Are Too Many Companies Putting Identity and Access at Unnecessary Risk in Their Move to the Cloud?

I was chatting with the CSO of a Fortune 500 company a couple of weeks ago and the topic came around to cloud services. Her company is famously cloud-averse.

“I know you guys don’t do cloud,” I began, “but are you moving to Office 365?”

“Probably. Eventually. I think we’re going to get dragged there whether we want to go or not,” she replied.

Identity Access Risks in CloudMicrosoft Office has long been the most popular business productivity software suite. Now the Redmond-based giant is aggressively promoting their cloud-based version, Office 365, to organizations of all sizes. The promise of Office 365 is better collaboration (do we really need to email 12Mb Word docs around all the time?), which should increase user productivity. In theory, creative employees can use it to collaborate anytime, anywhere, from any device.

For small businesses particularly, the lure of a few dollars each month for the cloud version instead of hundreds of dollars per employee for the desktop suite is a huge temptation and given the choice, they’ll just go with it. I would, skinflint that I am.

But larger organizations, such as the one run by the CSO I was chatting with, want to be more proactive about their cloud security. And she’s right to think that way; most Office 365 deployments result in user credentials (including C-level usernames and passwords) going to the cloud whether they mean to or not.

Don’t believe me? Let’s look at the three identity and access management models used by Office 365.

Cloud Identity Model – All your passwords belong to Microsoft.

The simplest Office365 identity model is the Cloud Identity Model, where user names and passwords are managed solely in the cloud with Office 365 creating a user identity. The user identity is stored in and verified by Azure Active Directory.

Synchronized Identity Model – Passwords hashed on-premises and in the cloud.

In the Synchronized Identity Model, an organization’s on-premises server manages user identity, while the user account and password hashes are synchronized to Azure AD. Users enter the same password on premises as they would in the cloud, with their password hashes verified by Azure Active Directory.

Federated Identity Model—The most secure, but still sees mobile user passwords.

The Federated Identity Model is the most secure method to access Office 365. It is similar to the Synchronized Identity Model but uses an on-premises identity provider to verify the user password hash. That means the password hash does not need to be synchronized to Azure Active Directory.

The Federated Identity model suffers from a mobile client password gap. Nearly all mobile email clients use the ActiveSync protocol. ActiveSync doesn’t support federation and transmits the user password to Azure AD. Azure AD sends the password back to the on-premises identity manager for verification over an encrypted tunnel, but is that good enough?

What’s the Threat Model Here, Anyway?

Here’s a short list of possible threat vectors you’d consider if you were doing a threat model assessment for any of cloud passwords management models (including the three above):

· Cloud breach

· Man-in-the-middle attack

· Rogue cloud employee

· Nation-state (subpoena)

· Accidental credential logging

· Phishing attack

Where possible, Microsoft has clearly done what it can to avoid seeing user passwords, but they still do. And there are plenty of examples of all of the above threats being realized. Whether or not these threat vectors fall into your assessment model is up to your organization.

Closing the Gap

Many organizations have decided that they are comfortable with this gap. No model is 100 percent secure, right? But a few CSOs want to close the gap before they make the switch. Right now, the way to do it is to intercept and proxy ActiveSync connections from the client to an on-premises proxy which then encrypts the passwords before they transit to Azure AD.

The final step is to implement adaptive multi-factor authentication (MFA). Adaptive MFA is risk-based authentication and can include certificate checks and context-aware, one-time passwords (OTP) via email.

Most organizations say they support MFA but when you drill down, they’re only providing it to select users (C-levels, hopefully, and IT, and a few others). MFA that covers only some users isn’t ideal, but it’s better than no MFA at all.

Cloud Should Be More Than Someone Else’s Computer

Getting back to the conversation with that CSO. Even though her organization is famously cloud-adverse, she knows they’re going to end up editing Word documents and PowerPoint files in the cloud. When they do, there will be no turning back. Her staff’s real challenge will be managing the risk before – and when - that happens.

view counter

David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.

