When was the last time you heard about a data breach? It wouldn’t be surprising if you said “just recently” or “last week”. According to the IBM-sponsored 2017 Cost of a Data Breach Study by the Ponemon Institute, roughly one in four organizations will experience a material breach within the next two years. As companies move to the cloud, so does their sensitive data, and it’s now more important than ever to make sure the right security controls are in place to protect it.
It all starts from a single point of failure
Verizon’s 2018 Data Breach Investigations Report (DBIR) indicates that, in the last year, 48% of breaches involved hacking and 12% were the result of privilege misuse. Take, for example, an incident from earlier this year in which attackers accessed sensitive data, including the personal information of millions of users, stored in AWS S3. The attackers obtained the credentials for that company’s AWS account from one of its employees’ GitHub accounts. This demonstrates multiple points of failure across the company’s security infrastructure:
AWS access keys were committed to source code.
Multi-factor authentication (MFA) was not enforced on the AWS account.
Sensitive personal data was stored in plaintext in AWS S3.
It’s very common for users to log in from remote locations, using a device of their own (connected to a public network), to access information in your cloud applications. Events of this type could include a public link to your intellectual property stored in Box, an HR admin downloading another employee’s personally identifiable information (PII) from Workday onto a personal device, or a member of your sales team downloading contract assets from Salesforce. When appropriate security planning is not in place, any of these events could pose a serious threat to your organization.
So what do you do? It wouldn’t be practical to “just say no” to the cloud or cloud solutions, as that would negatively impact productivity. Additionally, employees frequently find ways around this type of restriction and use applications they want, without organizational visibility or awareness. A better alternative would be to build in multiple layers of security, which ensure the right user gets access to the right data—and malicious users are blocked. As the leading independent provider of identity for the enterprise, Okta can help. And in order to secure your sensitive data, we recommend combining Okta’s enterprise-grade identity and security solutions with a CASB.
What is a CASB?
The cloud access security broker (CASB) market has been defined as products and services that provide visibility into general cloud application usage, data protection, and governance for enterprise-sanctioned cloud applications. This technology is the result of the need to secure the rise of cloud services and how they are accessed by users both within and outside of the traditional enterprise perimeter.
The key challenge addressed by a CASB is the security of enterprise data exposed outside of the visibility and control of enterprise IT. Cloud services make it easier for users to access data from any device and from networks that are not owned or controlled by IT. These services also make it easier to share data both within and outside an organization—leaving IT and information security teams blind to cloud usage and sensitive data exposure. Using different deployment methods, CASBs provide critical control and visibility into the access and usage of cloud services.
Okta integrates with several CASBs, including Netskope. As a market leader in the CASB space, Netskope supports the most comprehensive deployment options. The Netskope Security Cloud provides customers with visibility and control over activities across thousands of SaaS and IaaS services (both sanctioned and unsanctioned) as well as millions of websites—ensuring 360-degree data protection, everywhere.
Here’s how using Okta and Netskope together can help provide complete security for your users and data:
Secure login to applications such as GitHub and AWS by enforcing multi-factor authentication (MFA). When it comes to securing logins with MFA, one size doesn’t fit all. For example, admins with access to AWS S3 may require a phishing-resistant hardware token, such as a FIDO U2F security key, for extra assurance, whereas developers accessing GitHub could authenticate with the secure yet easy-to-use Okta Verify with Push. Okta MFA, with support for a broad range of factors spanning all assurance levels, gives you the flexibility to choose factors based on your security and usability needs.
Get a step ahead of attackers by using Okta’s Adaptive Multi-Factor Authentication (AMFA). User and risk levels are always changing, and your security should keep pace. Okta’s AMFA allows for dynamic policy changes and step-up authentication in response to changes in user behavior, device, location, or other context. Adaptive MFA supports detection and authentication challenges for riskier situations, such as use of weak or breached passwords, brute-force attacks, new or untrusted devices, new geographic locations, and other indicators of anomalous behavior. In the example referenced earlier, AMFA would have identified the attacker logging in to GitHub or AWS from an unknown device and an unknown location or IP address, and prompted for a second factor the attacker could not present, failing the login attempt.
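To make the step-up logic concrete, here is an added example (not Okta’s code) of a minimal adaptive-MFA policy evaluator. It turns login-context signals (new device, new country, untrusted network, breached password, brute-force pattern) into the assurance level to demand. The signal names, thresholds, factor labels and the sample user profile are all assumptions made for the illustration; a real deployment would source these signals from the identity provider’s risk engine rather than a hand-written rule set.

```python
"""Adaptive-MFA step-up evaluator (added example, not Okta's code).

Signals, thresholds and factor names are assumptions chosen to illustrate
how login context maps to the assurance level required."""
import hashlib
import ipaddress
from dataclasses import dataclass


# Constructed stand-in for a breached-password feed. Real deployments query a
# k-anonymity API rather than shipping hashes in code.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password1", "Summer2018!")
}


@dataclass
class UserProfile:
    known_devices: set            # device identifiers seen on past successful logins
    known_countries: set          # countries seen on past successful logins
    trusted_networks: list        # CIDR strings, e.g. corporate egress ranges
    recent_failures: int = 0      # failed logins in the current window


@dataclass
class LoginContext:
    device_id: str
    country: str
    ip: str
    password: str


def risk_signals(ctx: LoginContext, profile: UserProfile) -> list:
    """Collect every risk indicator present in this login attempt."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("new_device")
    if ctx.country not in profile.known_countries:
        signals.append("new_country")
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(cidr) for cidr in profile.trusted_networks):
        signals.append("untrusted_network")
    if hashlib.sha1(ctx.password.encode()).hexdigest() in BREACHED_SHA1:
        signals.append("breached_password")
    if profile.recent_failures >= 5:          # assumed brute-force threshold
        signals.append("brute_force")
    return signals


def required_assurance(ctx: LoginContext, profile: UserProfile) -> tuple:
    """Return (decision, signals). decision is one of:
    'password'      no step-up: context matches what we know about the user
    'push'          one extra possession factor (e.g. Okta Verify with Push)
    'hardware_key'  phishing-resistant factor (e.g. a U2F security key)
    'deny'          block and hold the account for investigation
    """
    signals = risk_signals(ctx, profile)
    if "brute_force" in signals:
        return "deny", signals
    # A breached password, or two independent anomalies at once (the stolen-key
    # scenario: unknown device from an unknown country over an unknown network),
    # is enough to demand the strongest factor.
    if "breached_password" in signals or len(signals) >= 2:
        return "hardware_key", signals
    if signals:
        return "push", signals
    return "password", signals


if __name__ == "__main__":
    profile = UserProfile({"laptop-1"}, {"US"}, ["203.0.113.0/24"])
    attacker = LoginContext("unknown-host", "RU", "198.51.100.9", "correct horse")
    print(required_assurance(attacker, profile))
```

The decision table is deliberately small; the point is that the same password can lead to no challenge, a push, a hardware key or a lock-out depending on what else is known about the attempt.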
Scan for sensitive data in cloud applications using Netskope’s data loss prevention (DLP) solution. It’s important to understand where your most sensitive data resides, how it is being used, and who has access to it. Netskope Cloud DLP can discover sensitive data at rest (in sanctioned cloud services) and en route to and from all websites and cloud services (sanctioned or unsanctioned). It also helps protect sensitive company data from loss and exposure by using automated workflows to encrypt, quarantine, remove public links, restrict access, and block. In the example incident, Netskope Cloud DLP could have helped proactively prevent the breach by scanning source code in GitHub for user IDs and passwords, and notifying admins to ensure that appropriate action could be taken. Similarly, Netskope Cloud Encryption could be used to encrypt sensitive customer data stored in cloud storage services, like Box.
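The GitHub part of that scenario, scanning source code at rest for credentials, is worth seeing in code. The following is an added example, not Netskope’s DLP engine: a small secret scanner with ordered rules (AWS access key ID, AWS secret key assignment, generic credential assignment) and a final Shannon-entropy rule that catches long random-looking literals no keyword rule names. The sample source is constructed; the AWS values are AWS’s published example credentials, not live keys, and the entropy cut-off is an assumed tuning value.

```python
"""Secret scanner for source code (added example, not Netskope's code).

The most specific rule wins per line; an entropy rule runs last so that
long high-randomness literals are flagged even without a tell-tale name."""
import math
import re

# Ordered (rule name, pattern). Group with the highest index is the secret value.
RULES = [
    ("aws_access_key_id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("generic_credential",
     re.compile(r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
]
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9/+=_\-]{32,})['\"]")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed cut-off for "random-looking"

# Constructed sample file. AWS values are Amazon's documented example credentials.
SAMPLE_SOURCE = '''AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "hunter2"
LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
api_token = os.environ["API_TOKEN"]   # fine: read from the environment
upload_bucket_sas = "Qm3r7Xp2Lk9Zt4Vw8Yh1Nj5Bf6Gd0Sc2Ua9Ie4Mo7Rq"
'''


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def redact(value: str) -> str:
    """Never echo the whole secret into a finding or an alert."""
    return value[:4] + "..."


def scan_source(text: str) -> list:
    """Return (line_no, rule_name, redacted_value) for every suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        hit = None
        for name, pattern in RULES:
            m = pattern.search(code)
            if m:
                hit = (no, name, redact(m.group(m.lastindex or 0)))
                break
        if hit is None:
            for m in QUOTED_LITERAL.finditer(code):
                if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    hit = (no, "high_entropy_string", redact(m.group(1)))
                    break
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Two details matter in practice: findings are redacted before they reach an alert channel, and the entropy rule is gated on a minimum length so that short ordinary strings such as log format specifiers are not flagged.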
Securely enable applications by limiting access and activities from managed and unmanaged devices with Netskope’s inline policies. With enterprises supporting bring your own device (BYOD), it can be challenging to determine if the unmanaged device used to access an application is legitimate. For such scenarios, in addition to using Okta’s Adaptive MFA, security teams should consider employing a reverse proxy deployment method. While Okta AMFA can step up authentication at the time of login when an unknown or unmanaged device is used, Netskope’s reverse proxy enables customers to monitor and control activities performed and applications accessed from an unmanaged device after a user logs in. This level of protection can block access to applications with sensitive data or restrict the download or upload of data to and from unmanaged devices, securing you from external as well as insider threats.
Prevent data exfiltration and cloud threats. According to the Verizon DBIR, over a quarter of breaches (28%) last year involved insiders. Netskope Security Cloud is a platform that can track the movement of data from one application to another, identifying data exfiltration and preventing it automatically. This means that, if a user downloads PCI data from Box and then uploads the same file into their personal Dropbox account, Netskope’s inline policies will block the upload to Dropbox and generate an instant alert to the admin. Netskope also provides multiple layers of threat detection, including static and dynamic anti-virus inspection, user behavior anomaly detection, heuristic analysis, sandbox analysis, and more.
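The two inline controls described above, device-based restrictions for unmanaged devices and tracking the same content from a sanctioned app into an unsanctioned one, share one mechanism: fingerprint what leaves the sanctioned app and re-check the fingerprint on every upload. The following is an added example, not Netskope’s code, of that policy engine. It classifies content for PCI data (a card-number pattern confirmed with a Luhn check), records a SHA-256 fingerprint on every download from a sanctioned app, blocks sensitive downloads to unmanaged devices, and blocks uploads to unsanctioned apps of content that was fingerprinted or classified as sensitive. The sanctioned-app list, the events and the file bytes are constructed for the example.

```python
"""Inline CASB-style policy engine (added example, not Netskope's code).

Constructed tenant configuration and events; the card number is the
standard Visa test PAN, not a real account."""
import hashlib
import re
from dataclasses import dataclass

SANCTIONED_APPS = {"box", "salesforce", "workday"}   # assumed tenant config
PAN_RE = re.compile(r"\b\d{13,19}\b")                  # candidate card numbers


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: bytes) -> set:
    """Return DLP labels found in the content ('PCI' for a Luhn-valid PAN)."""
    text = content.decode("utf-8", errors="ignore")
    return {"PCI"} if any(luhn_ok(m) for m in PAN_RE.findall(text)) else set()


@dataclass
class Event:
    user: str
    action: str           # "download" or "upload"
    app: str
    device_managed: bool  # posture asserted by the reverse proxy / client
    content: bytes


class CasbPolicy:
    def __init__(self):
        self.fingerprints = {}   # sha256 -> (source app, labels)
        self.alerts = []

    def evaluate(self, ev: Event) -> tuple:
        """Return ('allow', '') or ('block', reason) for one activity event."""
        digest = hashlib.sha256(ev.content).hexdigest()
        labels = classify(ev.content)
        known = self.fingerprints.get(digest)
        if known:
            labels |= known[1]
        sanctioned = ev.app in SANCTIONED_APPS

        if ev.action == "download" and sanctioned:
            if labels and not ev.device_managed:
                return self._block(ev, "sensitive download to unmanaged device")
            # Remember exactly which bytes left the sanctioned app.
            self.fingerprints[digest] = (ev.app, labels)
            return "allow", ""
        if ev.action == "upload" and not sanctioned:
            if known:
                return self._block(ev, f"exfiltration: content downloaded from {known[0]}")
            if labels:
                return self._block(ev, "sensitive content to unsanctioned app")
        return "allow", ""

    def _block(self, ev: Event, reason: str) -> tuple:
        self.alerts.append(f"{ev.user} {ev.action} {ev.app}: {reason}")
        return "block", reason


# Constructed sample files.
CARD_LIST = b"name,pan\nalice,4111111111111111\n"
PHOTO = b"\x89PNG holiday photo bytes"


def run_demo() -> tuple:
    """Replay the page's scenario; returns (decisions, alerts)."""
    policy = CasbPolicy()
    events = [
        Event("alice", "download", "box", True, CARD_LIST),      # managed: allowed, fingerprinted
        Event("alice", "upload", "dropbox", True, CARD_LIST),    # same bytes to personal app
        Event("bob", "download", "box", False, CARD_LIST),       # PCI data to unmanaged device
        Event("alice", "upload", "dropbox", True, PHOTO),        # harmless, untracked content
    ]
    return [policy.evaluate(e)[0] for e in events], policy.alerts


if __name__ == "__main__":
    print(run_demo())
```

The exfiltration rule fires on the fingerprint even if the classifier had missed the content, and the classifier rule fires even if the content never passed through a sanctioned download; a real engine would also fingerprint at finer granularity (chunks, not whole files) so that partial copies are still caught.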
Identity is the key to our digital world; a world that is made up of data. Okta defends your end-users’ identities and controls access to cloud applications. Netskope protects the sensitive data going into and out of your cloud applications. Together, the two solutions can ensure your users and data are secure—helping you strengthen your customers’ trust in you and grow your reputation.
To learn more, contact us.
Group Product Manager, Adaptive Authentication