One of the things we have seen in the federal space, and taking into consideration FedRAMP requirements, is that government organizations want to have lean operations, especially when it comes to data centers. We have seen a lot of uptick in terms of moving away from the traditional maintenance of data centers by clients, and rather relying heavily on AWS or Azure offerings – more of a public cloud environment.
Another area with an uptick in the federal space is the collaboration space where we are also seeing a lot of movement. The collaboration space includes applications like Office 365 and Google Apps, mainly due to the low licensing costs – in comparison to the more traditional methods. Additionally, some cloud applications, such as Salesforce, are also gaining traction.
Trends Among EMEA Countries in Proactively Implementing Security Checks
There are two trends that we typically see in the EMEA market. In the North America space, there is a lot of openness towards adopting cloud services – especially from a security standpoint. Organizations are more comfortable with externalizing the identity management or security management platform onto the cloud.
In the EMEA space, they are traditionally more reserved with regards to adopting cloud security solutions, and with the cloud itself. They are more comfortable with on-premise solutions. They are also more reliant on some of the complete outsourcing providers, such as Capgemini or IBM Global Services, to whom they have completely outsourced their identity management. Those are the main distinctions between the two markets.
But now, as we speak to our EMEA customers – especially with our providers such as SAP and Oracle – we find that they have started moving their offerings and applications to the cloud. So the EMEA space is just heating up right now, and they are more open to implementing their security solutions on the cloud itself.
The significant thing we are seeing in the cloud industry is that the skepticism that was holding a lot of organizations back from adopting cloud services is subsiding, especially with the availability of new security tools in the market. Cloud adoption is increasing and will continue to increase in the near future.
Impact of IoT and Social
IoT and social have a huge impact when it comes to security within an organization. With regards to an exfiltration scenario, traditionally, individuals would have their own cell point on-premise. The only way for a user to take that data out would be through copying it on a storage device or by emailing it out. As such, there were specific controls and security mechanisms to address that. There were security solutions on the endpoint and security solutions on the desktop, so that when the individual is copying data to the storage device, an alert goes off.
Alternatively, I might put an agent on the email server and figure out the places the individual was going to. From that perspective, it was much easier to control the flow of data. Now, what happens is that I might use Office 365 or Dropbox, and because that data is sitting out there on the cloud, the data exfiltration use cases are very different.
With IoT, a device on the network may either be an approved device or one that is not approved. The organization has stricter control around the security posture of the approved devices. An unauthorized device might just be an individual’s personal device which has been used to gain access. In either of these two scenarios, what we are seeing – especially from a data exfiltration standpoint – is that the individual might have certain native apps sitting on their device for accessing their Office 365 or Dropbox. From there, they can easily download documents, which may be sensitive, and store them on their device.
Also, they can share it with anyone outside the organization, or they can email it to them. In some applications, such as Office 365, individuals can actually copy data from there to their corporate OneDrive, then they can easily copy the data into their personal OneDrive. From their personal OneDrive, the individual can copy the data into their personal Dropbox account, all through that little app that sits on their mobile device.
The complexity is much higher in that scenario, especially with the IoT devices coming in. With regards to this, some of the things organizations are looking at are how to ensure that only authorized devices are able to access their cloud environment and perform transactions.
Additionally, even if individuals are gaining access from their own devices, how do organizations restrict data movement, knowing that they have less control over that device?
Issues With Shadow IT and Unauthorized Devices
There are two aspects to shadow IT, and security is a huge aspect. When individuals are using unauthorized and unapproved cloud applications, inevitably, there are business processes that are being accessed outside of the sanctioned cloud applications. Part of this might become apparent when you start seeing sensitive data moving out of those cloud applications, and the IT department might not have the mechanism to control that.
Additionally, identifying the exact cloud applications that are used by individuals, and IT being able to quickly analyze the risk of those applications is important. IT must streamline the types of cloud apps that are being consumed by different business units, consolidate them, and enable them as sanctioned cloud applications, where appropriate – after doing their due diligence from a security standpoint.
For instance, in some organizations we have seen different business units using OneDrive, while others use Dropbox, Salesforce or other duplicate applications. From an IT standpoint, the aim is to analyze the cost factor and security factor and sanction the use of appropriate apps for specific business controls, in order to have better control over them. Definitely, shadow IT is a huge problem for enterprises.