Previous Columns by David Holmes:


SecurityWeek RSS Feed

Security and privacy of data and systems in the cloud remains a top worry for 70% of IT professionals worldwide, up from 63% in 2015, according to a new Cloud Security Survey by Netwrix. The top three cloud security concerns in 2016 are unauthorized access (69%), malware (37%) and denial of service (DoS) attacks (34%).

Cloud security concerns (up to 5)

hinder cloud adoption

Even though cloud service providers make security a top priority, cloud computing is still associated with a number of risks, including potential for unauthorized access by employees and third parties, sophisticated attacks, and lack of visibility into what is happening across cloud IT environments.

Netwrix asked more than 600 IT professionals from technology, government, healthcare, finance, manufacturing and other industries about their thoughts on security in the cloud, their readiness to adopt the technology and possible ways to ensure data protection.

Key survey findings

  • Cloud adoption rate has risen during the past year, from 43% of organizations in 2015 to 68% this year. However, only 8% of companies are ready to move their entire IT infrastructure to the cloud in the near future.
  • Security and data privacy is the top concern with cloud (70%) followed by loss of control over data (53%).
  • A hybrid cloud approach is preferred by 55% of organizations that are considering a cloud move; 40% of cloud users are already taking advantage of the hybrid model. This model enables them to balance costs, business benefits and data security.
  • The most common factors that hinder cloud adoption are insufficient security mechanisms (56%), high costs and small budgets (54%), and lack of compliance guarantees (39%).
  • The majority (61%) of respondents indicate that their own employees pose more risk to data security in the cloud than anyone else.
  • The overwhelming majority (95%) of respondents consider visibility into user activities in the cloud to be an important element in cloud providers’ security guarantees.

Cloud technology’s impact on security of IT infrastructure and data

hinder cloud adoption

“The 2016 survey has revealed that despite cloud providers trying hard to secure the cloud environments, the majority of IT pros are still not convinced that the technology is safe enough — mainly because of the insider threat. Lack of visibility is the primary reason why security remains the top cloud-related challenge for many organizations. Advanced security solutions and an integrated view of activities both in the cloud and on premises will help companies increase user accountability, detect insider threats faster and prevent data exfiltration, thus minimizing the damage from unauthorized or incorrect user actions,” said Alex Vovk, CEO and co-founder of Netwrix.

Help Net Security

Identity and access management-as-a-service, also known as IDaaS or cloud IAM, is becoming the go-to solution for CIOs, CISOs and CTOs struggling to keep up with the rapid advancements and changes in cloud, mobile and social. But because identity and access management (IAM) touches every corner of an organization, adopting cloud IAM is not a decision that these C-level professionals take lightly. Choosing the right IDaaS provider is paramount.

IBM Executive Dishes on IDaaS

The office of the IBM CIO recently made critical decisions around cloud IAM and IDaaS vendors. In the interview below, William Tworek, an executive architect in the office of the IBM CIO, described his team’s decision to adopt cloud IAM and how his team evaluated the various IDaaS providers.

Question: Bill, thank you for being willing to share your experiences in adopting cloud for your IAM environment. Before we jump into that, can you please share with us a bit about your role at IBM?

Tworek: At the time of this effort, my role was essentially as the CTO for IBM’s corporate identity and access services. My job was to update IBM’s approach in the identity arena to help accelerate IBM’s embrace of the cloud, both internally for its employees and externally for its customers and partners.

Can you please share more details about the challenge your team was facing and why it led you to consider cloud-based identity and access management?

As with most companies, our legacy identity services were behind the corporate firewall and based on older authentication techniques and protocols. Such services were also beginning to frustrate both our users and developers. They had become aged in terms of their end user experience, and a bit bureaucratic and process-driven in ways that slowed their adoption.

We quickly realized that to support the cloud, we needed our identity services themselves to move to the cloud. This was the only way we would be able to keep up with the velocity of change that occurs with a shift to the cloud, as well as the typical agile and DevOps practices that come with it.

