Here at Vormetric, we have just issued the European Edition of our Insider Threat Report. Although the report focused on Insider Threats, it also looked closely at enterprise use of SaaS and Cloud Providers: both the additional Insider Threat concerns that SaaS and Cloud Services raise, and what enterprises would like to see that would increase their use. Today I’m going into details that we didn’t highlight in the report, but which are directly relevant to Cloud and SaaS Providers … and to their customers.
For a look at the full report, register here.
Before I get to the data and what it means, though, one item needs to come first: what is the definition of an Insider Threat?
Insider threats now go well beyond traditional definitions of the term:
- Traditional Insiders: Traditionally, the Insider Threat in most people’s minds has been created by employees who in the course of their work have access to money or other sensitive information – like an accountant with access to financial data or payroll accounts. But this is no longer the only case.
- Privileged Users: Organizations now have to recognize that additional insider threats come from their privileged users as well: system administrators, storage admins, network admins, cloud admins and others who have access to data on systems in order to maintain and operate them. The Snowden incident highlighted this “flaw in the system” that has allowed privileged users access to protected information.
- Advanced Persistent Threat (APT) and advanced malware account compromises: Last, as APTs and other advanced attacks have grown in scope, there is an additional threat from the compromise of both traditional insider accounts and privileged user accounts. Account compromise is a primary operating method for APTs, and privileged user accounts are their top targets.
Enterprise SaaS and Cloud Concerns
What did we learn about enterprise organizations’ concerns? Top of the list were concerns about visibility into the security posture at the SaaS or Cloud Provider. Enterprises are used to having at their fingertips the details of how their systems, networks and data are protected. When a concern is raised, they know exactly what tools they have in place, how their hardware, software and systems are configured, what access controls are in place, and a host of other details. This is exactly what they don’t get from their SaaS and Cloud Providers. Even the best offerings cover limited detail compared to what enterprises know about their internal systems and processes. An example: does the SaaS or Cloud Provider conduct regular pen testing and include IDS/IPS in their security controls? Yes – more often than not they do. But do they cover the details of which security control implementations are in use (vendors and characterizations), how strictly the security solutions are configured, and what the administrative and management processes around these items are? In my unofficial polling so far – no. One vendor site even states that their servers reside behind “robust firewalls”. Robust? This is a marketing word, not the technical definition and detailed information large enterprises are looking for.
There can be good reasons for this. Revealing too much detail publicly can also highlight vulnerabilities. But if SaaS and Cloud Providers are really going to win business, they will have to find the right balance, and the procedures to make this data available to enterprise customers and keep it up to date as their security stance evolves. Here’s what we found as top concerns for enterprises considering adopting SaaS and Cloud Services:
| Top Security Concerns with SaaS and Cloud Services Identified by Vormetric’s Insider Threat Report | Responses |
|---|---|
| Lack of visibility into the security measures used by the SaaS or Cloud Provider | 61% |
| Potential for other users of the service to access my organization’s data | 59% |
| Lack of control over the location of data | 56% |
| Inadvertent data-across-borders privacy infractions from use of remote, shared infrastructure | 51% |
| Additional commitments needed to meet compliance requirements (PCI DSS, national data protection laws, etc.) | 48% |
| Additional privileged user roles that may have access to my information (Sys Admins, Cloud Admins, Storage Admins, Virtualization Admins, etc.) | 42% |
| Insider and APT penetrations at the service provider resulting in a compromise of your organization’s data | 38% |
| A compromise of another customer’s cloud infrastructure resulting in a new threat to your organization’s security | 34% |
What would increase enterprise use of SaaS and Cloud Services?
Now here’s some meat that we didn’t highlight in our report, but which every SaaS and Cloud Provider needs to be aware of now: what you can do that will increase an enterprise’s willingness to use SaaS or Cloud Provider Services.
The responses came straight back to what enterprises are most concerned with – the safety of their data. Top of the list, at 61% of organizations responding, was encryption of data at the SaaS or Cloud Provider location with the encryption keys held by the enterprise. This shouldn’t be a surprise. Because only the enterprise can then access the data, it immediately removes many of the items of concern above (lack of visibility into security, compromise of enterprise data at the cloud provider, lack of control over data location, etc.), and it also addresses another circumstance important to organizations. What if a court or other government agency requires the cloud provider to provide access to enterprise data (perhaps even a court in another country)? If the data is encrypted and the enterprise holds the keys, this just won’t work: the provider can only hand over ciphertext. The court will have to go to the enterprise to get access (as only the enterprise has the encryption keys), and the enterprise will be able to engage legal help appropriately – not have its data accessed without even being aware it is happening.
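The enterprise-held-key arrangement described above, as an added example (not from the report or from Vormetric’s own products): envelope encryption in Go, where the provider stores only the record ciphertext and a data key wrapped under a key-encryption key (KEK) that stays at the enterprise. The function names (EnterpriseEncrypt, EnterpriseDecrypt, seal, open) and the choice of AES-256-GCM are my assumptions, not the report’s.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// aead builds AES-256-GCM for a 32-byte key; any other length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts under key with a fresh random nonce and prepends the nonce.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented (Go 1.24+) never to return an error
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; under any other key the GCM tag check fails and no plaintext comes back.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// EnterpriseEncrypt runs at the enterprise: a random per-record data key (DEK) encrypts
// the record, the enterprise KEK wraps the DEK, and only these two ciphertexts go to the provider.
func EnterpriseEncrypt(kek, plaintext []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, plaintext), seal(kek, dek)
}

// EnterpriseDecrypt unwraps the DEK with the KEK, then decrypts the record. Called
// with anything but the enterprise KEK (the provider holds none) it returns an error.
func EnterpriseDecrypt(kek, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

What the provider holds after EnterpriseEncrypt is exactly what a disclosure order to the provider can yield: two AEAD ciphertexts that fail authentication under any key but the enterprise KEK.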
Other key findings were also directly in line with concerns – desires for security SLAs and data breach liability terms, detailed descriptions of security implementations and commitments, and more. And all were at (or very near) the 50% or higher mark.
| Capabilities that Would Increase Willingness to Use SaaS or Cloud Provider Services Identified by Vormetric’s Insider Threat Report | Responses |
|---|---|
| Encryption of my organization’s SaaS/cloud data with my local (on-site at the enterprise) control of encryption keys | 61% |
| Service level commitments and liability terms for a data breach caused by the service provider or another customer of the cloud provider | 60% |
| Explicit security implementation descriptions and commitments | 59% |
| Detailed physical and IT architectural implementation information | 58% |
| Exposure of detailed security monitoring information related to my organization’s implementation | 55% |
| Exposure of detailed infrastructure and virtualization monitoring information related to my organization’s implementation | 52% |
| Mapping of service provider administrative roles and their access to my organization’s cloud implementation | 51% |
| Specific, written compliance commitments for standards that apply to my organization | 49% |
What does this data mean for those of us creating and bringing to market SaaS and Cloud services? It’s a very direct answer. Find a way to address enterprise concerns, implement it quickly, make the information available, and reap the business. Enterprises are well sold on the benefits of SaaS and Cloud. They strongly desire the business flexibility, cost effectiveness and other advantages it brings.
The SaaS and Cloud Providers that solve these problems will have a direct market share advantage.
Last note: The report sample of 720 respondents was focused on IT professionals at enterprises, and the data I’ve used here covers the UK, France, Germany and Australia. My experience leads me to believe that U.S. enterprises are in exactly the same place.
Of course, if you’re seeing things unfold in the market differently from what we’re seeing, or even the same, it would be great to hear from you. Send me your thoughts at email@example.com. And if you’re a Cloud Service Provider with the desire to take your business to the next level by addressing your end customer security concerns, drop us a note at firstname.lastname@example.org and we’ll show you how.