Cloud migrations and SaaS adoption have skyrocketed during the pandemic. In fact, a recent survey shows that the pandemic caused 40% of businesses to accelerate their move to the cloud. Companies rely on the flexibility of these platforms and tools to increase productivity regardless of employee location.
Organizations also often connect these applications to critical business processes to transfer valuable customer data, personally identifiable information (PII), financial and other sensitive information to help processes run smoothly. But as more business processes span from on-premises to the cloud, companies are starting to lose visibility into the risk of their interconnected application ecosystem.
The problem is that, in an interconnected environment, one misconfigured system or security vulnerability can put the entire enterprise at risk, and it is becoming increasingly difficult for IT, cybersecurity, development, and audit teams to understand which applications and services support critical business processes, how they interconnect with each other, and how changes impact compliance, security, and availability.
With remote workforces becoming a long-term reality and organizations embracing the power of working from anywhere, now is the time to ask three key questions to ensure every organization understands what’s at stake and how to mitigate risk.
How can misconfigurations create risk?
Digital transformation processes, combined with a steady increase in the consumption of cloud services and APIs, have made it incredibly easy to integrate and connect two or more different systems from different vendors. But whether you’re looking to interconnect Oracle with SuccessFactors or SAP with Salesforce, APIs can introduce significant risk.
This is because many business applications reflect complex workflows and processes built on complex underlying technology. So, while integrations can be easy, companies are now working with two highly configurable applications fused together. And with greater power comes greater risk. The ability to customize these applications can introduce all sorts of different vulnerabilities that could impact areas such as integrations, authentication, auditing, encryption, user authorization, etc.
To identify these risks, businesses first need to develop a deeper understanding of the underlying technology. The second step is to create an asset map that includes cloud and on-premises assets, to understand which applications are connected to which and what data is being transferred.
Finally, businesses need to rely on security and compliance partners to analyze each application and the data it supports to better understand gaps in protection and compliance. For instance, looking at GDPR for Human Resource data, SOX for financial information, or PCI for credit card information becomes an excellent driver to provide some level of control.
At the end of the day, one of these seemingly minor inconsistencies could jeopardize the entire application and integrity of the data – which still falls on the customer to protect regardless of deployment – so gaining control of configurations is imperative.
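The asset map and regulation mapping described above can be kept as data and queried. The sketch below is an added example, not taken from the article or any vendor: the application names, data classes, and integrations are constructed, and the class-to-regulation table follows the GDPR/SOX/PCI pairing the text gives. It propagates each data class along the integrations that carry it and reports which systems end up in scope for which regulation.

```python
from collections import defaultdict, deque

# Constructed inventory: data classes each system creates itself.
ORIGINATES = {
    "hr-saas": {"hr_pii"},
    "erp-onprem": {"financial"},
    "webshop": {"cardholder"},
    "crm-saas": set(),
    "analytics-cloud": set(),
    "helpdesk-saas": set(),
}

# Constructed integrations: (source, destination, data classes the interface carries).
FLOWS = [
    ("hr-saas", "erp-onprem", {"hr_pii"}),
    ("erp-onprem", "analytics-cloud", {"financial", "hr_pii"}),
    ("webshop", "crm-saas", {"cardholder"}),
    ("crm-saas", "helpdesk-saas", {"cardholder"}),
    ("crm-saas", "analytics-cloud", set()),  # metadata only, no regulated data
]

# Pairing named in the text: GDPR for HR data, SOX for financial, PCI for card data.
REGIME = {"hr_pii": "GDPR", "financial": "SOX", "cardholder": "PCI"}


def propagate(originates, flows):
    """Return {app: data classes it holds} after following every integration.

    A class reaches the destination only if the source holds it AND the
    interface carries it. The worklist runs to a fixed point, so chains and
    cycles of integrations are both handled.
    """
    holds = {app: set(classes) for app, classes in originates.items()}
    out_edges = defaultdict(list)
    for src, dst, carried in flows:
        out_edges[src].append((dst, set(carried)))
        holds.setdefault(src, set())
        holds.setdefault(dst, set())
    queue = deque(holds)
    while queue:
        src = queue.popleft()
        for dst, carried in out_edges[src]:
            new = (holds[src] & carried) - holds[dst]
            if new:
                holds[dst] |= new
                queue.append(dst)  # dst may now pass the data further on
    return holds


def compliance_scope(holds, regime=REGIME):
    """Map each app to the sorted list of regulations its data pulls in."""
    return {app: sorted({regime[c] for c in classes})
            for app, classes in holds.items()}


def inherited_data(originates, holds):
    """Apps holding regulated data they did not create (via integration only)."""
    result = {}
    for app, classes in holds.items():
        extra = classes - originates.get(app, set())
        if extra:
            result[app] = sorted(extra)
    return result


if __name__ == "__main__":
    holds = propagate(ORIGINATES, FLOWS)
    for app, regs in sorted(compliance_scope(holds).items()):
        print(f"{app:16} in scope for: {', '.join(regs) or '-'}")
    print("inherited through integrations:", inherited_data(ORIGINATES, holds))
```

Systems listed by `inherited_data` are the ones most likely to be missing from a per-application compliance review, because nothing in their own configuration says they handle regulated data.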
How can we stay on top of user privileges?
Authorization and access control are the basic building blocks of risk management and internal controls for a business. Knowing who has access to what and enforcing Segregation of Duties (SoD) are vital to ensuring critical functions are dispersed among more than one person or department, mitigating the risk of fraud and error.
However, as businesses shift applications from on-premises to cloud environments and as departments purchase SaaS applications outside of IT’s purview, maintaining an accurate view of privileges becomes difficult. Moreover, bad actors’ ability to impersonate people, which is even more prevalent in the cloud, makes it extremely critical to have tight control of user authorizations across all business applications. From an internal perspective, a lapse in privileges can give an employee or a bad actor the ability to move from application to application with ease.
As some processes span multiple applications, the ability to correlate users is vital for effective control of authorizations and SoD. To combat this complexity further, security teams should also consider looking for technology that provides a broad view of user activity between applications, with the ability to flag anomalous behavior or raise alarms when privileges have been escalated without permission.
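To make the cross-application point concrete, the following added example (not from the article or any product) correlates accounts from two constructed entitlement exports into one identity, applies SoD rules to the combined view, and compares grants against an approved baseline. The application names, roles, rules, and the e-mail normalization used as a correlation key are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed entitlement exports, one per application.
ERP_EXPORT = [
    {"account": "JSMITH", "email": "John.Smith@example.com", "role": "VENDOR_MAINTAIN"},
    {"account": "APATEL", "email": "a.patel@example.com", "role": "VENDOR_MAINTAIN"},
    {"account": "APATEL", "email": "a.patel@example.com", "role": "INVOICE_POST"},
]
PAYMENTS_EXPORT = [
    {"account": "john.smith+pay@example.com",
     "email": "john.smith+pay@example.com", "role": "payment_approver"},
    {"account": "mlee", "email": "m.lee@example.com", "role": "payment_approver"},
]
EXPORTS = {"erp": ERP_EXPORT, "payments": PAYMENTS_EXPORT}

# Application-specific roles mapped to business functions (hypothetical names).
ROLE_TO_FUNCTION = {
    ("erp", "VENDOR_MAINTAIN"): "create_vendor",
    ("erp", "INVOICE_POST"): "post_invoice",
    ("payments", "payment_approver"): "approve_payment",
}

# Pairs of functions one person must not hold together (constructed rules).
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("create_vendor", "post_invoice"),
]

# Constructed baseline of functions each identity was approved to hold.
APPROVED = {
    "john.smith@example.com": {"create_vendor"},
    "a.patel@example.com": {"create_vendor", "post_invoice"},
    "m.lee@example.com": {"approve_payment"},
}


def identity_key(email):
    """Correlation key (assumption): lower-cased e-mail with any +tag removed."""
    local, _, domain = email.strip().lower().partition("@")
    local = re.sub(r"\+.*$", "", local)
    return f"{local}@{domain}"


def build_identity_view(exports):
    """Return {identity: {function: {(app, account), ...}}} across all apps."""
    view = defaultdict(lambda: defaultdict(set))
    for app, rows in exports.items():
        for row in rows:
            function = ROLE_TO_FUNCTION.get((app, row["role"]))
            if function is None:
                continue  # role is not mapped to a controlled function
            view[identity_key(row["email"])][function].add((app, row["account"]))
    return view


def find_conflicts(view, rules=SOD_RULES):
    """List SoD violations; cross_app marks those no single app could reveal."""
    findings = []
    for identity in sorted(view):
        grants = view[identity]
        for first, second in rules:
            if first in grants and second in grants:
                apps_first = {app for app, _ in grants[first]}
                apps_second = {app for app, _ in grants[second]}
                findings.append({
                    "identity": identity,
                    "functions": (first, second),
                    "cross_app": apps_first.isdisjoint(apps_second),
                })
    return findings


def unapproved_grants(view, approved):
    """Functions an identity holds that are absent from its approved baseline."""
    result = {}
    for identity, grants in view.items():
        extra = set(grants) - approved.get(identity, set())
        if extra:
            result[identity] = sorted(extra)
    return result


if __name__ == "__main__":
    view = build_identity_view(EXPORTS)
    for finding in find_conflicts(view):
        print(finding)
    print("not in baseline:", unapproved_grants(view, APPROVED))
```

Running `find_conflicts` on the ERP export alone reports only the in-application conflict; the vendor-creation plus payment-approval combination appears only once the two accounts are resolved to the same person.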
What’s the key to ensuring continuous compliance?
Gartner is projecting a significant jump in data privacy regulations – from 10% of the world covered in 2020 to 65% in 2023. This can be challenging for businesses running a web of interconnected on-premises, cloud-based, and SaaS applications, many of which are heavily regulated to ensure PII and financial data are protected.
Traditionally, audit teams responsible for ensuring regulatory standards perform manual checks to ensure compliance. Today, different business lines such as HR often use SaaS applications like SuccessFactors and Workday, which complicates manual processes: because the applications are often connected to each other, audit teams struggle to find one source of truth. These manual audits can take countless hours between screenshots and Excel spreadsheets, cost hundreds of thousands of dollars, and only show the results of a “point-in-time” check.
Automation is the key to simplifying and streamlining these cumbersome tasks. A good solution can intelligently analyze connections between applications to get a full sense of where compliance errors originate and how to fix them. It can also push organizations toward a level of “continuous compliance,” allowing them to streamline the most critical controls across business applications to save time and money, while capturing the evidence that auditors mandate for different compliance regulations.
SaaS and cloud applications have become key factors in digital transformation and enable employees to become more efficient regardless of their working location. However, these same applications open up critical compliance and security risks that could put a company in the headlines and expose it to significant fines if not addressed correctly. As companies continue to rush to SaaS, they must ask themselves these key questions to help mitigate risk, bolster security, and remain continuously compliant.
Cohesity announced the results of a survey of 500 IT decision makers in the United States that highlights critical IT and data management challenges midsize and enterprise organizations are facing as companies prepare for 2021.
The survey included 250 respondents from midsize companies ($100M-$1B in revenue) and 250 from enterprise organizations ($1B+ in revenue).
Some of these challenges came to light as companies answered questions about their appetite for Data Management as a Service (DMaaS). With a DMaaS solution, organizations do not have to manage data infrastructure – it is managed for them.
DMaaS provides organizations with easy access to backup and recovery, disaster recovery, archiving, file and object services, dev/test provisioning, data governance, and security – all through one vendor in a Software as a Service (SaaS) model.
IT budgets are being slashed: Seventy percent of respondents state their organization is being forced to cut the IT budget in the next 12 months. Around a third of respondents have to cut the IT budget by 10-25 percent, a tenth have to cut it by a whopping 25-50 percent.
Verticals facing the largest cuts on average: technology (20 percent), education (18 percent), government/public sector (16 percent).
Many midsize companies are struggling to compete against larger enterprises because of inefficient data management: 27 percent of respondents from midsize companies say they have lost 25-50 percent of deals to larger enterprises because larger enterprises have more resources to manage and derive value from their data.
Even worse, 18 percent of respondents from midsize companies claim to have lost 50-75 percent of deals to larger enterprises for the same reason.
Organizations are spending inordinate amounts of time managing data infrastructure: Respondents say IT teams, on average, spend 40 percent of their time each week installing, maintaining, and managing data infrastructure. Twenty-two percent claim their IT team spends 50-75 percent of time each week on these tasks.
Technology is needed that makes it easier to derive value from data while also reducing stress levels and employee turnover: When respondents were asked about the benefits of deploying a DMaaS solution versus spending so much time managing data infrastructure, 61 percent cited an ability to focus more on deriving value from data which could help their organization’s bottom line, 52 percent cited reduced stress levels for IT teams, and 47 percent are hopeful this type of solution could also reduce employee turnover within the IT team.
“Research shows IT leaders are anxious for comprehensive solutions that will enable them to do more with data in ways that will help boost revenues and provide a competitive advantage at a time when they are also facing budget cuts, burnout, and turnover.”
The growing appetite for technology that simplifies IT and data management
As businesses look to simplify IT operations, be more cost efficient, and do more with data, respondents are very optimistic about the benefits of DMaaS, which include:
- Cost predictability: Eighty-nine percent of respondents say their organization is likely to consider deploying a DMaaS solution, at least in part, due to budget cuts.
- Helping midsize companies win more business: Ninety-one percent of respondents from midsize companies believe deploying a DMaaS solution will enable their organizations to compete more effectively against larger enterprises that have more resources to manage data.
- Saving IT teams valuable time: Respondents who noted that their IT teams spend time each week managing IT infrastructure believe those teams will save, on average, 39 percent of their time each week if their company had a full DMaaS solution in place.
- Doing more with data: Ninety-seven percent of respondents believe DMaaS unlocks opportunities to derive more value from data using cloud-based services and applications. Sixty-four percent want to take advantage of cloud-based capabilities that enable them to access and improve their security posture, including improving anti-ransomware capabilities.
- Alleviating stress and reducing turnover: Ninety-three percent of respondents believe that deploying a DMaaS solution would enable them to focus less on infrastructure provisioning and data management tasks. Fifty-two percent of these respondents say deploying a DMaaS solution could reduce their team’s stress levels by not having to spend so much time on infrastructure provisioning and management. Forty-seven percent believe deploying a DMaaS solution could reduce employee turnover within the IT team.
Choice is the name of the game for IT in 2021
“The data also pinpoints another important IT trend in 2021: choice is critical,” said Waxman. “IT leaders want to manage data as they see fit.” With respect to choice, respondents stated:
- It’s not one or the other, it’s both: 69 percent of respondents stated their organization prefers to partner with vendors that offer choice in how their company’s data is managed and will not consider vendors that just offer a DMaaS model — they also want the option to manage some data directly.
- Avoiding one-trick ponies is key: Ninety-four percent of survey respondents stated that it’s important to work with a DMaaS vendor that does more than Backup as a Service (BaaS). If the vendor only offers BaaS, 70 percent are concerned they will have to work with more vendors to manage their data and doing so is likely to increase their workload (77 percent), fail to help reduce costs (65 percent), and lead to mass data fragmentation where data is siloed and hard to manage and gain insights from (74 percent).
It was an accomplishment for the ages: within just a couple of days, IT departments hurriedly provided millions of newly homebound employees online access to the data and apps they needed to remain productive.
Some employees were handed laptops as they left the building, while others made do with their own machines. Most connected to their corporate services via VPNs. Other companies harnessed the cloud and software and infrastructure services (SaaS, IaaS).
Bravo, IT! Not only did it all work, businesses and employees both saw the very real benefits of remote life, and that egg is not going back into the shell. Many won’t return to those offices and will continue to work from home.
But while immediate access challenges were answered, this was not a long-term solution.
Let’s face it, because of the pandemic a lot of companies were caught off guard with insufficient plans for data protection and disaster recovery (DR). That isn’t easy in the best of times, never mind during a pandemic. Even those with effective strategies now must revisit and update them. Employees have insufficient home security. VPNs are difficult to manage and provision, perform poorly and are hard to scale. And, IT’s domain is now stretched across the corporate data center, cloud (often more than one), user endpoints and multiple SaaS providers.
There’s a lot to do. A plan that fully covers DR, data protection and availability is a must.
There are several strategies for protecting endpoints. First off, if employees are using company-issued machines, there are many good mobile machine management products on the market. Sure, setting up clients for a volume of these will be a laborious task, but you’ll have peace of mind knowing data won’t go unprotected.
Another strategy is to create group policies that map the Desktop and My Documents folders directly to the cloud file storage of your choice, no matter if it’s Google Drive, OneDrive, Dropbox or some other solution. That can simplify file data protection but its success hinges on the employee storing documents in the right place. And if they keep them on their desktop, for example, they’re not going to be protected.
And right there is the rub with protecting employee machines – employees are going to store data on these devices. Often, insecure home Internet connections make these devices and data vulnerable. Further, if you add backup clients and/or software to employee-owned machines, you could encounter some privacy resistance.
Remote desktops can provide an elegant solution. We’ve heard “this is the year of virtual desktop infrastructure (VDI)” for over a decade. It’s something of a running joke in IT circles, but you know what? The current scenario could very well make this the year of remote desktops after all.
VDI performance in more sophisticated remote desktop solutions has greatly improved. With a robust platform configured properly, end-users can’t store data on their local machines – it’ll be safely kept behind a firewall with on-premises backup systems to protect and secure it.
Further, IT can set up virtual desktops to prevent cut and paste to the device. And because many solutions don’t require a client, it doesn’t matter what machine an employee uses – just make sure proper credentials are needed for access and include multi-factor authentication.
Pain in the SaaS
As if IT doesn’t have enough to worry about, there’s a potential SaaS issue that can cause a lot of pain. Most providers operate under the shared responsibility model. They secure infrastructure, ensure apps are available and data is safe in case of a large-scale disaster. But long-term, responsibility for granular protection of data rests on the shoulders of the customer.
Unfortunately, many organizations are unprepared. A January 2020 survey from OwnBackup of 2,000 Salesforce users found that 52% are not backing up their Salesforce data.
What happens if someone mistakenly deletes a Microsoft Office 365 document vital for a quarterly sales report and it’s not noticed for a while? Microsoft automatically empties recycle bin data after 30 days, so unless there’s a backup in place, it’s gone for good.
Backup vendors provide products to protect data in most of the more common SaaS services, but if there’s not a data protection solution for one your organization is using, make data protection part of the service provider’s contract and insist they regularly send along copies of your data.
When it comes to a significant disaster, highly distributed environments can make recovery difficult. The cloud seems like a clear choice for storing DR and backup data, but while the commodity cloud providers make it easy and cheap to upload data, costs for retrieval are much higher. Also, remember that cloud recovery is different from on-prem, requiring expertise in areas like virtual machines and user access. And, if IT is handling cloud directly and has issues, keep in mind that it could be very difficult getting support.
During a disaster, you want to recover fast; you don’t want to be creating a backup and DR strategy as the leadership grits their teeth due to downtime. So, set your data protection strategy now, be sure each app is included, follow all dependencies and test over and over again. Employees and data may be in varied locations, so be sure you’re completely covered so your company can get back in the game faster.
While IT pulled off an amazing feat handling a rapid remote migration, to ensure your company’s future, you need to be certain it can protect data, even outside of the corporate firewall. With a backup and DR strategy for dispersed data in place, you’ll continue to be in a position to make history, instead of fading away.
Cloud adoption was already strong heading into 2020. According to a study by O’Reilly, 88% of businesses were using the cloud in some form in January 2020. The global pandemic just accelerated the move to SaaS tools. This seismic shift where businesses live day-to-day means a massive amount of business data is making its way into the cloud.
All this data is absolutely critical for core business functions. However, it is all too often mistakenly considered “safe” thanks to blind trust in the SaaS platform. But human error, cyberattacks, platform updates and software integrations can all easily compromise or erase that data … and totally destroy a business.
According to Microsoft, 94% of businesses report security benefits since moving to the cloud. Although there are definitely benefits, data is by no means fully protected – and the threat to cloud data continues to rise, especially as it ends up spread across multiple applications.
Organizations continue to overlook the simple steps they can take to better protect cloud data and their business. In fact, our 2020 Ecommerce Data Protection Survey found that one in four businesses has already experienced data loss that immediately impacted sales and operations.
Cloud data security illusions
Many companies confuse cloud storage with cloud backup. Cloud storage is just that – you’ve stored your data in the cloud. But what if, three years later, you need a record of that data and how it was moved or changed for an audit? What if you are the target of a cyberattack and suddenly your most important data is no longer accessible? What if you or an employee accidentally delete all the files tied to your new product line?
Simply storing data in the cloud does not mean it is fully protected. The ubiquity of cloud services like Box, Dropbox, Microsoft 365, Google G Suite/Drive, etc., has created the illusion that cloud data is protected and easily accessible in the event of a data loss event. Yet even the most trusted providers manage data by following the Shared Responsibility Model.
The same goes for increasingly popular business apps like BigCommerce, GitHub, Shopify, Slack, Trello, QuickBooks Online, Xero, Zendesk and thousands of other SaaS applications. Cloud service providers only fully protect system-level infrastructure and data. So while they ensure reliability and recovery for system-wide failures, the cloud app data of individual businesses is still at risk.
In the current business climate, human errors are even more likely. With the pandemic increasing the amount of remote work, employees are navigating constant distractions tied to health concerns, increasing family needs and an inordinate amount of stress.
Complicating things further, many online tools do not play nicely with each other. APIs and integrations can be a challenge when trying to move or share data between apps. Without a secure backup, one cyberattack, failed integration, faulty update or click of the mouse could wipe out the data a business needs to survive.
While top SaaS platforms continue to expand their security measures, data backup and recovery is missing from the roadmap. Businesses need to take matters into their own hands.
Current cloud backup best practices
In its most rudimentary form, a traditional cloud backup essentially makes a copy of cloud data to support business continuity and disaster recovery initiatives. Proactively protecting cloud data ensures that if business-critical data is compromised, corrupted, deleted or inaccessible, businesses still have immediate access to a comprehensive, usable copy of the data needed to avoid disruption.
From multi-level user access restrictions and password managers to regularly timed manual downloads, there are many basic (even if tedious) ways for businesses to better protect their cloud data. Some companies have invested in building more robust backup solutions to keep their cloud business data safe. However, homegrown backup solutions are costly and time intensive as they require constant updates to keep pace with ever-changing APIs.
In contrast, third-party backup solutions can provide an easier to manage, cost/time-efficient way to protect cloud data. There is a wide range of offerings though – some more reputable and secure than others. Any time business data is entrusted to a third party, reputability and security of that vendor must take center stage. If they have your data, they need to protect it.
Cloud backup providers need to meet stringent security and regulatory requirements so look for explicit details about how they secure your data. As business data continues to move to the cloud, storage limits, increasingly complex integrations and new security concerns will heighten the need for comprehensive cloud data protection.
The trend of business operations moving to the cloud started long before the quarantine. Nevertheless, the cloud storage and security protocols most businesses currently rely on to protect cloud data are woefully insufficient.
Critical business data used to be stored (and secured) in a central location. Companies invested significant resources to manage walls of servers. With SaaS, everything is in the cloud and distributed – apps running your store, your account team, your mailing list, your website, etc. Business data in the backend of each SaaS tool looks very different and isn’t easily transferable.
All the data has become decentralized, and most backups can’t keep pace. It isn’t a matter of “if” a business will one day have a data loss event, it’s “when”. We need to evolve cloud backups into a comprehensive, distributed cloud data protection platform that secures as much business-critical data as possible across various SaaS platforms.
As businesses begin to rethink their approach to data protection in the cloud era, business backups will need to alleviate the worry tied to losing data – even in the cloud. True business data protection means not worrying about whether an online store will be taken out, a third-party app will cause problems, an export is fully up to date, where your data is stored, if it is compliant or if you have all of the information needed to fully (and easily) get apps back up and running in case of an issue.
Delivering cohesive cloud data protection, regardless of which application it lives in, will help businesses break free from backup worry. The next era of cloud data protection needs to let business owners and data security teams sleep easier.
Vectra released its report on Microsoft Office 365, which highlights the use of Office 365 in enterprise cyberattacks. The report explains how cybercriminals use built-in Office 365 services in their attacks.
Attacks that target software-as-a-service (SaaS) user accounts are one of the fastest-growing and most prevalent problems for organizations, even before COVID-19 forced the vast and rapid shift to remote work.
Microsoft dominating the productivity space
With many organizations increasing their cloud software usage, Microsoft has dominated the productivity space, with more than 250 million active users each month. Office 365 is the foundation of enterprise data sharing, storage, and communication for many of those users, making it an incredibly rich treasure trove for attackers.
“Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organization’s network,” said Chris Morales, head of security analytics at Vectra.
“We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviours, social engineering, and identity theft to establish a foothold and to steal data in every type of organization.”
Cost of account takeovers
Even with the increasing adoption of security postures to protect user accounts such as multifactor authentication (MFA), 40 percent of organizations still suffer from Office 365 breaches, leading to massive financial and reputational losses.
In a recent study, Forrester Research put the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.
Highlights from the report
- 96 percent of customers sampled exhibited lateral movement behaviours
- 71 percent of customers sampled exhibited suspicious Office 365 Power Automate behaviours
- 56 percent of customers sampled exhibited suspicious Office 365 eDiscovery behaviours
The report is based on the participation of 4 million Microsoft Office 365 accounts monitored by Vectra researchers from June-August 2020.
A rise in SaaS adoption is prompting concerns over operational complexity and risk, a BetterCloud report reveals.
Since 2015, the number of IT-sanctioned SaaS apps has increased tenfold, and it’s expected that by 2025, 85 percent of business apps will be SaaS-based. With SaaS on the rise, 49 percent of respondents are confident in their ability to identify and monitor unsanctioned SaaS usage on company networks—yet 76 percent see unsanctioned apps as a security risk.
And when asked what SaaS applications are likely to hold the most sensitive data across an organization, respondents believe it’s all apps including cloud storage, email, devices, chat apps, password managers, etc.
Concerns when managing SaaS environments
Respondents also highlighted slow, manual management tasks as a prime concern when managing SaaS environments. IT organizations spend over 7 hours offboarding a single employee from a company’s SaaS apps, which takes time and energy from more strategic projects.
“In the earlier part of the year, organizations around the world were faced with powering their entire workforces from home and turned to SaaS to make the shift with as little disruption to productivity as possible,” said David Politis, CEO, BetterCloud.
“Up until this point, most companies were adopting a cloud-first approach for their IT infrastructure — that strategy has now shifted to cloud only. But SaaS growth at this scale has also brought about challenges as our 2020 State of SaaSOps report clearly outlines.
“The findings also show increased confidence and reliance on SaaSOps as the path forward to reining in SaaS management and security.”
SaaS adoption risk: Key findings
- On average, organizations use 80 SaaS apps today. This is a 5x increase in just three years and a 10x increase since 2015.
- The top two motivators for using more SaaS apps are increasing productivity and reducing costs.
- Only 49 percent of IT professionals are confident in their ability to identify and monitor unsanctioned SaaS usage on company networks—yet more than three-quarters (76 percent) see unsanctioned apps as a security risk.
- The top five places where sensitive data lives are: 1. files stored in cloud storage, 2. email, 3. devices, 4. chat apps, and 5. password managers. But because SaaS apps have become the system of record, sensitive data inevitably lives everywhere in your SaaS environment.
- The top two security concerns are sensitive files shared publicly and former employees retaining data access.
- IT teams spend an average of 7.12 hours offboarding a single employee from a company’s SaaS apps.
- Thirty percent of respondents already use the term SaaSOps in their job title or plan to include it soon.
The report surveyed nearly 700 IT leaders and security professionals from the world’s leading enterprise organizations. These individuals ranged in seniority from C-level executives to front-line practitioners and included both IT and security department roles.
Enterprise resource planning (ERP) systems are an indispensable tool for most businesses. They allow them to track business resources and commitments in real time and to manage day-to-day business processes (e.g., procurement, project management, manufacturing, supply chain, human resources, sales, accounting, etc.).
The various applications integrated in ERP systems collect, store, manage, and interpret sensitive data from the many business activities, which allows organizations to improve their efficiency in the long run.
Needless to say, the security of such a crucial system and all the data it stores should be paramount for every organization.
Common misconceptions about ERP security
“Since ERP systems have a lot of moving parts, one of the biggest misconceptions is that the built-in security is enough. In reality, while you may not have given access to your company’s HR data to a technologist on your team, they may still be able to access the underlying database that stores this data,” Mike Rulf, CTO of Americas Region, Syntax, told Help Net Security.
“Another misconception is that your ERP system’s access security is robust enough that you can allow people to access their ERP from the internet.”
In actual fact, the technical complexity of ERP systems means that security researchers are constantly finding vulnerabilities in them, and businesses that make them internet-facing and don’t think through or prioritize protecting them create risks that they may not be aware of.
When securing your ERP systems you must think through all the different ways someone could potentially access sensitive data and deploy business policies and controls that address these potential vulnerabilities, Rulf says. Patching security flaws is extremely important, as it ensures a safe environment for company data.
Advice for CISOs
While patching is necessary, it’s true that business leaders can’t disrupt day-to-day business activity for every new patch.
“Businesses need some way to mitigate any threats between when patches are released and when they can be fully tested and deployed. An application firewall can act as a buffer to allow a secure way to access your proprietary technology and information during this gap. Additionally, an application firewall allows you to separate security and compliance management from ERP system management enabling the checks and balances required by most audit standards,” he advises.
He also urges CISOs to integrate the login process with their corporate directory service such as Active Directory, so they don’t have to remember to turn off an employee’s credentials in multiple systems when they leave the company.
To make mobile access to ERP systems safer for a remote workforce, CISOs should leverage multi-factor identification that forces employees to prove their identity before accessing sensitive company information.
“For example, Duo sends a text to an employee’s phone when logging in outside the office. This form of security ensures that only the people granted access can utilize those credentials,” he explained.
VPN technology should also be used to protect ERP data when employees access it from new devices and unfamiliar Wi-Fi networks.
“VPNs today can enable organizations to validate that these new/unfamiliar devices adhere to a minimum security posture: for example, allowing only devices with a firewall configured and appropriate malware detection tools installed to access the network. In general, businesses can’t really ever know where their employees are working and what network they’re on. So, using VPNs to encrypt that data being sent back and forth is crucial.”
On-premise vs. cloud ERP security?
The various SaaS applications in your ERP, such as Salesforce and Oracle Cloud Apps, leave you beholden to those service providers to manage your applications’ security.
“You need to ask your service providers about their audit compliance and documentation. Because they are providing services critical to your business, you will be asked about these third parties by auditors during a SOC audit. You’ll thus need to expand your audit and compliance process (and the time it takes) to include an audit of your external partners,” Rulf pointed out.
“Also, when you move to AWS or Azure, you’re essentially building a new virtual data center, which requires you to build and invest in new security and management tools. So, while the cloud has a lot of great savings, you need to think about the added and unexpected costs of things like expanded audit and compliance.”
Could organizations recoup their share of more than $1 billion per quarter by moving away from legacy solutions to cloud-native patch management and endpoint hardening? A new report from Sedulo Group says yes.
The 2020 TCO Study of Microsoft WSUS & SCCM report shows organizations using Microsoft endpoint management for patching and hardening spend nearly 2x as much as organizations using SaaS-based patch management platforms.
Microsoft System Center Configuration Manager (SCCM) and Microsoft Windows Server Update Services (WSUS) currently manage over 175 million endpoints and cost organizations more than $625 million per month to manage versus a cloud-native approach.
The report defines the hidden costs of legacy patching, analyzing several factors that can impact TCO such as the hardware, software, licensing, training, and personnel unique to an organization. Based on this analysis, the hardware requirements and operational costs for WSUS and SCCM have the ability to push the total organizational cost burden to over $6.6 million, or $11 per endpoint per month for typical customers.
The report found that the most significant cost savings were prevalent in “scenarios where multiple OS are in use, or workforces consist of heavily virtualized or entirely remote-based staff.”
“It’s not just operating systems that need to be regularly patched. Almost any piece of software can serve as an attacker’s entry point to a network, and each has its own patching or updating mechanism. It’s almost impossible for an administrator to learn in a timely manner when one of these apps has become vulnerable, and it’s very time-consuming to apply a patch on all instances of an app on the network,” Mitja Kolsek, co-founder of 0patch, told Help Net Security.
“I believe the optimal patching model for today’s organizations with complex, ever-changing network topology, countless software products, and attackers with 0-day and N-day vulnerabilities targeting them, comprises a cloud-based patching service for official vendor updates, combined with a cloud-based micropatching service for fixing critical 0-day vulnerabilities and N-day vulnerabilities on end-of-support systems. I envision future patching services to merge these two complementary concepts and even provide micropatches as an alternative to official vendor updates.”
The report highlights that “selecting a SaaS-based patch management solution over a legacy provider minimizes the risk of financial impact.” Cloud-native patching and endpoint hardening platforms reduce the impact of unplanned expenses and the total cost burden over time while providing greater value than WSUS or SCCM solutions by being able to rapidly deploy patches and easily meet the security needs of hybrid and remote workforces.
“Many organizations lack the ability to properly manage endpoints and are often paying too much for tools that simply cannot deliver enough value,” said Jay Prassl, CEO, Automox. “This study puts a spotlight on the cost burden that on-premise patching solutions create, and how making the switch to a cloud-native platform enables cost savings, increased capabilities, and the scalability today’s ever-changing businesses need to properly secure their workforces.”
Application performance, impacted by network complexity at the edge and in the cloud, is the key enterprise concern this year for organizations implementing SD-WAN, according to Aryaka.
The study surveyed over one thousand global IT and network practitioners at companies across all verticals, headquartered in NA, APAC and EMEA. The survey asked respondents about their networking and performance challenges, priorities and their plans for 2020 and beyond.
“Modern applications are being distributed across on premises data centers, multiple public clouds (IaaS & SaaS) and edge locations. This is creating more complexity and greater dependency on the network to ensure optimal application performance as confirmed by the Aryaka report,” said Bob Laliberte, Sr. Analyst and Practice Director at ESG.
“Organizations need WAN solutions that deliver performance, flexibility and simplicity to overcome that complexity. This is driving interest in managed SD-WAN offerings that combine application optimization and secure connectivity, to any location, from any location, including access and support for remote workers.”
Enterprise complexity at the edge and within the cloud is creating a challenging environment for IT organizations. IT managers identify complexity and slow performance of both on-prem and cloud-based applications as their biggest concerns.
Complexity (37 percent) replaces cost as the number one concern, followed by slow on-prem performance (32 percent) and slow access to cloud and SaaS apps (32 percent). Security (31 percent) and long deployment times (30 percent) are also in the top four.
With so many applications in use, many of which are cloud-based, IT is consumed by managing application performance and access to the cloud. And it’s only getting more complex, highlighting the need for a managed service for many organizations.
The most time-consuming IT issues identified by respondents were remote and mobile (47 percent), application performance at the branch (43 percent) and accessing the cloud, which doubled from 20 percent in 2019 to 42 percent in 2020.
Challenges surrounding UCaaS
The survey showed that while network managers have high expectations for performance, UCaaS is still challenging to deploy globally, and, once again, complexity is the culprit.
Respondents identified set-up and management as the number one challenge for voice and video (48 percent in 2020; 27 percent in 2019), highlighting the need for managed solutions that hide the complexity. Lag/delay was a close second (43 percent in 2020; 30 percent in 2019), which illustrates network performance issues. This was followed by dropped calls (39 percent).
It’s all about the apps and where they’re connecting from
Most of the enterprises surveyed are leveraging over 10 SaaS applications (51 percent in 2020 versus 23 percent in 2019), which speaks to the criticality of cloud performance. In terms of where these SaaS apps are hosted, it’s a multi-cloud world, with AWS, Azure, Google, IBM, Oracle, and Alibaba Cloud all well represented.
What’s more, enterprises are continuing to increase the number of applications deployed. A growing number of companies are deploying 100+ applications: 59 percent in 2020 compared to 43 percent in 2019. Please refer to the report for more detailed, per-vertical data and year-on-year comparisons.
What’s being done to reduce complexity
To address increased complexity and the time spent managing the WAN, enterprises regardless of size are undergoing major initiatives that include automation, the cloud and newer areas of interest such as IoT, AI/ML and blockchain.
For broad IT initiatives, automation grew substantially to 41 percent of respondents in 2020 from only 31 percent in 2019, as did IoT (29 percent in 2020 from 18 percent in 2019), AI/ML (27 percent in 2020 from 12 percent in 2019), and blockchain (21 percent in 2020 from only five percent in 2019).
On the cloud front, upgrades and management are important regardless of company size, and there is keen interest in 5G. This last initiative reflects the interest in 5G as a future primary connectivity option for SD-WAN.
Respondents identified cloud upgrades (37 percent) and management (38 percent) as top networking initiatives. A whopping 42 percent of respondents also named 5G as a top initiative for this year.
Barriers and expectations for today’s SD-WANs
Buyers are at various stages of their SD-WAN evaluation, but most are still gathering information or evaluating vendors. Forty-four percent of respondents are gathering information, 23 percent are evaluating SD-WAN vendors, 11 percent are building a business case, 13 percent are in the middle of deploying, six percent have deployed and are assumed to be happy, while only two percent have deployed but are not happy.
When evaluating SD-WAN, the top three potential barriers include application performance, knowledge gaps and complexity. Overall, cost seems less a consideration this year versus performance and complexity, with SD-WAN ROI better understood and valued than in previous years.
Beyond the barriers mentioned above, SD-WAN planners have certain expectations they’d like met. Respondents said the cloud and WAN optimization are still key requirements for a successful SD-WAN solution, but NFV, support for remote workers and the desire for a managed service have grown substantially. Add in security, and all of these features illustrate the many moving parts critical to a successful SD-WAN deployment.
Their SD-WAN feature wish lists included expected responses such as security, cloud and WAN optimization, but also network functions virtualization (NFV), which more than doubled from 2019 (35 percent in 2020 from 13 percent in 2019) and support for remote employees, which also grew by over 50 percent (33 percent in 2020 from 21 percent in 2019). Organizations are increasingly expecting the mobile workforce to be included as part of the total SD-WAN solution.
The desire for a fully managed SD-WAN also increased to 37 percent in 2020 from 28 percent in 2019. This aligns with a growing acceptance for managed offerings, likely in response to the increasing complexities and challenges detailed earlier, with 87 percent of respondents saying they would consider a managed SD-WAN as compared to 59 percent in 2019.
“We are living in a complex multi-cloud and multi-SaaS application world. As global enterprises continue to innovate by embracing new technologies and migrating to the cloud, they also face new challenges, and the network is increasingly a strategic asset,” said Shashi Kiran, CMO of Aryaka.
“Whether it’s an increasing number of global sites through expansion, poor performing cloud-based applications, increasing costs or the time it takes to manage multiple vendors, many organizations are at an inflection point: transform the WAN now or risk falling behind and losing out to competitors.”
With the COVID-19 pandemic, working from home has moved from a company perk to a hard requirement. Government social distancing mandates have forced complete office closures, completely transforming how and where people work. With people working from home and connected to business applications running in the cloud, the notion of an office building representing the company network has vanished overnight.
The reality is the notion of a fixed company network being defined by network connections within the company buildings was just a mere illusion. Take a look at the modern laptop. Does it have a wired ethernet port? Unless it’s in a museum, more than likely the only network connection on the laptop is a wireless one.
If that’s the case, why would it matter whether that laptop is being connected to video conferencing in the company’s conference room or a video conference being held from home? There is no more of a guarantee that the laptop in the company conference room is connected to the company’s network than the one connected at home. The laptop in the company conference room is just as likely to be connected to the neighbor’s wireless network making it remote when in fact the user is physically in the office.
SaaS business applications have transformed the world so quickly that most have missed the fact that the notion of having buildings define a secure network perimeter is no longer possible. All users need to use cloud applications is a network connection. That network connection can be anywhere.
If you could force users to connect to the secure office network to access those applications that would be ideal. But the reality is that a network security strategy focused on forcing data through a company network is not only challenging, but most likely counterproductive. How productive can users be sending all of their data from their homes to the office, just to forward that data to cloud applications? Certainly, that would result in slow cloud applications and poor video conferencing due to the unnecessary transfers of data to the office when in fact the applications live in the cloud.
The reality is that the laptop is the network perimeter. The network begins and ends at the laptop or device itself. What network the laptop connects to is irrelevant and should be considered untrusted. The same network connections used to connect to cloud business applications are the ones the hackers use to infect devices and hijack data. The laptop itself is the new network perimeter, not the traditional office buildings that once defined them.
All of the strategies used to securely connect network devices are fundamentally changing too. Much like the physical office once defined the network, physical network security appliances defined the network cybersecurity strategy. Those network security appliances are moving to cloud network security services. With devices being the new network perimeter, those devices connect to the cloud network security service to access business applications that live in the cloud. This makes connections to cloud business applications faster and more efficient, which of course increases productivity.
Given the laptop is the new office, did the office ever close? All applications are available in the cloud and users can access those applications from anywhere. The cloud has enabled productivity in a world where physical offices are inaccessible. The only thing that needs to catch up is our mindset that the office is not a building, it’s sitting on your lap while you work from home.
Recently, some of the biggest names in SaaS have experienced customer support data breaches. With data playing an important role in the success of customer support, companies must ensure information security is top of mind to build relationships and develop trust with customers.
But, in addition to being secure, B2B customer support teams need customer information to be easily accessible so they can help resolve tickets quickly and efficiently. In this article, I’ll walk through three strategies customer support teams can utilize to improve customer data security.
Equip agents so they can easily and quickly verify customer information
Agents typically spend more time than anyone else working with your customers – which is why they need to be equipped with the best technology and procedures to verify customer information when they’re working on a legitimate issue.
When selecting technology solutions, customer support software should include key security features that are built in and easy to work with, letting customer support agents dedicate more of their time and energy to solving the issues at hand. Customers will also have assurance knowing their communications with your team are secure in real-time and will remain secure for as long as your team stores their information.
Features can include SSL user authentication, two-factor authentication, and Service Level Agreement (SLA) management. For example, a simple way to prevent fraudulent logins and impersonations is to require customers to use their mobile device as a part of the support portal login process. When someone tries to log in to an account, the mobile number associated with the account will receive a text message containing a security code. This quick form of authentication can be a strong first defense, and customers can immediately chat or send a ticket once they log in.
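The text-message login step described above, sketched server-side as an added example (not code from this article or from any support product). The class name, code length, lifetime and attempt limit are assumptions, and delivery through an SMS gateway is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed validity window (5 minutes)
MAX_ATTEMPTS = 3         # assumed number of guesses allowed per issued code


class SmsCodeVerifier:
    """Issues and checks one-time login codes for a hypothetical support portal."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # Per-process secret: stored digests are useless without it.
        self._key = secrets.token_bytes(32)
        # account_id -> {"digest": bytes, "expires": float, "attempts": int}
        self._pending = {}

    def _digest(self, account_id, code):
        # Bind the code to the account so it cannot be replayed elsewhere.
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account_id):
        """Create a fresh code; any earlier code for the account is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account_id] = {
            "digest": self._digest(account_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The caller passes this to the SMS gateway; it is never stored or logged.
        return code

    def verify(self, account_id, submitted):
        """Return True only for the current, unexpired, unused code."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() >= entry["expires"]:
            del self._pending[account_id]
            return False
        entry["attempts"] += 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(
            entry["digest"], self._digest(account_id, str(submitted))
        )
        # A code is single-use, and is discarded once the guess limit is hit.
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]
        return ok


if __name__ == "__main__":
    verifier = SmsCodeVerifier()
    sent = verifier.issue("customer-42")           # constructed account id
    print("first use :", verifier.verify("customer-42", sent))
    print("replay    :", verifier.verify("customer-42", sent))
```

With six digits and three guesses per code, a blind guess succeeds at most three times in a million per issued code, so rate-limiting how often `issue` may be called per account matters as much as the check itself.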
Control internal and external data access
It can be frustrating when you’re locked out of information you need, and going through a chain of colleagues to find the right person to give you proper permissions can take time. But just as important as ensuring the proper teams and agents have access to customer information is keeping internal data locked away from those within your organization who don’t need access.
Your customer support team has access to a lot of customer information because it’s critical to their job, and this data needs to remain safe and secure. To better protect customers and the organization as a whole, B2B customer support teams must know that granting too much access even to internal colleagues can leave data in a vulnerable position. To combat this, companies must enforce practices to ensure data is kept in the hands of those who truly need access to it.
The same code of ethics for customer information should definitely be followed when working with an external vendor who might be involved in a support ticket. For example, if a support agent is working with a customer and their third-party vendor, it might seem only natural to give both parties access to all information and communication regarding the ticket. However, the vendor should be removed from any communications sharing personal information such as a product ID code or confirmation number that could potentially convey sensitive customer information.
Just because a vendor is “green lit” to act on behalf of the customer doesn’t mean you have a relationship in place to share personal information about the customer with the vendor. Tread carefully here and check your contract if necessary.
Collaborate with development teams in a secure manner
Customer support should be a part of the development process since they understand customer frustrations the most, but the two teams must collaborate on a secure platform, especially when sharing customer information.
Many teams rely on inexpensive or free collaborative platforms to communicate because the upfront cost of building their own collaborative environment can be expensive. However, a well-built environment fully integrated with your existing systems is a worthwhile investment considering the risk you and your customers face with their sensitive information when using less secure platforms.
SaaS customer support can be a secure channel for your customers, but you should consider what customer information your agents and employees can access. By properly training your B2B support agents and equipping them with software built to encourage and enforce security best practices, you and your customers will be safer.
IoT is barreling toward the enterprise, but organizations remain highly vulnerable to IoT-based attacks, according to Extreme Networks.
The report, which surveyed 540 IT professionals across industries in North America, Europe, and Asia Pacific, found that 84% of organizations have IoT devices on their corporate networks. Of those organizations, 70% are aware of successful or attempted hacks, yet more than half do not use security measures beyond default passwords.
The results underscore the vulnerabilities that emerge from a fast-expanding attack surface and enterprises’ uncertainty in how to best defend themselves against breaches.
Organizations lack confidence in their network security
9 out of 10 IT professionals are not confident that their network is secured against attacks or breaches. Financial services IT professionals are the most concerned about security, with 89% saying they are not confident their networks are secured against breaches.
This is followed by the healthcare industry (88% not confident), then professional services (86% not confident). Education and government are the least concerned of any sector about their network being a target for attack.
Enterprises underestimate insider threats
55% of IT professionals believe the main risk of breaches comes mostly from outside the organization and over 70% believe they have complete visibility into the devices on the network.
But according to Verizon’s 2019 Data Breach Investigations Report, insider and privilege misuse was the top security incident pattern of 2019, and among the top three causes of breaches.
Europe’s IoT adoption catches up to North America
83% of organizations in EMEA are now deploying IoT, compared to 85% in North America, which was an early adopter. Greater IoT adoption across geographies is quickly expanding the attack surface.
Skills shortage and implementation complexity cause NAC deployments to fail
NAC is critical to protect networks from vulnerable IoT devices, yet a third of all NAC deployment projects fail.
The top reasons for unsuccessful NAC implementations are a lack of qualified IT personnel (37%), too much maintenance cost/effort (29%), and implementation complexity (19%).
SaaS-based networking adoption grows
72% of IT professionals want network access to be controlled from the cloud. This validates 650 Group’s prediction that more than half of enterprise network systems will transition to SaaS-based networking by the end of 2023.
“Enterprise adoption of IoT, coupled with the fast rise of cloud and edge computing, is massively expanding the attack surface. But the single greatest cybersecurity threat today is inertia,” said David Coleman, Director of Product Marketing, Extreme Networks.
“This data shows that across sectors, IT professionals are not confident in their own network security. Yet so many organizations still rely on the same legacy security tools they’ve been using for decades. It’s critical for enterprises to demand multi-layered network security solutions purpose-built for the modern, hybrid enterprise.”
Seventy-nine percent of companies store sensitive data in the public cloud, according to a McAfee survey.
Anonymized cloud event data showing percentage of files in the cloud with sensitive data
While these companies approve an average of 41 cloud services each, up 33 percent from last year, thousands of other services are used ad-hoc without vetting. In addition, 52 percent of companies use cloud services that have had user data stolen in a breach.
By leaving significant gaps in the visibility of their data, organizations leave themselves open to loss of sensitive data and to regulatory non-compliance.
Cloud services have replaced many business-critical applications formerly run as on-premises software, leading to a migration of sensitive data to the cloud. Use of personal devices when accessing cloud services, the movement of data between cloud services, and the sprawl of high-risk cloud services drive new areas of risk for companies using the cloud.
For organizations to secure their data they need a thorough understanding of where their data is and how it is shared – especially with the rapid adoption of cloud services.
As part of this report, McAfee surveyed 1,000 enterprise organizations in 11 countries and investigated anonymized events from 30 million enterprise cloud users to gain a holistic view of modern data dispersion.
Shadow IT continues to expand enterprise risk
According to the study, 26 percent of files in the cloud contain sensitive data, an increase of 23 percent year-over-year. Ninety-one percent of cloud services do not encrypt data at rest, meaning data isn’t protected if the cloud provider is breached.
Personal devices are black holes
Seventy-nine percent of companies allow access to enterprise-approved cloud services from personal devices. One in four companies have had their sensitive data downloaded from the cloud to an unmanaged, personal device, where they can’t see or control what happens to the data.
Accessing cloud services: Intercloud travel and risk
Collaboration facilitates the transfer of data within and between cloud services, creating a new challenge for data protection. Forty-nine percent of files that enter a cloud service are eventually shared.
One in 10 files that contain sensitive data and are shared in the cloud use a publicly accessible link to the file, an increase of 111 percent year-over-year.
Anonymized cloud event data showing percentage of files shared in the cloud with sensitive data using a public access link
A new era of data protection is on the horizon
Ninety-three percent of CISOs understand it’s their responsibility to secure data in the cloud. However, 30 percent of companies lack the staff with skills to secure their Software-as-a-Service applications, up 33 percent from last year. Both technology and training are outpaced by the rapid expansion of cloud.
“Security that is data-centric, creating a spectrum of controls from the device, through the web, into the cloud, and within the cloud provides the opportunity to break the paradigm of yesterday’s network-centric protection that is not sufficient for today’s cloud-first needs.”
IT executives have rising SaaS security fears, and worry about cloud security, proprietary data encryption, as well as the loss of independent control due to access limitations, according to Archive360.
SaaS security fears
The research surveyed more than 100 enterprise IT executives worldwide, to identify the leading security challenges they face with their SaaS vendors.
Overall, those surveyed said they are troubled by the current level of security and accountability provided by their SaaS vendors. Nearly two-thirds are so concerned that they intend to retire applications that do not provide the level of security control they want.
Further, nearly all executives surveyed stressed the importance of maintaining ownership of their own encryption keys. Yet in third-party SaaS private cloud deployments, the SaaS vendor (not the enterprise) maintains access to and ownership over encryption keys. In fact, only 26 percent of those surveyed stated that they have control of their encryption keys, and 74 percent stated that control is maintained entirely by their SaaS vendors.
This risk is compounded by the fact that many vendors often use the same encryption keys for multiple customers. When companies unlock data for one customer using keys that also protect other customers’ archives, they are exposing other tenants’ data to potential risk.
As one Director of IT at a large U.S.-based manufacturing company commented, “I’ve seen too many strong companies go out of business, and have also audited our vendors and seen great vendors fall out of compliance. Having them in control is just one more additive risk.”
Encryption key ownership and access worries
When asked about their top worries when it comes to encryption key ownership and access, IT executives listed the following:
- Loss of independent control of data security.
- Concern of my privacy.
- Past history of compromises.
- Trust for data breach and confidentiality of data.
- Potential conflict with my company’s standards.
- Without internal controls, you do not know where the information goes.
“In light of the widespread threats of increasingly sophisticated malicious cyber groups, and corporate risk relating to global data privacy laws, IT teams are under immense pressure to plug any holes in their security practices and mitigate all vulnerabilities,” said Tibi Popp, CTO at Archive360.
“The positive news is that our survey shows that IT executives not only understand the importance of security as it relates to today’s SaaS applications, but that they are taking swift and necessary steps to protect their enterprises by retiring these applications as quickly as possible.”
- Nearly all executives surveyed (92 percent) believe they will require SaaS vendors to provide more tailored and flexible security options in the future.
- Only 19 percent of respondents said 75 percent or more of their SaaS vendors meet all of their security requirements.
- Seventy percent of companies said they have made at least one security exception for a SaaS vendor.