Once you realized cloud IAM was a good fit for your needs, what selection criteria did you use to judge the various IDaaS vendors?

Once we decided to move to the cloud, our requirements really became those typical for any cloud effort. Speed of delivery and execution, a truly modern and mobile-friendly user experience, self-service adoption for our project teams and state-of-the-art security options were all key focus areas.

Take the Cloud IAM TCO assessment to learn how much could you be saving

Which IDaaS providers were you formally considering? Why did IBM’s very own enterprise-level cloud IAM stand out as the best solution?

We considered all the leading players in the IDaaS industry and performed proof-of-concept efforts/pilots with many of them. Ultimately, what made IBM’s own IDaaS [Cloud Identity Service] stand out was the flexibility that the solution provides around authentication and security policies. Many cloud IAM products could deliver on our general cloud agility requirements, but finding the needed security options was much tougher.

We knew that externalizing our corporate authentication services would only be feasible if we could do much more than just authenticate the user. As identity becomes one of the sole security control points in the cloud, we needed to perform many other analytical and policy-based security checks at the time of auth. We found that only IBM’s Cloud Identity Service provided us with the needed flexibility and extensibility in this area.

Can you please share some immediate results you experienced after deploying Cloud Identity Service?

We went from onboarding less than 100 projects a year with our legacy corporate authentication services to onboarding literally thousands of projects virtually overnight with Cloud Identity Service. Even more, we did this while dramatically improving end user satisfaction and improving the security of our enterprise.

By using Cloud Identity Service, my team could focus purely on automating adoption, implementing the security policies desired and innovating on design-led user experiences — versus needing to worrying about the details of running an identity service.

Next Steps

Congratulations to the office of the IBM CIO for their successful adoption of IDaaS. If you are wondering how cloud-based IAM can reduce your costs and accelerate your business initiatives, visit the Cloud Identity Service website.

Learn more: Read The Ultimate Guide to Calculating the TCO of Cloud and On Premises IAM

Security Intelligence

While venture capitalists have been tightening their belts over the past year, there’s still a lot of love and funding for security startups – especially if you’re working in the right areas.

During a panel discussion at the Structure Security conference in San Francisco today, a trio of top VCs identified three key areas where security startups would have no problems getting initial funding: cloud security, containerized protection, and machine learning – although that last area comes with caveats.

Asheem Chandna, a partner at venerable VC firm Greylock Partners, and Theresia Gouw, managing partner at Aspect Ventures, both said they were investing heavily in cloud security outfits, since they matched the tech industry's ongoing movement to the cloud and the need for increased security budgets.

“In the last two decades that I’ve been doing this there never been a better time to be in this [security] business,” Chandna said. “Look at how important it is to buyers and how the checkbooks are open. Most people expect security budgets to double in the next few years – it’s a good time to be an entrepreneur in the cloud space, but for customers it’s confusing.”

The second area of interest among funders is containerization, and how it can be secured and used to protect data and applications. Alex Doll, founder of Ten Eleven Venture, said it was an area his firm was spending a lot of time and money on.

“When we look at containers it's as big a trend as Linux was a decade ago, or virtualisation was a few years ago,” he said. “We think the containers trend is a series-A level for investment funders.”

Machine learning for security was also a hot area, he said, but warned it required care to train up AI models with high quality information – to sort the wheat from the chaff, in other words. True machine learning systems in security are rare, and too many startups claim they are applying AI techniques when, in fact, they are simply running human-overseen data mining, and often coming to the wrong conclusions.

Chandna said that VC funding for the broader IT area is shrinking slowly, as VCs winnow out the “me-too companies” and those without a realistic growth plan. For security, there is still a lot of startup moolah out there for budding entrepreneurs to tap.

But before you tell your boss he or she's a pillock and rush out to set up your own firm, be warned. While getting initial series-A funding is relatively easy, getting more funds out of VCs is getting a lot harder.

