Detecting and managing unauthorized use of cloud computing

Want to know if developers or sales executives are moving data to the cloud? Here are three tools that can help.


While most of you might know if you've deployed any applications or data into the cloud, here's a little tip: If you have developers with credit cards, you're in the cloud. Here's another tip: If you have any sales executives who call the helpdesk less than once a month, and they have a credit card, you are in the cloud.

One of the top issues facing organizations today isn't necessarily if they should adopt some degree of cloud computing services or not, but if they can effectively, and safely, manage their migration to the cloud. Too many organizations find out too late that some business unit or developer transferred important enterprise data or applications to the cloud without going through "proper channels."  And it's hard to blame them when a developer can spin up a test system in a few minutes with their credit card vs. spending months provisioning a new system in a data center they probably won't be able to directly manage anyway.

As for those sales executives: Never underestimate the appeal of free online services that help them more easily exchange and manage information while they're on the road or working from their home computer.

These challenges can be broken up into two categories: Developers and IT professionals leveraging the cloud as an extended data center/test environment, and users adopting free/easy cloud services to help them more efficiently tackle their day-to-day work. Neither are bad, and users aren't necessarily purposely violating policies (if they exist), but for those of us in security, it's important to gain visibility into -- and where needed, control of -- these migrations.

There are three tools that are particularly helpful in detecting and potentially managing use of cloud computing:

* URL filtering.  While most organizations use this tried and true technology to control inappropriate Web browsing like adult materials or unauthorized social media services, the tools can easily detect many forms of cloud access. Effectively all cloud services use the Web as their primary management interface. Even most API calls go over HTTP to known URLs and are thus straightforward to detect. This is true across the SPI (SaaS, PaaS, IaaS) tier, and since the management interfaces are different from those that merely connect to a site hosted at the service, you shouldn't be inundated with false positives. URL filters can give you a good sense of who is hitting these management consoles and API interfaces, at least for major services.

* Data loss prevention. DLP is less concerned with the destination, and more concerned with the content. And all full DLP tools support analysis of HTTP, even looking inside SSL sessions if you have the supporting platform and configuration. Basic DLP rules should easily detect sensitive data leaving your organization, to the cloud or otherwise. You can further tune these for cloud-specific concerns by accounting for the context, such as the destination.

* Database activity monitoring. Many of you are less concerned with an employee posting a document or two onto Google Docs, and are far more concerned with a developer moving production data into a cloud-based development environment. Database Activity Monitoring can detect dumps of major production databases, which could indicate a potential move to either an internal or external test environment. Anytime you see a new, large data extract, it's probably something to look at. If that user has also hit a URL for a cloud provider, it's time for a closer look.

These are just the basics; there are probably plenty of other tools in your existing quiver to help improve visibility into cloud usage and migration of sensitive data. Anytime you see someone hitting cloud services management consoles, or pulling big data extracts, it's time to track the smoke and see if there's fire.

About the author:
Rich Mogull has nearly 20 years experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats, to risk management frameworks, to major application security.

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices