavea
BetterWorld
Bitdefender
Blackbaud
Bloomerang
Box
Brocade
Bytes of Learning
Caspio
CauseVox
CDI Computer Dealers
Cisco
Citrix
CitySoft
CleverReach
ClickTime
Closerware
Comodo
Connect2Give
Dell
Dharma Merchant Services
Digital Wish
Dolby
DonorPerfect
DocuSign
Efficient Elements
FileMaker
GoDaddy
GrantStation
Guide By Cell
Headsets.com
Horizon DataSys
HR Solutions Partners
Huddle
Idealware
InFocus
Informz
InterConnection
Intuit
JourneyEd
Litmos
Little Green Light
Mailshell
Microsoft
Mobile Beacon
NetSuite
Nielsen
NonProfitEasy
O&O Software
Okta
Quickbooks Made Easy
Reading Eggs
ReadyTalk
Red Earth Software
Sage Software
Shopify
Simple Charity Registration
Skillsoft
Smart Business Savings
Society for Nonprofit Organizations
Sparrow Mobile
Symantec
Tableau
TechBridge
Tech Impact
Teespring
Telosa
Tint
Ultralingua
Western Digital
Zoner
Explore our Nonprofit Tech Marketplace
For more information, please visit www.techsoup.org/get-product-donations
“We are an all-volunteer organization with limited professional skills. Adobe's donated technology is helping us present our story to the public and to lenders in the format of a much larger organization. With Adobe, we are able to knock off a few of the "rough edges" so that our story is front and center instead of our technological limitations. Thank you, Adobe!”
- Richard de Koster, Constitution Island Association, Inc
The Symantec Security and Antivirus Donation Program for Nonprofits
For more information, please visit www.techsoup.org/symantec-catalog
Symantec Norton Products:
• Norton Security Deluxe 1-Year Subscription
• Norton Small Business 1-Year Subscription for 5 Devices
• Norton Small Business 1-Year Subscription for 10 Devices
• Norton Small Business 1-Year Subscription for 20 Devices
• Norton Utilities
Symantec Enterprise Products:
• Symantec Endpoint Protection Small Business Edition (Protection for 1 Endpoint)
• Symantec Endpoint Protection (Protection for 1 Endpoint)
• Symantec Mail Security 7.5 for Microsoft Exchange, Protection for 1 User
Symantec FY2018 Corporate Responsibility Overview
Participate in the 2018 Survey: https://www.surveymonkey.com/r/SymantecCR2018
Download the 2018 Symantec Corporate Social Responsibility Report: https://www.symantec.com/content/dam/symantec/docs/reports/2018-corporate-responsibility-report-en.pdf
“Symantec believes strongly in giving back to the communities where we live and work. We implement programs—both financial and hands-on—that improve people’s lives and communities, while enhancing our business. In growing our volunteer and philanthropy programs, we offer our employees opportunities to develop their leadership and collaboration skills. The impact can be measured in many ways.” - 2017 Corporate Social Responsibility Report
Presenters
Deena Thomchick, Senior Director of Cloud Security, Symantec
Sima Thakkar, Online Learning Producer, TechSoup
Assisting with chat: Zerreen Kazi, Marketing Associate, TechSoup
Is The Cloud Safe?
Ensuring Security on the Cloud
2018
Deena Thomchick, Sr. Director, Cloud Security
Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Cost effective
Remote access
Agility and speed
Better collaboration
Improved productivity
Cloud apps are becoming an essential part of business
Top 5 Risks to Cloud Adoption & Use
1. Unidentified and unmanaged cloud apps
2. Unclassified and unmanaged data
3. Risky Employees
4. Internal and external bad actors
5. Compromised cloud services
New Challenges
20% of Cloud Docs are Broadly Shared
Proliferation of Cloud Apps
Variety of Endpoints
Shadow Data Problem
Compromised Accounts
Security In The Cloud is a Shared Responsibility
“95% of cloud security failures will be the customer’s fault” - Gartner Predictions for 2016
Microsoft’s Policy
Microsoft will not take responsibility for your user behavior (or the security of your infrastructure).
(the fine print) ...That result from your unauthorized action or lack of action when required, or from your employees, agents, contractors, or vendors, or anyone gaining access to our network by means of your passwords or equipment, or otherwise resulting from your failure to follow appropriate security practices...
Box’s Policy
Box will not take responsibility for your user behavior or your content.
(the fine print) Box will not be liable for any loss or damage arising from any unauthorized use of your accounts…Box will have no liability of any kind as a result of the deletion of, correction of, destruction of, damage to, loss or failure to store or encrypt any Content...
Dropbox’s Policy
Dropbox will not take responsibility for your data or user behavior (or how you manage your service).
(the fine print) ...in no event will Dropbox be liable for any damages...for any loss of use, data, business or profits…Dropbox’s responsibilities do not extend to the internal management or administration of the Services..
Amazon’s Policy
Amazon will not take responsibility for your data or user behavior (or how you manage your service).
(the fine print) While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter…
Google’s Policy
Google will not take responsibility for malicious use of your company’s user accounts (or security of your infrastructure or users).
(the fine print) Customer will use its reasonable endeavors to prevent unauthorized use of the Services, and to terminate any unauthorized use. Customer will promptly notify Google of any unauthorized use of, or access to, the Services of which it becomes aware.
DocuSign’s Policy
DocuSign will not take responsibility for your content (or security of your infrastructure or users).
(the fine print) …you are responsible for all use of DocuSign Signature associated with your Account;… you are solely responsible for maintaining the confidentiality of your Account names and password(s) ..Subscriber will indemnify us from claims related to the nature and content of all materials, data,…of any nature submitted by subscriber or its authorized users.
Risk #1
Unknown cloud apps
What is Shadow IT?
In the context of the cloud, Shadow IT refers to the adoption and use of SaaS apps by employees without oversight or consideration of security requirements.
Knowing what cloud apps you are using is a key first step for cloud security and compliance.
Top Used Apps — 2017
While enterprise and consumer apps differ greatly in their functionality and their adherence to security best practices and relevant compliance regimes, the practical distinction is becoming less relevant as consumer apps are increasingly adopted for business use.
[Figure: Top Used Apps — 2017, ranked 1 to 5 in three columns: Collaboration / File Sharing, Business Enablement, Consumer]
What is a Cloud App?
A cloud app is a software program where cloud-based and local components work together. Remote servers perform processing on data and input from the user. Cloud apps are accessed through a web browser or a local or mobile app.
Email & Messaging
File Sharing
Database
Office apps
Social media
File format conversion
Content analysis
Backups & data storage
Project management
…and lots more
Shadow IT Perception
“My organization only uses a few cloud apps.”
Every organization thinks they are using far fewer cloud apps than what is really being used. By a lot…
10x more? 20x more? 30x more? ….even more?
Shadow IT Reality
Average # Cloud Apps Per Enterprise Organization
• 1H 2015: 774
• 2H 2015: 812
• 1H 2016: 841
• 2H 2016: 928
• 1H 2017: 1,232
Counts as high as 6,000 apps have been discovered with Shadow IT Risk Assessments
Shadow IT — What to do
Identify Shadow IT use of cloud apps – evaluate the risk
• Talk to your users – not just once, make this a regular conversation
• Educate users on cloud apps & how to avoid exposing the organization to the risks that come from using cloud apps
• Use technology to track use of cloud if that is available to you (Cloud Access/App Security (CASB), Secure Web Gateway, Firewall)
Make Smart Cloud App Choices – consider regulatory compliance
• Select only apps that meet key security requirements
• Bare minimum: They must use HTTPS (aka SSL)
• Always require strong passwords
• Use multi-factor authentication for logins (top tier apps should offer this capability built in)
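
One way to carry out the "use technology to track use of cloud" step when all you have is a log export from a proxy, secure web gateway or firewall. This is an added example, not part of the webinar; the log format, the sanctioned-app list and the sample lines are constructed assumptions.

```python
"""Shadow IT discovery from web proxy logs (added example, constructed data)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical allow-list: apps the organization has reviewed and approved.
SANCTIONED = {"box.com", "docusign.net", "office365.com"}

# Constructed sample lines in an assumed export format:
#   <ISO time> <user> <method> <url> <status> <bytes uploaded>
SAMPLE_LOG = """\
2018-10-25T09:01:12Z alice POST https://upload.box.com/api/files 201 482113
2018-10-25T09:03:40Z bob POST https://files.example-share.test/upload 200 9120044
2018-10-25T09:04:02Z carol GET http://pdf-convert.example.test/convert 200 0
2018-10-25T09:04:09Z carol POST http://pdf-convert.example.test/convert 200 2210400
2018-10-25T09:10:55Z bob POST https://files.example-share.test/upload 200 1048576
2018-10-25T09:12:31Z dave POST https://files.example-share.test/upload 200 77000
2018-10-25T09:15:00Z alice GET https://na2.docusign.net/signing 200 0
this line is malformed and must be skipped
"""


@dataclass
class AppUsage:
    domain: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0
    plaintext_http: bool = False  # True if any request was not HTTPS


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' grouping; production tooling should use the
    Public Suffix List so that names under e.g. co.uk group correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (user, scheme, host, bytes_uploaded) or None if unparseable."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, user, _method, url, _status, sent = parts
    try:
        split = urlsplit(url)
    except ValueError:
        return None
    if split.scheme not in ("http", "https") or not split.hostname:
        return None
    if not sent.isdigit():
        return None
    return user, split.scheme, split.hostname, int(sent)


def discover_shadow_it(log_text: str, sanctioned=SANCTIONED):
    """Aggregate traffic to apps that are not on the sanctioned list.

    Returns (apps ranked by distinct users then upload volume, skipped lines).
    """
    apps = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count bad lines instead of silently losing them
            continue
        user, scheme, host, sent = rec
        domain = registrable_domain(host)
        if domain in sanctioned:
            continue
        usage = apps.setdefault(domain, AppUsage(domain))
        usage.users.add(user)
        usage.requests += 1
        usage.bytes_uploaded += sent
        usage.plaintext_http |= scheme == "http"
    ranked = sorted(apps.values(),
                    key=lambda a: (-len(a.users), -a.bytes_uploaded))
    return ranked, skipped


def report(ranked):
    """One line per unsanctioned app, flagging any that miss the HTTPS minimum."""
    lines = []
    for app in ranked:
        flag = "FAILS HTTPS minimum" if app.plaintext_http else "HTTPS only"
        lines.append(f"{app.domain}: {len(app.users)} users, "
                     f"{app.requests} requests, "
                     f"{app.bytes_uploaded} bytes uploaded, {flag}")
    return lines


if __name__ == "__main__":
    ranked, skipped = discover_shadow_it(SAMPLE_LOG)
    print("\n".join(report(ranked)))
    print(f"skipped {skipped} malformed line(s)")
```

The ranked list is a starting point for the user conversations the slide recommends: the apps with the most users and the largest uploads are the ones to review first.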
Risk #2
Confidential data
What is Shadow Data?
All unmanaged content that users are uploading, storing, and sharing in cloud apps.
Confidential data & government regulated data is data that should always be kept private. This includes financial data, legal documents, HR files, client/partner/donor contact information, etc.
Some confidential data is regulated by law, including: personally identifiable information (PII, GDPR), personal healthcare information (PHI), and payment card information (PCI).
Percentage of government regulated data in cloud apps that is exposed, by type:
[Figure: chart not captured]
Email Threats
Symantec found that 29% of emails and attachments are broadly shared and at risk of leakage, with 9% of these emails containing compliance related data, distributed as follows:
[Figure: chart not captured]
Avoid easy file sharing mistakes
Alice shares a file with Bob
Bob shares that file with others
Or shares via other apps
Bob: No account could be found for billy@gmail.com would you like to share this file as a link? [Yes] [No]
Sound Familiar?
Shadow Data — What to do
Educate your users
• What is confidential data?
• What actions create data exposure?
Label your data, use in-app features
• Clearly label files that contain confidential data – use watermarks, file naming conventions, etc.
• Use the data protection capabilities that come with the apps you use
Automate data protection with technology if you can
• Use cloud app security (CASB)
• Use Data Loss Protection (DLP)
[Illustration: john.smith@yourco.com and john.smith@gmail.com]
Risk #3
High Risk Employees
High Risk Employee
• Uses spouse’s name and bday for password
• Uses same password on all his accounts
• Keeps username and password on a sticky note hanging from monitor
• Uses four different personal file sharing accounts to transfer work files home for the weekend
• Rarely locks his screen
• Always joins unsecured public wifi without using a VPN, etc.
Risky User — What to do
• Educate your users. What is risky? Remind them regularly.
• Use technology to prevent data exposures and control access, sharing, or other actions
Risk #4
Bad actors
Hackers & Malware
Malicious Activity
• Session Hijacking: Malware agents (or bots) on end-user systems can hijack cloud app sessions.
• Malicious Insiders: A disgruntled employee may abuse company assets.
• Account Takeover: User credentials may become compromised through phishing attacks or similar techniques.
• Malware & APTs: Malware can use cloud accounts to spread throughout an organization.
• Ransomware & Crimeware: Ransomware & Crimeware can target cloud accounts full of rich data to hijack.
• Botnets / Trojans / …: Attacks can use cloud accounts to exfiltrate data.
Threats to Data & Infrastructure
Threats to User Accounts & Activity
Risky Behavior
Risky behavior seen in cloud accounts:
• 71% indicates attempts to exfiltrate data
• 17% indicates attempts of brute force attack
• 6% indicates attempts to destroy data
• 6% indicates attempts to hack into user cloud accounts
Bad Actors — What to do
• Protect your endpoints against malware
• Use strong passwords
• Activate multi-factor authentication
• Use technology to automate threat protection in your cloud accounts
Risk #5
Compromised cloud services
You see articles in the news every day about cloud apps with data breaches
Exploits by App Type
[Figure: chart not captured]
Compromised Cloud Apps — What to do
• Watch the news for cloud app breaches
• Watch your email for breach notifications
• Change all your passwords for that app
• Assess whether your data was exposed
• Notify your clients and required regulatory bodies if regulated data was exposed
• Consider whether you still want to use that app
Cost effective
Remote access
Agility and speed
Better collaboration
Improved productivity
Cloud apps are great
You can safely use them
Educate your users & remind them regularly
Use strong passwords & multifactor authentication
Label & be careful with confidential data
Watch for news of breached apps
Use the security functionality that comes with cloud apps
Secure all your endpoints
Use a CASB for cloud app security
Thank you
Share and Learn
• Chat in one thing that you learned in today’s webinar.
• Please complete our post-event survey. Your feedback really helps.
• Follow TechSoup on social media (FB, Instagram, Twitter)
• Visit the TechSoup Blog at blog.techsoup.org
Join us for our upcoming webinars.
• 10/29: How to Convert Community Stakeholders to Impact Investors
• 10/30: What Open Source Is and How Your Nonprofit Can Benefit
• 11/01: Maximize Your Giving Tuesday Fundraising and Engagement
• 11/13: Intro to Building PDF Forms
Archived Webinars: www.techsoup.org/community-events
Thank you to our webinar sponsor!
Please complete the post-event survey that will pop up once you close this window.