“A-level funding is still easiest to raise,” Chandna said. “Series B is easier but valuations have come down. But when it comes to Series C or D then firms need to show real progress and customer wins. The cost of capital has gone up.” ®

Sponsored: Optimizing the hybrid cloud

The Register - Security

There are clear benefits to adopting cloud services, such as improved availability and cost optimization. Cloud also offers an opportunity to update legacy systems and processes that may have been on the risk register for a long time with no clear mitigation strategy in place.

Common Misconceptions About Cloud Security

IDC predicted more than 80 percent of enterprise IT organizations will implement hybrid cloud architectures by 2017. IT executives remain concerned about operating model changes, however, and many are wary of the perceived security challenges and increased operational complexity of cloud solutions.

Below are some common misconceptions related to cloud adoption.

Cloud Computing Is Less Secure

This should not be the case if done correctly. Security risks vary depending on the deployment model, but a clear assignment of ownership and accountability between the organization and the cloud service provider (CSP) can provide adequate security for the migrated workloads. The homogeneous operations and management practices applied by CSPs in their IT and operating environments can actually improve your security posture.

Cloud Security Is Too Complex

Cloud security poses a new challenge since it is managed as an extension of the current controls environment. However, a comprehensive security framework can prioritize areas of control enhancement and inform investment decisions. Added focus on data security and privacy may compound the complexities from a compliance perspective.

Cloud Security Is Difficult to Maintain

Many IT professionals are concerned about transparency and assurance. Establishing strict governance backed by metrics and enforceable service-level agreements (SLAs) can assist in measuring a CSP’s performance.

Frequently Asked Questions

Taking the first step on a journey to cloud adoption can be daunting. Some common questions to ask at the beginning of this process include:

Which Framework Do We Use?

Multiple standards are available, each with different benefits, depending on circumstances and the environment. It is critical to establish a comprehensive cloud security controls framework that leverages industry best practices and aligns with the organization’s risk appetite.

It is also important to recognize key sets of security controls and delineate roles and responsibilities clearly. This will drive performance measurement against the SLA if the CSP is appointed as a vendor.

What Are the Regulatory Implications?

Cloud offers a new set of challenges in terms of data transfer and protection, especially with new regulations coming down the pipeline. The European Union’s General Data Protection Regulation (GDPR), which will take effect in May 2018, adds to the list of concerns. To remain secure and compliant, organizations need a holistic view of the regulatory landscape.

Will I Have Full Access to the CSP’s Security Environment?

Typically, this is not the case, but some CSPs provide more security transparency than others. This should be clearly identified as part of the vendor due diligence phase. Transparency requirements must be satisfied before agreeing to the vendor’s terms and conditions.

What Workloads Can I Put on the Cloud?

This depends. Some organizations experience scope creep in cloud adoption, leading to the unplanned migration of more sensitive workloads onto cloud and negligence of the initial security principles. Such issues must be monitored to avoid a mismatch of expectations.

Where Do I Start?

Security needs to be at the heart of your cloud strategy and design. An effective cloud strategy must match the workload with the appropriate controls framework to provide assurance and protection. This approach ensures that the security capabilities offered and managed by the CSP align with the organization’s risk appetite. The framework should also consider regulatory, legal and compliance requirements that are relevant to the organization.

A Dynamic Framework

IBM utilizes a unique cloud security framework that breaks down the domains into eight categories: governance, metrics, cloud security optimization, data security, application security, network and system security, secure operations, and identity and access management.

Screen Shot 2016-09-28 at 15.24.37

Security teams can use governance and metrics to measure and audit the security capabilities in place. The domains consist of cloud-centric categories as well as business-as-usual security. For these domains, fundamental changes relate to maturity in service integration and the manner in which roles and responsibilities are defined within a clear ownership structure.


A successful transition requires a clearly defined cloud strategy. That strategy should identify the target state and provide prioritized road map considerations that may lead to a consolidation of cloud activities within the organization.

A paradigm shift in operating models comes with many challenges. By clearly defining the workload sensitivity and controls framework, security teams can enable efficiency, agility and trust when it comes to cloud security.

