Trusted or Untrusted, It’s Still Your Data!
I’ve been thinking about Slacks recent comments that maybe, just maybe, the security of their platform may not be where it should be – my favourite part of the statement (and if you’ve not read it, you can get to it here: https://www.helpnetsecurity.com/2019/04/29/slack-potential-threats/) “The security measures we have implemented or integrated into Slack and our internal systems and networks (including measures to audit third-party and custom applications), which are designed to detect unauthorised activity and prevent or minimise security breaches, may not function as expected”
Could you imagine Mercedes, or Volvo making a statement about the brakes on your car like that! The breaks on your vehicle may or may not function as expected!
To me it begs the question – if Slack weren’t going public, and subsequently being forced to disclose this, would it ever have come to light? Then you ask yourself, if a company like Slack – trusted by firms like NASA – have insufficient security, what about those app’s that have less investment, that are less enterprise ready?
I don’t want to turn this into a discussion about whether the Cloud is secure, or the fact that Cloud services operate a shared risk model – I would hope that argument is long past – but what this issue highlights is that it’s not just about the risk of unknown, untrusted applications.
Trusted Vs. Untrusted – Is There a difference?
People for a long time have made a big deal about Shadow IT, and don’t get me wrong it’s a problem, but it doesn’t mean you can neglect the security of the app’s that you knowingly use – Slack’s a great example of this.
To put this into context we recently did a study for one customer identifying their known and unknown Cloud app’s through our Smart Discovery service, before we started there were circa 30 cloud based app’s that were known/trusted app’s. Through the process of our assessment we identified over 3000 cloud services in use. Now the services that that customer didn’t know about pose an obvious risk, but the trusted app’s have risk too.
To give you an example this customer uses Slack and as part of a web project that has been connected to a front end web service by an outsourced developer as part of a project driven by the marketing department. The terms of this API connector software states that if you use it, they have the right to use the data processed by it. Both trusted / known applications but with huge risk.
The ability to create an interconnected set of applications, through API services like Zapier, makes controlling your data all the harder. Statistically, for every anchor tenant e.g. Office365, there will be around 25 eco-system applications connected to it. They may be enterprise ready, they may not, but it becomes irrelevant when you don’t even know you’re using them.
I guess my point is that these services, whether known or unknown, should be treated the same.
Data Leakage, Viruses and Malware Exist In Trusted Platforms
Malware, Viruses and Data Leakage aren’t new problems. Organisations have spent billions on endpoint security technologies to protect from this sort of thing, so why is it acceptable to download data from a 3rd parties Dropbox to yours without taking the same precautions?
I’m all for using things like O365 and G-Suite – I mean really who wants to managed something like Microsoft Exchange – but it’s a really soft entry point for malicious content that most people don’t have covered off. Likewise DLP around Cloud storage services like OneDrive are weak for most firms, sharing data out of the business intentionally or otherwise is simple. If you’re using O365 for example, ask yourself – do you stop the use of things like publicly accessible links? Do you screen for Malware on downloaded content to OneDrive?
This same issue is now extending to IaaS platforms like Amazon S3, though Malware here is, for now at least, less of a risk in my opinion, data leakage is absolutely an issue; particularly when you consider how many third parties are employed by large enterprises for app development functions that have poorly controlled access to Cloud infrastructure.
These are known, trusted services by the worlds largest firms, yet if not managed correctly can carry just us much risk as any unknown app.
It comes back to a really basic point – you can’t stop what you can’t see! It doesn’t matter whether the application that you’re using is trusted or not, whether you know about it or not, you need visibility into what those applications are doing, where they pose risk and and who’s doing what with them.
Ultimately we can’t take for granted the fact that these so called enterprise grade applications, like Slack, are securing our data effectively. Your data is still your data, your risk is still your risk regardless of whether it’s in a platform you’ve knowingly invested in, or an app being used outside of the governance of the IT department.