Old world risk practice stays true for cloud

Using the cloud to improve business agility is de rigueur but how can IT become more agile without sacrificing the information assurance holy trinity of confidentiality, integrity and availability?

My answer to this perceived quandary is based on the oldest risk management principle of all – ‘don’t keep all your eggs in one basket’, or more precisely, having two cloud vendors is better than having just one.

This question seems to have been at the root of a recent V3 Agile Business Roundtable.

Moving large workloads and services to the cloud is a major part of most agile business strategies but participants across a wide range of industries shared concerns about the security, reliability and adoption path to cloud computing. BSkyB enterprise architect Trevor Hackett also made the point that “When using a cloud service provider you have a vested interest in the company as if they go bust you face disaster.”

Before trusting sensitive assets to a cloud service provider, decision makers within an organization need a sound basis on which to evaluate the merits of a service offering. This should include an assessment of each Cloud Service Provider’s (CSP’s) service level agreement (SLA) terms, operational framework, architectural model, organizational history, stature within the industry, and the assurances granted to customers.

As we have said many times before, reputable cloud service providers will be only too happy to help you understand how they serve and protect you and your data, and the importance of your own due diligence prior to purchase.

Office 365 adoption is a great example of the opportunity to improve agility and reduce cost of ownership with cloud services. But often CIOs don’t want to run the risk of critical business systems like core email services being outside of their immediate control. Email users have zero tolerance for downtime, and demand that their connectivity be restored as quickly and painlessly as possible.

With on-premises Exchange, IT managers have choices about how they deal with planned or unplanned outages, and often put in place full disaster recovery and high availability solutions on-site. But with Office 365 that option no longer exists, and for many organizations, the fact that Office 365 is a single point of failure for such a mission critical service is a major concern, and a common roadblock for cloud migration.

But moving to the cloud doesn’t mean you should do away with a multi-vendor, multilayered security strategy. A blended-cloud approach allows businesses to distribute important data between multiple vendors. It is a truism that all clouds have outages, and we must accept that fact; this strategy offers recovery options and alternative ways to continue communicating if the primary cloud provider is not available. This exercise in risk management also supports smarter procurement by reducing the possibility of vendor lock-in. In short, you would be replicating the multi-point business continuity strategy you’ve built on the LAN, but in the cloud – a concept often overlooked during a cloud migration.

So in the end, a pragmatic approach to risk management on-premises and in the cloud will allow businesses to avoid the greatest risk of all – inaction and stagnation in increasingly agile business practices.


Information on the POODLE vulnerability

Mimecast is aware of, and acting on, the Poodle vulnerability affecting SSL version 3.0 (SSLv3). While SSLv3 is over 18 years old, support for it still remains very widespread. The Poodle attack is a client-side attack (targeting the browser rather than the web server) that uses the “insecure fallback” behavior of browsers to negotiate the encryption down to SSLv3. The most effective way to prevent the Poodle attack is to disable SSLv3 support on the server side, so that a client cannot negotiate down to SSLv3. More information on Poodle can be found here on Google’s security blog.

Mimecast’s web services do currently support SSLv3, in order to offer maximum compatibility with customer systems, and this unfortunately makes our services potentially vulnerable to Poodle.

While we are working on disabling SSLv3 support on our public services, and expect to complete this soon, customers can immediately act against this vulnerability by disabling SSLv3 support in the browsers in use in their organizations.

This is highly recommended for employees who have Mimecast Administrator accounts on the Mimecast platform. You can find information on how to do this for the most common browsers on the vendors’ blogs, or you might find this article helpful.

The Mimecast Security and Development Teams have prioritized the outstanding work required to eliminate SSLv3 support on all of our web applications and expect this to be completed in the short term.
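As an added illustration (not Mimecast’s code), the check below parses an SSL/TLS handshake record as captured at the server and flags a hello that offers or selects SSLv3, which is exactly what a server with SSLv3 disabled should refuse. The sample records are constructed in the script; TLS_FALLBACK_SCSV (RFC 7507), the signal a client sends when it is retrying after a downgrade, is reported as well.

```python
import struct

HANDSHAKE = 22                     # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types
TLS_FALLBACK_SCSV = 0x5600         # RFC 7507 signalling suite: "this is a downgraded retry"
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_hello(record: bytes) -> dict:
    """Parse a ClientHello/ServerHello record: report the version, flag SSLv3, and
    (ClientHello only) whether TLS_FALLBACK_SCSV was sent, i.e. the client is retrying."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 6:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or len(hs) != hs_len:
        raise ValueError("not a ClientHello/ServerHello")
    version = (hs[0], hs[1])                 # version offered (client) or chosen (server)
    out = {"message": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
           "version": VERSIONS.get(version, "unknown %d.%d" % version),
           "sslv3": version == (3, 0), "fallback_scsv": False}
    if hs_type == CLIENT_HELLO:
        pos = 2 + 32                         # skip version and 32-byte random
        pos += 1 + hs[pos]                   # skip session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        suites = struct.unpack("!%dH" % (cs_len // 2), hs[pos + 2:pos + 2 + cs_len])
        out["fallback_scsv"] = TLS_FALLBACK_SCSV in suites
    return out


def build_client_hello(version: tuple, suites: list) -> bytes:
    """Constructed sample ClientHello (not a real capture) for exercising the parser."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00"                               # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    normal = build_client_hello((3, 3), [0xC02F, 0x002F])           # ordinary TLS 1.2 offer
    retry = build_client_hello((3, 0), [0x000A, TLS_FALLBACK_SCSV])  # browser retrying at SSLv3
    for rec in (normal, retry):
        r = parse_hello(rec)
        print(r, "<- refuse: SSLv3" if r["sslv3"] else "<- ok")
```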


Can Services Like Dropbox Make the Enterprise Grade On Security?

Consumer file sharing services in the cloud like Dropbox are popular but they do raise security concerns if they are used at work.

Yesterday’s media storm about the apparent leak of Dropbox customer credentials highlights two things. Firstly that everyone should use different passwords for their services to prevent a hack on one leading to a problem on another. Secondly, that organizations (and individuals for that matter) need to think carefully before putting their data on these public cloud services. And remember, Dropbox is not alone in having issues like this.

Cloud sharing services are being widely used for a simple reason – people want and need to send each other large files. Limits on file sizes that can be sent over their corporate email service mean they have to turn to sharing services that are often outside the organization’s safety net. This makes them a significant security, compliance and e-discovery concern that has to be addressed. For many organizations the risk of confidential information leaking out onto ungoverned consumer file sharing services like this is intolerable.

But it doesn’t have to be this way. You should be able to turn to the cloud to tackle the problem. You should be able to send large files within email and obey data protection procedures in place in the organization. However this does mean a rethink. What is needed is a secure service that can match the employees’ need for flexibility and function, with the IT team’s desire for control, security and visibility without placing a strain on email infrastructure.

Selecting the Right File Sharing Service

Security is, and should be, a key consideration in selecting any new service. Data privacy features can start with role-based access control and encryption for files in transit and at rest, but can differ between services. Integrated anti-malware controls are also invaluable, particularly in terms of protection against spam and phishing attacks, now routinely used in the majority of advanced targeted attacks.

For compliance purposes, it’s important that businesses know where their data and files are shared and stored. In order to help meet compliance standards and to provide a measure of disaster recovery protection, files should be duplicated and stored in geographically dispersed data centers.

It’s also worth finding a solution that provides a 100% service availability SLA including failover during outages in order to help ensure a seamless, uninterrupted service with constant access to files. In addition the service chosen should be as flexible and scalable as possible, providing support for an unlimited number of people at any given time.

A particularly useful function of enterprise-grade file sharing and storage services is the ability to manage all processes and get reporting via a single management console. This saves IT time and money by providing centralized administration and can help to encourage enforcement of corporate policies.

Ensuring Employees Adopt Your Chosen File Sharing Solution

Any service, no matter how well considered and implemented, will not be effective if employees do not buy into it and it’s not blindingly simple to use. Another application, another login, another password – all these things will limit use of the ‘approved’ corporate service and drive employees straight back to the consumer services they have been using to date.

Employees should also be well informed of the security issues surrounding the numerous consumer-oriented options that are available. Otherwise there’s a strong likelihood that they will continue to make use of them, regardless of the company’s new investment.

Fundamentally though, large files should be shared where all other communication and file sharing is happening – within email itself. So applications like Mimecast’s Large File Send have been designed specifically to do this. Mimecast’s application allows secure file sharing from right inside Outlook and a specifically designed Mac app. This is a best of both worlds approach – best for the employee as they get to share what they want, where they want, and best for the IT team because it’s kept within the policy control and risk management rules of their enterprise.

Large file sharing over the cloud by employees doesn’t have to be risky if the right supporting technology is put in place. With the right alternative, they will happily leave consumer-oriented services and play ball. But you need to choose carefully – so make sure you focus on ease of use, integration with email, back-end reporting and enterprise grade security when making your service selection.


Protect Against Targeted Attacks Webinar – The Highlights

First of all, I’d like to say a big ‘thank you’ to everyone who attended Tuesday’s Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’.

The interest has been huge, and we’ve made the recording of the session available here. We’ll also be focusing on key themes raised during the session over the coming weeks on this blog.

To start, we thought it would be useful to pull out and reflect on some key quotes from the session.

Recording of Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’ from September 30th 2014, when practical steps to protect your business were outlined by Rick Holland.

Rick Holland, Principal Analyst, Forrester Research:

- ‘67% of the espionage cases in organizations involved phishing’, discussing the Verizon ‘2014 Data Breach Investigations Report’.

- ‘There are two types of phishing vectors – one the malicious attachment…and two, URLs to malicious sites’.

- ‘The average cost of a data breach is $3.5m up 15% from 2013’, discussing the Ponemon Institute ‘2014 Cost of a Data Breach Study: Global Analysis’ sponsored by IBM. Interestingly, class action lawsuits by affected customers are part of the calculation and might be a rising trend for organizations to address.

- ‘As it becomes more common for remote workers to operate outside of VPNs (BYOD and BYOC), enterprises must protect the user when they actually click’. ‘Even if users could put something on their mobile device to protect them, they are hesitant from a user experience perspective.’ – this was one of the key points in the session, as traditional approaches to security only protect users on the network and corporate managed devices. It’s important to think beyond this given BYOD and remote working. Protection must be available no matter the device used to access corporate email systems, without increasing the IT overhead or adversely affecting the users’ experience. As Rick suggested, organizations must ‘protect the click’.

- ‘Sometimes the URL isn’t bad at the time of delivery’ – the attacker may turn the server over from benign to malicious after the email is sent.

- ‘URL rewriting is emerging to protect the user…I recommended it as an RFP requirement.’

- ‘Whatever the culture of the organization, use that to (tailor) security training…increasing awareness and propensity to report incidents.’

- ‘(Phishing) is only going to get more and more sophisticated.’ – which is why the protection organizations put in place now must be able to stay ahead of the attackers.

Steve Malone, Security Product Manager, Mimecast:

- ‘Phishing is viewed as a technology problem…the usual approach is to add more technology. But the issue is that adding more technology is actually increasing complexity.’ Steve further explained that the most successful approach is two-fold: choosing the right technology coupled with user education.

- ‘As we’ve got better at protecting against these attacks, the attackers have moved the goal posts. We now have to assume all the links in emails are bad.’

- ‘Clean up (post-attack) is generally very difficult and time consuming and the root cause is not addressed.’

- ‘Mimecast’s Targeted Threat Protection addresses advanced attacks in email by rewriting the URLs. It means protection regardless of the device used.’

- ‘We’re building into the service a real-time education component for users.’
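An added sketch (not Mimecast’s product code) of the URL rewriting Rick and Steve describe: links in an email body are replaced at delivery with a link through a click-time gateway, so the verdict is made when the user clicks, on whatever device, rather than when the message was delivered. The gateway host, signing key, blocklist and email body are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

KEY = b"constructed-demo-key"               # assumption: gateway's secret (placeholder value)
GATEWAY = "https://protect.example/click"   # assumption: placeholder click-time check endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """HMAC over the original URL so the gateway can reject forged or edited rewrites."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url: str) -> str:
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return "%s?%s" % (GATEWAY, urlencode({"u": token, "s": _sign(url)}))


def rewrite_body(body: str) -> str:
    """Delivery time: replace every link, leaving already-rewritten links alone."""
    return URL_RE.sub(lambda m: m.group(0) if m.group(0).startswith(GATEWAY)
                      else rewrite_url(m.group(0)), body)


def resolve_click(link: str) -> str:
    """Gateway side: recover the original URL and verify the signature first."""
    q = parse_qs(urlparse(link).query)
    token, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    url = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    if not hmac.compare_digest(_sign(url), sig):
        raise ValueError("tampered or forged rewritten link")
    return url


def check_at_click(link: str, blocked_hosts: set) -> str:
    """Click-time decision: uses the blocklist as it is now, not as it was at delivery."""
    return "block" if urlparse(resolve_click(link)).hostname in blocked_hosts else "allow"


if __name__ == "__main__":
    body = "Invoice: http://invoice.example/pay?id=7 and https://intranet.example/docs"  # constructed
    protected = rewrite_body(body)
    print(protected)
    link = URL_RE.search(protected).group(0)
    print(check_at_click(link, set()))                  # at delivery: nothing known, "allow"
    print(check_at_click(link, {"invoice.example"}))    # host turned malicious later: "block"
```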

It’s clear from the interest and the great questions we received at the end of the presentations that this is a hot topic. The evolution of threats is forcing IT teams to rethink the planning, purchasing and management of their business security systems. In addition, it’s being recognized that in order to stay ahead of the attackers, technology alone is not the answer – the complete solution needs to account for this and train users in a new way.

Please leave a comment or @reply me at @orlando_sc if you’ve any particular areas you want us to cover in our follow up posts.