Register for the 10/6 webinar: Demystifying Cloud Security Transformation

Security Intelligence

Fuzzing as a service, from Microsoft

Ignite Microsoft's conviction that "fuzzing in the cloud will revolutionize security testing," voiced in a research paper six years ago, has taken form with the debut of Project Springfield: an Azure-based service for identifying software flaws by automatically subjecting the code to bad input.

Introduced at the Ignite conference in Atlanta, Georgia, on Monday, Project Springfield offers developers the ability to conduct continuous testing of binary files on virtual machines running atop Microsoft Azure, in order to identify and eliminate bugs.

Allison Linn, self-described writer and storyteller for Microsoft, says that Microsoft's research team thinks about Project Springfield as a "million-dollar bug detector" (not to be confused with the Million Dollar Homepage) because some software bugs cost that much to fix if left too long. Your costs may vary.

A 2002 study released by the US National Institute of Standards and Technology estimated that software bugs cost the US economy between $ 22.2 and $ 59.5 billion annually (more like $ 79 billion today). Catching bugs before software gets released presumably can bring repair costs down, if that's your goal.

Microsoft insists a third of the "million dollar" security bugs in Windows 7 were found using its "whitebox fuzzing" technology, referred to internally as SAGE (scalable, automated, guided execution). SAGE is one of the components of Project Springfield.

Like other announcements echoing around Silicon Valley these days, artificial intelligence comes into play. Microsoft says its system employs AI to ask questions and make better decisions about conditions that might cause code to crash.

Microsoft's whitebox fuzzing algorithm symbolically executes code from a starting input and develops subsequent input data based on constraints from the conditional statements it encounters along the way. The technology is distinct from blackbox fuzzing, which involves the sending of malformed input data without ensuring all the target paths have been explored. Blackbox fuzzing thus has the potential to miss a critical test condition by chance.

Fuzzing lends itself to cloud computing because fuzzing software can run different tests in parallel using large amounts of available infrastructure. But Microsoft researchers Patrice Godefroid and David Molnar, in their 2010 research paper, argue that such computational elasticity matters less than the benefits of shared cloud infrastructure.

"Hosting security testing in the cloud simplifies the process of gathering information from each enrolled application, rolling out updates, and driving improvements in future development," they wrote.

It also, it is claimed, simplifies billing. ®

Sponsored: IBM FlashSystem V9000 product guide

The Register - Security

Cisco has provided a patch to address a remote hijacking vulnerability in its Cloud Services Platform (CSP).

Switchzilla said that all customers who run CSP 2100 software should install the 2.1.0 update to close a remote code execution flaw it considers to be a high security risk.

Designed as an efficient way to manage virtualized network services and components, CSP is installed as a Linux x86 virtual machine built into a Cisco network appliance. The system includes a web-based GUI for device management.

Cisco says that the flaw (CVE-2016-6374) allows an attacker to send malformed HTTP requests to achieve remote code execution.

Specifically, Cisco warns, the attacker will be able to shoot the targeted system a poisoned DNS-lookup request through the CSP web interface. That attacker could then execute commands on the server without the need for further authentication.

Cisco noted that, aside from installing the update, there are no known mitigations for the vulnerability. No other Cisco appliances or hardware are believed to be subject to the flaw, and Cisco says it is not aware of any attempts to exploit the vulnerability in the wild.

The patch comes just three days after Cisco issued a fix for another high-severity flaw in its IOS platform.

That flaw, spotted during the "Shadow Brokers" review, allowed for a cock-up in the handling of IKE requests to open up memory contents to a remote attacker, potentially allowing for information disclosure. ®

Sponsored: Fast data protection ROI?

The Register - Security

  • Home
  • Cloud Computing
  • Cloud Security

Tenable brings network visibility into Google Cloud Platform Credit: Shutterstock

Tenable Network Security has integrated Tenable SecurityCenter Continuous View with Google Cloud Platform, giving administrators better visibility into what is happening within their cloud infrastructure.

