Associate Editorial Director
Published: 01 Nov 2016
Cloud services can introduce more risk into an enterprise, especially in the financial services industry, but financial services company Western Union has embraced cloud services full bore.
Rather than block employees from using third-party cloud applications and services, Western Union rolled out a strategy to help its workforce take advantage of them. The strategy, dubbed Western Union Information Security Enablement, or WISE, involved bringing shadow cloud services into the light, approving them for official use and adding the necessary controls and policies to secure them.
Mike Bartholomy, senior manager of information security at Western Union, spoke at Black Hat 2016 about WISE and the Western Union security philosophy. Information Security magazine caught up with Bartholomy at the show and discussed how his team works to secure cloud services and decides which services are worth approving and implementing, and which ones aren't. Here are excerpts from the conversation.
Western Union has embraced the use of secure cloud services and decided not to systematically block them. How did the company come to this approach?
Mike Bartholomy: You can't block everything. I know some companies do block a lot of cloud apps and services, but different companies have different risk appetites. I've always been a believer in helping the user. We have a staff that is about 60% millennials right now. They're using Snapchat in their personal lives, and they want to use that kind of stuff in their jobs. We felt that was a better approach than to try to ban and block everything. So part of my job is to make sure they can use those cloud services in a safe and secure way.
Financial services companies are big targets for cybercriminals and APT [advanced persistent threat] groups. And they don't always have the biggest risk appetites. So how do you convince management that it is a better approach to approve and secure cloud services instead of rejecting and blocking them?
Bartholomy: It's a challenge. A big part of what my team does is evangelize. We try to explain that adding these services will help employees and help productivity. And we also explain there are a lot of options that we can work with. A lot of cloud services started at the consumer level and have worked their way up to the enterprise. And they have enterprise security features now; you look at cloud services like Salesforce, Box and others, and you see how they've built up their security services to help enterprise adoption. So we tell them it's better to approve these cloud services and enable them for users rather than block them because [users] may move to something newer that isn't blocked and is a lot less secure.
How does the Western Union security program work in terms of approving and implementing cloud services?
Bartholomy: We started WISE a few years ago, and the idea behind it was to have information security drive what was happening with technology within the company. And WISE has a cloud security component that's focused on making it easier for the user to take advantage of cloud services while securing those services and protecting the data that moves through them. This covers both the cloud apps and services that we approve and shadow IT.
That's actually where we started -- we looked at where our risk was in terms of employees using shadow IT in the cloud. And, sure, a lot of cloud services have built up their enterprise security capabilities, but there are a lot of cloud services that don't have any terms and conditions, for example.
After looking at the shadow IT services, we then moved to services we wanted to sanction as approved cloud services. We look at the individual service and determine what kind of security controls it already has and what it may need. We also look at what kind of data might be flowing through that app, what data would be considered sensitive and how we want to govern that sensitive data. So we develop a policy for that cloud service, and we use our CASB [cloud access security broker] as a control point for that policy. And depending on the cloud service, we may layer our internal DLP [data loss prevention] system on top of that if there are compliance requirements, for example.
Again, the idea is to quickly get these services approved and secured so that employees can be productive and we can make sure they're using secure cloud services instead of ones that are [riskier].
When it comes to employee usage of cloud services, what are you seeing in terms of risk? Do you see accidental insider threats such as employees unintentionally exposing data through a cloud service, or do you see instances where they are intentionally misusing a service and putting data at risk?
Bartholomy: We see both. We see malicious insider threats and we see accidental insiders that are just users who do dumb things. That's part of the reason we use a CASB like Skyhigh [Networks]. We want to be able to monitor employee usage of cloud services to make sure people aren't misusing them or accidentally doing something they shouldn't be doing. And having a CASB platform gives us that visibility and granular data we need to protect against both kinds of insider threats.
What about mobile devices? If employees are interacting with those services via mobile apps, does that make usage harder to monitor?
Bartholomy: It does. And it's even more complicated with employee-owned devices because then we can't have a mandatory application on a personal device. And if it's a company-owned device, you can have some type of agent on it. But an agent is difficult too because it can affect performance. So it's a complicated issue, and it's something we're working on right now.