Going under the radar

04 June 2021

Paolo Passeri, cyber intelligence principal at Netskope

It is no secret that cloud is at the heart of modern IT and digital transformation, enabling a lot of freedom – freedom to do things when we want, where we want.

However, it does come with a price. Opening systems up to be accessed from anywhere, on any device, has blurred the lines of control and access, and as much as 50% of an organisation's traffic can go unseen by legacy security defences.


From technological concept to technical reality

According to findings in Netskope’s February 2021 Netskope Cloud and Threat Report, the number of cloud apps in use per organisation increased 20% in 2020. It found that organisations with 500 - 2,000 employees now use, on average, 664 distinct cloud apps per month.

This mass adoption of cloud was well under way a year ago, but over the past 12 months, cloud services have proved themselves to be invaluable. When 2020 arrived, CIOs found cloud to be a conveniently rapid and outsourced method of responding to the immediate challenges of mobility and the multichannel provision of resources and business tools – critical just to enable business as usual to continue during the pandemic. The result of lockdown, and the hasty adoption of cloud, is an unprecedented number of people working outside of traditional organisational IT perimeters and therefore outside of the protection of traditional security defences.

At the beginning of the pandemic, the primary concern was to provide business continuity and enable everyone who could to work from home; security considerations were secondary. Traditional security strategies tend to focus on protecting the data centre and the network, so the overnight relocation of employees and applications outside of that perimeter left sensitive data at serious risk of falling into the wrong hands.

Cybercriminals are smart and move quickly when they spot a weakness or an opportunity. The rapid growth in cloud adoption, without cloud security strategies being implemented at the same pace, has left the door open for cybercriminals to abuse popular cloud services. Over the past year they have used many techniques to evade legacy security defences, hosting phishing pages and malware on trusted cloud apps that those defences implicitly allow: 61% of all malware is now delivered via a cloud app, up from 48% the previous year, and cloud apps are the target of more than one in three (36%) phishing campaigns.

Because the endpoint can be compromised through personal traffic, such as a phishing email received in a personal mailbox or malware picked up while visiting a non-business website, these attacks can have devastating consequences for businesses. Put simply, a compromised endpoint can be used as a foothold to break into an organisation's systems.

Another danger is that, as work and home life continue to blend, it is now much more common for employees to use the same device, whether it’s personal or corporate, to access both personal and business content in both personal and business instances of cloud applications. Some 83% of users are accessing personal apps on corporate devices, and the average enterprise user uploads 20 files to personal apps each month from the same managed devices. This is leading to a growth of sensitive data in personal apps, greatly increasing the likelihood of data being mishandled or leaked.

Behind these risks is a very simple technical reality: the Internet has changed. Cloud activity now represents 53% of secure web gateway traffic, and that traffic is no longer HTML pages but API calls, typically JSON over HTTPS. It is everywhere, and to be effective, any security tool needs to be able to interrogate API and JSON data (which most legacy systems cannot do) and to make sense of both content and context: what is being moved, and to which app, which instance of that app and by which user.


What needs to be done?

Today, the majority of companies subscribe to, or maintain, security solutions that secure less than 50% of their traffic. They are limited to policing HTML web traffic, but if we are to secure the cloud, we need an understanding of these new API languages. Because of the nature of cloud access, this is something that can only be done in the cloud, via the cloud: a URL or domain filter alone cannot police the movement of data between a personal and a corporate instance of the same cloud app, because both instances live on the same domain and differ only in the API context of each request. Businesses need visibility of the content and context of cloud application use, and the ability to apply granular policy controls, if they want to make use of the productivity tools that are central to their IT without leaving themselves exposed to attack by cybercriminals.
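To make the content-and-context point concrete, here is an added Python example written for this article; it is not code from the original piece or from Netskope. It contrasts a legacy domain-allowlist decision with a policy that parses the API request: the app domain, the `X-Tenant-Id` header, the JSON body layout and the two-pattern content classifier are all invented for illustration, and the sample requests are constructed, not captured traffic.

```python
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical SaaS app used for the example (not a real product's API).
ALLOWED_DOMAINS = {"drive.example-saas.test"}
# Tenants the organisation owns; anything else is treated as a personal instance.
CORPORATE_TENANTS = {"acme-corp"}

# Toy content classifier: a "CONFIDENTIAL" marker or a 16-digit card-like number.
SENSITIVE_PATTERNS = [
    re.compile(r"\bCONFIDENTIAL\b"),
    re.compile(r"\b(?:\d[ -]?){15}\d\b"),
]


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def legacy_url_policy(req: Request) -> str:
    """Domain filtering as a legacy secure web gateway does it.
    It never looks inside the request, so it cannot tell which
    instance (tenant) of the app the user is talking to."""
    host = urlparse(req.url).hostname or ""
    return "allow" if host in ALLOWED_DOMAINS else "block"


def is_sensitive(text: str) -> bool:
    return any(p.search(text) for p in SENSITIVE_PATTERNS)


def api_aware_policy(req: Request) -> str:
    """Content plus context inspection of an API call.

    Context: which app instance (tenant) and which activity (upload).
    Content: what is inside the file being uploaded.
    The X-Tenant-Id header and the JSON shape are assumptions for this example."""
    host = urlparse(req.url).hostname or ""
    if host not in ALLOWED_DOMAINS:
        return "block"
    if req.method != "POST" or not req.body:
        return "allow"  # browsing or reading; nothing leaves the organisation
    try:
        payload = json.loads(req.body)
    except ValueError:
        return "block"  # fail closed: an upload endpoint we cannot parse
    if payload.get("action") != "upload":
        return "allow"
    tenant = req.headers.get("X-Tenant-Id", "")
    if tenant in CORPORATE_TENANTS:
        return "allow"  # corporate instance: sanctioned destination
    # Personal instance: ordinary personal use is fine, sensitive content is not.
    return "block" if is_sensitive(payload.get("content", "")) else "allow"


def _upload(tenant: str, name: str, content: str) -> Request:
    body = json.dumps({"action": "upload", "name": name, "content": content})
    return Request("POST", "https://drive.example-saas.test/api/v1/files",
                   {"X-Tenant-Id": tenant}, body.encode())


# Constructed sample traffic: same domain, same API path, different tenants.
CORP_UPLOAD = _upload("acme-corp", "q3.xlsx", "CONFIDENTIAL forecast")
PERSONAL_UPLOAD = _upload("jane-personal", "q3.xlsx", "CONFIDENTIAL forecast")
PERSONAL_PHOTO = _upload("jane-personal", "cat.jpg", "holiday photo")


def evaluate(req: Request) -> dict:
    """Return both verdicts side by side for one request."""
    return {"legacy": legacy_url_policy(req), "api_aware": api_aware_policy(req)}


if __name__ == "__main__":
    for label, req in [("corporate upload", CORP_UPLOAD),
                       ("personal upload of confidential file", PERSONAL_UPLOAD),
                       ("personal upload of photo", PERSONAL_PHOTO)]:
        print(f"{label}: {evaluate(req)}")
```

The legacy policy allows all three uploads because they share one allowed domain; only by decoding the JSON body and the tenant context can the upload of confidential content to the personal instance be blocked while the identical file going to the corporate instance, and harmless personal use, are allowed.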

It is clear that the lines of control and access have blurred and that the user is the new perimeter. This realisation is the primary driver behind the growing adoption of a SASE (Secure Access Service Edge) architecture, a model that converges network-as-a-service and security-as-a-service and enforces security policy at the edge, where users access and manipulate data, whether on a website or in a cloud application and regardless of the access method.

Now that remote working has become established, business stakeholders and IT teams must work together to enable an agile remote workforce without sacrificing productivity, user experience or security. Moving from a perimeter defined by a physical boundary to a user-centric approach does not need to pose new risks to organisations. In the new architectural model, security is enforced at the access edge, regardless of the access method or device classification (corporate or personal), so organisations can bring all of their traffic, not just half of it, under inspection and protect 100% of their data.