Cloud-based infrastructure eases IT’s administrative woes and lowers operating costs, but the benefits don’t count for much if there is any doubt about the security of key applications running in the cloud. While system administrators can easily spin up new services and hosts, security teams don’t always know what applications and services are running in their cloud and hybrid environments or understand the risks associated with each one.

[ Security expert Cricket Liu lays out the workings of a DNS-based DDoS attack -- and how to prevent one from hitting your company. Download the PDF today! | Stay up to date on the latest security developments with InfoWorld's Security newsletter. ]

With SecurityCenter CV, administrators can export logs from Google Cloud via the publish-and-subscribe service and be notified about host-level changes as they occur in the cloud environment. SecurityCenter CV gives administrators the information they need to identify potential danger spots and uncover indicators of compromise.

Attackers typically spend some time with reconnaissance after the initial breach and before they steal data or cause some kind of damage. Google Stackdriver handles cloud monitoring, logging, and diagnostics information on Google Cloud. Log data feeding into SecurityCenter CV from Google Cloud can alert defenders to potential reconnaissance activities, such as unexpected web application scans, new or existing hosts consuming too many resources, and unauthorized changes in the cloud environment.

"Organizations need a comprehensive security program that delivers complete visibility and the assurance to know their data will be safe and secure, whether using an all-cloud approach, a hybrid or multicloud environment," said Matt Alderman, vice president of strategy at Tenable Network Security.

Google has been wooing enterprise customers to its Google Cloud Platform, which is lagging behind Amazon Web Services and Microsoft Azure. The company has been investing heavily in its cloud platform and building out its infrastructure, but it is still in catch-up mode with its more established competitors.

Google’s senior vice president of enterprise business, Diane Greene, has claimed that Google Cloud Platform has the edge in areas like machine learning, open source software, and security. Part of that comes from Google, with the company’s security engineers continuously working to secure and improve the platform. The other part comes from partnerships like this one with Tenable to provide administrators with security tools they can use to monitor their own systems.

Moving key applications to the cloud introduces new types of risk to the organization, and Google Cloud Platform’s growth will depend on giving administrators the tools to gain the visibility they need across their infrastructure.

In its latest quarterly report on the cloud, Netskope reported that 43.7% of malware found in the cloud is carrying ransomware and one in 10 of the enterprises monitored by Netskope yielded ransomware-infected files in sanctioned cloud apps.

Although the Netskope Threat Research Labs report covered only cloud apps that were officially approved by the enterprises using them, it discovered an average of 26 pieces of malware in cloud apps across organizations where cloud ransomware was present -- and over half of all infected files were shared publicly.

Sanjay Beri, founder and CEO at Netskope, said in a statement: "With the rise of ransomware, the cloud threat landscape is now increasingly complicated; IT teams need deeper intelligence, protection, and remediation that can help them stop malware and ransomware in their tracks and prevent them from spreading."

Netskope reported cloud ransomware being delivered through Javascript exploits and droppers, Microsoft Office macros, PDF exploits and Linux malware. "Ranging from one to hundreds of pieces of cloud malware at each organization, for enterprises infected with malware, the average amount found in cloud apps was 26 pieces of malware." Netskope also reported that 55.9% of the cloud malware "was shared with others, including internal or external users, or publicly, a significant increase from last quarter's 26.2%."

Solutions to the cloud ransomware threat have yet to catch up. Netskope's recommendation was to have security teams focus on the cloud malware threats. "With these threats often delivered through phishing and email attacks, security teams should consider training sessions for employees on spotting suspicious emails and not opening attachments from unknown sources or suspicious email addresses. Within a cloud context, files that have been encrypted can easily affect other users when they are in sync folders."

Other suggestions from Netskope included "using a cloud access security broker (CASB) to detect and remediate ransomware that affects files in cloud applications, as well as enabling the versioning function in Box, Dropbox, Microsoft OneDrive, Google Drive, and other file-sharing applications in order to roll encrypted files back to their last known good version and fully recover from ransomware attacks."

