Data Loss Prevention Step 5: Disable Access to Cloud Storage Services

Monday, January 16, 2012

Rafal Los


I'm writing a series of posts to follow up on my blog post titled "Data Loss Prevention - Without the New Blinky Boxes" which addressed some of the silliness that comes with believing that DLP comes in a box, or is a product you can buy to solve your DLP needs. Welcome to part 5 (part 1 here) (part 2 here) (part 3 here) (part 4 here)...

Some time ago I started a series on Data Loss Prevention in a very frank, matter-of-fact, and un-enigmatic way.  I've been trying to dispel the myth that DLP is a blinking box you can buy, or a 'solution' that you can just drop into your organization that makes the trouble of leaking data magically disappear. 

This is part 5 in that series, and it's all about pulling your data away from the clutches of the cloud.  It's not all as crazy as that sounds though, because the cloud has many real benefits, but it has to be approached with sanity and intent rather than as the ostrich approaches the sandstorm.

What's Wrong with Cloud Storage?

You may be asking yourself what cloud storage has to do with DLP and preventing loss of corporate data - then again you're probably not.  If you listen carefully you can hear a great sucking noise - that's the sound of your corporate data being sucked out from your enterprise into these various cloud storage providers. 

What most users don't understand is that when these services are free that they aren't the customer, they are the product being sold so that means the vendor is doing something with the data being stored. 

Whether it's analytics, usage metrics, something... no one gives away free storage - not even Google.  What's worse is that these cloud storage providers are so enticing!  Who wouldn't get excited about being able to have a single storage place that can be accessed by your mobile phone (iOS, Android), tablet, (iOS, Android), laptop (Windows, Mac, Linux) and even directly via a web browser.  That's sheer genius... or is it?

These too-good-to-be-true value propositions generally come to a screeching halt when the light bulb goes on and someone realizes that the data you're carelessly putting up "in the cloud" isn't encrypted.  Oh but you didn't think of that right, because you just assumed everything is safe and secure. 

Wrong. All those corporate documents you put up on that cloud storage provider can now be pulled down by an attacker with relative ease - that's enough to give any CISO heartburn.  Moving beyond simple cloud storage we have cloud-based backup, cloud-based archiving (almost the same as backup), and now remote-access of local storage through the cloud (a la the new Droid phones... yea this is a great idea.)

Your corporate policy is to encrypt all mobile devices' hard disks because you can't risk losing that critical spreadsheet, and your entire sales department is copying their forecasts to Dropbox to make it accessible from their iPads while they're on the go... how does that work with your security policy?  Am I making my point?

Blocking - It's Easier Than it Sounds

Yep, saying you're going to block access to cloud-based storage is a lot easier than it sounds.  First-off, you have to figure out how to control mobile devices.  Now, if you've got iOS and Android and Exchange, you can at least start to lock down those devices... except that there is no button that says (as far as I know, please correct me if my search skills have failed me) "disable iCloud" on the iPhone or Android. 

Worse yet, even though some basic application control options exist through Exchange policy pushed down to the device, the BYOD (bring your own device) initiative across many enterprises is allowing employees to bring personal devices and push corporate data to them as long as policy is pushed as well. 

Does that mean that you're going to be allowed to control what apps the end-user installs?  I guess that depends on how well-written and enforceable your corporate security policy is, right?

The disaster that is blocking doesn't get any easier from the laptop or desktop.  Installing a product like Dropbox (I'm only picking on them because there was such a huge uproar about them last year) can be managed if you completely control the endpoint. 

Let's be honest with ourselves - few organizations have absolute control over their endpoints - and those that don't are either following the BYOD (bring your own device) paradigm, or are struggling to contain the sprawl of mobile devices and gadgets that are constantly popping up like milk-weeds on their network.  This is not a simple problem to solve, have I said that already?

Let me throw one more wrench into this argument.  What about completely mobile workforces?  I am almost completely mobile and when I'm away from the office for 3-4 months at a time I like to make sure my data is backed up. The end result of this need is that yes, I have chosen a cloud-based backup provider!  I am probably not like most of your users, however, and I carefully vetted the product I had my eye on, tested it, and asked around for exploits. 

Once I was satisfied that the product encrypted data in motion, and at rest and did a reasonable job of protecting my identity too - I purchased the service.  Oh, right... I had to buy the service because it wasn't free.  Most of your users will opt for free.  You know what you get for free?  Yea, you know...

So Why Bring It Up?

Look, just because it's hard doesn't mean it shouldn't be discussed.  Disabling access to cloud storage is essential to data loss prevention.  I hope you don't disagree. 

This is not a blanket statement because you will have agreements and relationships with various cloud storage vendors whom your business will come to rely on - but hopefully you will go into those relationships once your security team has had a chance to clearly understand the vendor, perform their own diligence, and carefully configure the product for deliberate use. 

This likely will not be the 'cool' your users are shooting for.

On the network, utilize proxies. Proxies, IPSs and other devices which can look into packets and inspect destination and packet type are great for this.  Disable access to cloud storage from your proxy device so your users (at least from the office) won't be able to pump the cloud full of your corporate financial statements for the next reporting quarter ahead of that analyst call "on accident". 

Network-based security is far from dead boys and girls, and it shows its usefulness here in this example and continues to demonstrate usefulness in the stream of data loss prevention as devices connect to the corporate network either over physical wire or wirelessly, at the office or virtually... network security is still extremely important.

Finally, policy is your friend.  Remember you have to write sound policy.  Also, if you're going to write a policy that says you can't use unencrypted, unapproved cloud storage providers - don't be the exception to the rule and store your network diagrams on Dropbox so your offshore team can collaborate with them... just sayin'.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Cloud Security
Service Provider
Cloud Security Enterprise Security Storage Application Security Access Control Data Loss Prevention Intellectual Property Managed Services DLP Dropbox Rafal Los BYOD
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.