Standards for IoT Devices
Right now, there are no binding mandates, although there are best practices, recommendations or guidelines coming out. Cloud Security Alliance has a few of those around how to manage your IoT devices and secure them. Similarly, FedRAMP might have a few, but those are not mandates, and those policies need to be enforced from an organization standpoint.
The policies are currently too broadly worded, so organizations and device manufacturers can interpret them whichever way they want. The definition of an IoT device itself could mean different things. It could be a sanctioned device, or something that follows an organization’s BYOD policy. That means that corporations actually control those policies.
On the flip side, there might be a whole set of devices that are not even authorized for use by the corporation, but because the individual is using known credentials, such as user ID and password, there is really nothing to stop them from using another device. People will definitely find ways to circumvent rules around that, especially with regards to IoT and BYOD.
Healthcare Data Breaches
One of the things we have observed in the healthcare space is that the security mechanisms that are usually put in place are from the compliance standpoint only. IT and security are not part of their core business, and they usually implement only what is mandated by legislation or regulation. It is a very heavily regulated industry, and as long as there are regulations guiding a certain aspect of their business, they will only do that and no more.
That has been one of the biggest shortcomings in the healthcare sector, which has left them vulnerable to cyberattacks. We are trying hard to educate the health business owners to seriously look at their IT security because as an organization, they are completely accountable for any risks that would lead to the compromise of their patients’ personal information. They also have to take a deeper look at where the security exploits come from, and consider ways of implementing additional best practices, such as those the manufacturing industry and other industries have already put in place.
Dark Web Impact
Stolen credit card information usually goes for less than health care information on the Dark Web. As such, hackers will intensify their efforts to get the information that will get them the maximum value. There has definitely been an uptick with regards to the healthcare sector. Hacks have been occurring with more frequency in that sector, and others. Organizations are also starting to be more forthcoming with information regarding data compromise or hacks.
We have just started our push into the federal space and we are speaking to a number of customers. Right now, we are at different stages of implementation. With some of them, we are at the pilot stage, where we are going live with our solutions.
We have different types of offerings for our federal and enterprise customers. Currently, we are seeing more opportunities around cloud security, for our federal customers. From the enterprise standpoint, our customers include Cool Logic, Sabre and Kimberly-Clark – those kinds of customers. The federal space is where we are looking to expand aggressively. The solutions that we have right now are exactly what federal organizations are looking for.
We are working towards FedRAMP compliance, but we support it from a products standpoint and a managed service standpoint. From a compliance management standpoint, as other organizations want to implement our solutions, our products already support the FedRAMP regulations.
This means when organizations adopt a particular cloud security provider, we help them figure out the types of security controls they need to implement. They need a mechanism to control privileged access, one to ensure strong authentication – we have built all those control mandates into our system.
We are still working towards FedRAMP compliance from a products standpoint, and it will be available in the next one to two quarters, at the most.
Speaker: Amit Saha, Chief Operating Officer at Saviynt
Amit manages Business Development at Saviynt, which includes driving the technology strategy, alliances and go-to-market planning. He also manages strategic customer and partner relationships. He has over 16 years of experience in IT Security, Identity & Access Management and GRC and has participated in various thought leadership forums at SAP Insight, Oracle Open World, CA World, Novell Brainshare, etc. He has previously held Security and IAM practice leadership positions at Infosys Limited and HCL Technologies, where he engaged several Fortune 100 clients to develop solutions that address their enterprise security and compliance objectives. He was also responsible for driving the practices’ growth strategy and partnerships.
Saviynt is an innovative leader in providing an application, data and infrastructure access governance and intelligence platform for Cloud and Enterprise. Saviynt uniquely delivers IGA 2.0 by integrating advanced usage & risk analytics with fine-grained privilege management. The solution secures critical apps and data on Cloud (Office 365, Box, Salesforce, Workday), Enterprise (SAP, Epic, Oracle EBS) and IaaS platforms (AWS, Azure). Saviynt’s completely managed IDaaS platform ensures a worry-free adoption of IAM services such as data access policies, privileged user monitoring & management, advanced Role & SOD management, risk-based access request & certification, firefighter & emergency access management, and a controls library to secure critical enterprise assets.