The Less Known Risks of Running the Enterprise at Cloud Speed Sekhar Sarukkai VP & Fellow, Cloud BU, McAfee


The Less Known Risks of Running the Enterprise at Cloud Speed

Sekhar Sarukkai

VP & Fellow, Cloud BU, McAfee

87% of companies experience business acceleration from their use of cloud services.

Source: McAfee Cloud Adoption Report: Business Growth Edition, June 2019

Customer Drivers for Cloud Adoption

Shadow SaaS, Approved SaaS, IaaS/PaaS

Faster Collaboration

Faster Time to Market

Higher Employee Satisfaction


Mapping ECC To Cloud Computing

• Domain 4 Specifically Covers Cloud Computing

• Other Domains Also Relevant

• You Need Control of Data

• To Clouds

• From Clouds

• Between Clouds

• Cloud Configuration

• Cloud Security Is A Shared Responsibility

How Companies Benefit from the Cloud

The three most common benefits:

• 59% Higher-performance IT Infrastructure

• 57% IT Cost Reduction

• 52% Improved Security

What benefits does your organization experience from its overall use of cloud services?


How Companies Benefit from the Cloud

Business acceleration measures (chart labels): More Efficient Collaboration, Improved Employee Productivity, Business Growth, Faster Time to Market, Higher Employee Satisfaction, Ability to Launch New Products, Expansion to New Markets

Chart values: 44%, 43%, 41%, 37%, 33%, 30%, 29%

What benefits does your organization experience from its overall use of cloud services?

How Companies Benefit from the Cloud with Infrastructure-as-a-Service (IaaS)

Business acceleration measures (chart labels): More Efficient Collaboration, Improved Employee Productivity, Business Growth, Faster Time to Market, Higher Employee Satisfaction, Ability to Launch New Products, Expansion to New Markets

Chart values, in the order extracted: 36%, 37%, 36%, 43%, 46%, 47%, 51%

What benefits does your organization experience from its overall use of cloud services?


Companies do more with the cloud when they protect their data with a CASB

Source: McAfee Cloud Adoption Report: Business Growth Edition, June 2019

Excluding Shadow IT

Where is enterprise sensitive data in the cloud?

Pie chart segments: Salesforce, Office 365, Google Docs, Slack, AWS, Custom Apps, Box, ServiceNow, High-Risk Shadow, Med/Low-Risk Shadow

Segment values, in the order extracted: 31%, 13%, 11%, 16%, 8%, 5%, 5%, 7%, 2%, 2%

Cloud Data Breaches - Why

1. Not Malware

Cloud based data breaches are not typically due to Malware

2. Traditional Solutions don’t Work

Traditional ways of identifying threats and breaches are not sufficient

3. Data Loss

Cloud Speed Attacks Result in Cloud Scale Data Loss

Collaboration SaaS, 42%

The Cloud (First) Enterprise Challenges

1. Data Creation and Access in the Cloud Bypasses Existing Network Security Infrastructure

Diagram labels: Network Controls, SaaS, IaaS/PaaS, Cloud-to-Cloud traffic, 95% of Network Traffic

The Cloud (First) Enterprise Challenges

2. Customers Are Still Responsible for Security

Cloud Shared Responsibility Model

Diagram columns: SaaS, PaaS, IaaS

Diagram legend: Service Provider Responsibility, Customer Responsibility

Diagram layers:

• Data Classification & Accountability

• Client & End-Point Protection

• Identity & Access Management

• Application Level Controls

• Network Control

• Host Infrastructure

• Physical Security

Cloud Security 360° Shared Responsibility Model

Diagram columns: SaaS, PaaS, IaaS

Diagram legend: Service Provider Responsibility; Service Provider feature, enterprise configuration; Enterprise Responsibility; User Responsibility

Diagram layers:

• Data Classification & Accountability

• End-Point Protection

• Identity & Access Management

• Application Level Controls

• Network Control

• Host Infrastructure

• Physical Security & Connectivity

Additional diagram labels: User/Device/Data control, Collaboration control

© McAfee 2019. OK for reuse if unedited

“Through 2020, 95% of cloud security failures will be the customer’s fault.”

Gartner Magic Quadrant for CASB—2017

How Data Exfiltrates from the Cloud: Some Examples

Maria—Sharing and Collaboration

Diagram labels: Partner Office 365, GetItDone Office 365

Collaboration puts confidential data at risk

Sensitive Data in the Cloud – When Sharing isn’t Caring

22% of cloud users share files

Chart values: 2016: 17%, 2017: 18%, 2018: 22%

Sensitive Data in the Cloud – When Sharing isn’t Caring

48% of all files in the cloud are shared with at least one other person

Chart values: 2016: 43%, 2017: 47%, 2018: 48%

Collab SaaS Use Cases

1. Data Protection

Prevent sensitive data from being stored and shared externally

2. Advanced Threat Protection

Detect Malware, compromised accounts, insider/privileged threats

3. Contextual Access Control

Block sync/download of corporate O365 data to personal devices

Collaboration SaaS, 42%

Maria—Using Connected Apps

Connected Apps are potential vehicles for Data Leaks

Diagram label: EasyCast

Business SaaS Use Cases

1. Compliance Management

Discover where your confidential data is inside structured applications

2. Data Exfiltration

Protect report data from being exfiltrated and enable encryption with customer managed keys

3. Threat Protection

Identify insider and external threats

Business SaaS, 24%

Sam—Shadow IaaS

IaaS/PaaS

Diagram labels: Account 1,2 3; Account 4,5; Account 6,7,8

Account drift as developers create dev and test accounts over time


The average company has 70 custom apps running in IaaS

Please estimate how many applications your organization runs in IaaS

Sam—Unsecure IaaS/PaaS Configuration

IaaS/PaaS

Configuration drift as developers misconfigure their IaaS/PaaS instances

• Storage Bucket Encrypted

• Storage Bucket Closed

• Port Configuration

• Firewall rules


Sam— Top 10 Unsecure IaaS/PaaS Configuration Problems

IaaS/PaaS

1. EBS Data encryption is not turned on

2. There’s unrestricted outbound access

3. Access to resources is not provisioned using IAM roles

4. EC2 security group port misconfigured

5. EC2 security group inbound access misconfigured

6. Unencrypted AMI

7. Unused security groups

8. VPC Flow logs disabled

9. Multi-factor authentication not enabled for IAM users

10. S3 bucket encryption not turned on
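
A minimal drift check for items 1, 2, 5, 7, 8 and 9 of the list above, added here as an example and not taken from the slides or from any McAfee product. It runs offline over a constructed inventory snapshot; the snapshot layout and the `attached`, `flow_logs` and `mfa_devices` keys are assumptions, while the volume and security-group fields follow the EC2 `describe_*` response shapes.

```python
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample inventory. Encrypted, IpPermissions, IpPermissionsEgress,
# IpRanges/CidrIp and Ipv6Ranges/CidrIpv6 follow EC2 describe_* response shapes;
# the layout and the attached, flow_logs and mfa_devices keys are assumptions.
SNAPSHOT = {
    "volumes": [{"VolumeId": "vol-aaa", "Encrypted": False},
                {"VolumeId": "vol-bbb", "Encrypted": True}],
    "security_groups": [
        {"GroupId": "sg-web", "attached": True,
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": ANY_V4}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1",
                                  "IpRanges": [{"CidrIp": ANY_V4}]}]},
        {"GroupId": "sg-old", "attached": False,
         "IpPermissions": [], "IpPermissionsEgress": []},
    ],
    "vpcs": [{"VpcId": "vpc-1", "flow_logs": []}],
    "iam_users": [{"UserName": "sam", "mfa_devices": []}],
}

def world_open(perms):
    """True if any rule admits the whole IPv4 or IPv6 address space."""
    v4 = any(r.get("CidrIp") == ANY_V4 for p in perms for r in p.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for p in perms for r in p.get("Ipv6Ranges", []))
    return v4 or v6

def audit(snap):
    """Return sorted (slide_item, resource_id) findings; a missing field counts as a failure."""
    out = []
    for v in snap.get("volumes", []):
        if not v.get("Encrypted", False):                  # item 1: EBS encryption off
            out.append((1, v["VolumeId"]))
    for g in snap.get("security_groups", []):
        if world_open(g.get("IpPermissionsEgress", [])):   # item 2: unrestricted outbound
            out.append((2, g["GroupId"]))
        if world_open(g.get("IpPermissions", [])):         # item 5: inbound open to all
            out.append((5, g["GroupId"]))
        if not g.get("attached", False):                   # item 7: unused security group
            out.append((7, g["GroupId"]))
    for vpc in snap.get("vpcs", []):
        if not vpc.get("flow_logs"):                       # item 8: VPC flow logs disabled
            out.append((8, vpc["VpcId"]))
    for u in snap.get("iam_users", []):
        if not u.get("mfa_devices"):                       # item 9: no MFA device
            out.append((9, u["UserName"]))
    return sorted(out)

if __name__ == "__main__":
    for item, rid in audit(SNAPSHOT):
        print(f"item {item}: {rid}")
```

Running the same audit on successive snapshots and comparing the findings shows drift over time rather than a single point-in-time state.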

Average organization has 14 misconfigured IaaS services running at a given time

Source: McAfee Cloud Adoption Report, Nov 2018

IaaS Security Use Cases

1. Managing Drift

Identify IaaS resources with security settings that are non-compliant

2. Visibility of Confidential Data

Visibility of regulated/high-value data stored in S3/Azure Blobs

3. Advanced Threat Protection

Detect compromised accounts, privileged user threats, malware

IaaS, 24%

Shadow IT Use Cases

1. Discover & Govern

Discover & Coach on use of high risk

2. Conditional Access Control

Activity and Instance based access control

3. Data Loss Prevention

Prevent data exfiltration to medium risk services

Shadow IT

MVISION Cloud—100% Cloud Security Coverage

Source: McAfee Cloud Adoption Report, Nov 2018

Pie chart: Collaboration SaaS, 42%; Business SaaS, 24%; IaaS, 24%; Shadow IT, 10% (two 5% segments)


McAfee MVISION Cloud protects ALL customer data in the cloud

MVISION Cloud

Enterprise SaaS

Long Tail SaaS


McAfee MVISION Cloud protects ALL customer data in the cloud

Common Security Services

Compliance & Risk Assessment

Shadow Apps

Reporting Orchestration

DLP

Access Control Encryption

Config Audit Classification

Data Protection

Activity Monitoring

Malware Protection, UEBA

Threat Protection

Enterprise SaaS

Long Tail SaaS

CASB Connect APIs

Cloud Native IaaS/PaaS

Lift & Shift Apps

CASB Reverse Proxy


Unified Cloud Edge

Unified Data and Threat Protection

DLP

SWG CASB

MVISION ePO

DEVICES

FEATURES

CLOUD

DATA

BENEFITS

Centralized Policy Definition

For threat prevention and data protection

Unified Incident Management

Access Control

Over managed and unmanaged devices

Cloud Data and Permission Controls

Via APIs integrations

Acceptable Use Policy Enforcement

With advanced malware protection.

Other names and brands may be claimed as the property of others.


MVISION Cloud

Unmanaged Managed

SaaS IaaS/PaaS Shadow

▪ Data Security

▪ Threat Protection

Control

▪ What: Data, Device, App

▪ Who

▪ Where

▪ When

Visibility

Adopt a CASB Platform

Companies are more likely to experience business acceleration when they protect their data with a CASB

Source: McAfee Cloud Adoption Report: Business Growth Edition, June 2019

Chart legend: With CASB, Without CASB

Chart values, in the order extracted: +15%, +11%, +32%, +36%, +45%, +40%, +38%


Mapping ECC To Cloud Computing – Paper Available

Cloud Security Recap

• Cloud requires new thinking and a new platform for data security

• Embrace a cloud native approach

• Do it now!! Get a cloud security assessment done


McAfee, the McAfee logo and are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others.

Copyright © 2018 McAfee, LLC.