Experts agreed that as cloud ransomware becomes more common the risks will continue to grow -- and finding solutions will be challenging.

"Now more than ever, companies need to prepare for a ransomware attack by implementing fully-baked business continuity plans," said Richard Walters, senior vice president of security products at Intermedia, the Mountain View, Calif., business cloud app firm. "These should incorporate off-site, real-time cloud backups to ensure file archives can't be deleted and employees can access clean versions of the files on another device."

"The number of options for enterprises to reduce risk is decreasing," said Vishal Gupta, CEO at Seclore, the Sunnyvale, Calif., enterprise digital rights management firm. "Infrastructure protection strategies focused on protecting the device, the application or the network are moving to the necessary but not sufficient category. The amount of malware infiltrating even 'secure' cloud applications and data being delivered via containers like office files and PDFs is already at 43.7%, and increasing every day. Focusing on securing the information itself as it moves in and out of cloud apps, which is part of a data-centric security model, is the future of security."

"The fact that ransomware attacks are now so pervasive in the cloud only reinforces the need for a multi-dimensional defense strategy, including the use of machine learning and artificial intelligence techniques to pinpoint small changes in behavior that identify malicious carriers such as email, while flagging telltale signs that a user has been infected" said Larry Lunetta, vice president of strategy at Niara, the Sunnyvale, Calif., security analytics firm.

"One of the biggest risks ransomware poses on enterprises isn't the ransom that the executives might have to pay, it's employee downtime," Walters said. "The major damages occur when employee productivity is abruptly halted by ransomware attacks, jeopardizing business operations and sales. Companies can't afford the crippling effects of downtime, as that tends to be pricier than the ransom itself."

Gupta said the risks for enterprises vary. "At the least, a breach is an embarrassment -- at the worst, it means lost intellectual property, compliance violations, lawsuits and loss of reputation. Risk assessment can also be a very subjective exercise since the true risks of information breaches is almost never obvious."

Next Steps

Find out more about how cloud ransomware attacks are targeting cloud providers.

Learn about why the cloud may not be a solution for healthcare IT pros battling ransomware.

Read about how ransomware as a service growth is tracking the continued growth in cloud computing.

SearchSecurity: Security Wire Daily News

Many discussions within IT departments revolve around whether to adopt cloud as a delivery model. Cloud adoption can help satisfy a strong demand for cost optimization, but it also imposes constraints due to local and global regulations. Cloud use also introduces a host of security concerns.

No Easy Answers

First, it is important for IT teams to determine whether the organization does, in fact, use any cloud services. The easy answer may be that the company uses no authorized cloud services, but this is insufficient in today’s complicated and interconnected IT landscape.

A configuration management database can be helpful in understand the relationships between various services. However, this requires a wide, accurate and complete set of attributes and relationships, and is often inadequate on its own.

What if an authorized service houses portions of its workloads in the cloud? You may be able to control it when the service is adopted, but the service, or some library in the service, can always change sometime thereafter. A complete change management process can prevent this problem, but it’s important to consider the speed and complexity of changes and transactions.

A pure configuration management database lacks visibility into the security risk of a given application. It is, of course, possible to consider the risk as an attribute of configuration items, but this is not very practical.

Enforcing Cloud Security

The endpoint offers another layer of complexity. If the organization has a bring-your-own-device (BYOD) policy, how can it be sure these devices do not access cloud services? This can be controlled to an extent by establishing and enforcing security policies, but these should leave room for future changes.

IT professionals can use cloud security tools to detect the use of cloud applications, including shadow IT. This service enables IT teams to correlate cloud activity with employees, identify suspicious activity, and leverage analytics and risk reports while responding to priority alerts.

Whether your organization decides to adopt cloud as a delivery model, the right cloud security solution can provide the necessary visibility to sustain your long-term plans.

Learn more about Cloud Security

Security Intelligence