Security Manager's Journal: On the lookout for rogue IT
A seemingly innocent request leads to the discovery of an unapproved, customer-facing SaaS application.
Computerworld - In the age of software as a service, when just about anyone in a company can spin up an enterprise application with just a credit card and an email address, it can be tough for the security manager to keep on top of things.
At issue: The chance discovery of a rogue enterprise applications suggests that others might exist.
How do you know, in a globe-spanning enterprise, that no one has instituted some cloud-based service in a way that threatens the company's intellectual property? Last week, luck led me to one such application, but that has me thinking that there has to be a more comprehensive way to uncover these things.
I have the authority to sign off on changes to the IT infrastructure. Because I like to have a life outside of that activity, I have established criteria for what sorts of changes need my approval. For example, I don't need to OK adding memory or a CPU to a server, but I don't want any publicly facing Web servers installed in our DMZ without my knowledge. Some of the changes that I retain oversight on might seem trivial, but last week's incident illustrated why they aren't.
What happened was that I received a request to white-list a particular domain so that it wouldn't be identified as spam. On the rare occasions when we receive such a request, we evaluate the domain, running it through some Web-based validity checkers. If it's not identified as hosting malware or other risky content, and if there's a business justification for releasing the domain from the spam filter, we allow such email to be delivered to the employee making the request.
The domain in question didn't set off any alarms and didn't appear to be malicious. OK, so what's the business justification? The request was from our customer service operations center in Hyderabad, India. The folks there told us they were deploying a new Web-based tool to give our customers access to certain knowledge-base data held on our internal servers. But our IT enterprise applications team knew nothing about this application. In other words, we had stumbled upon the deployment of a customer-facing application that was bypassing our strict review process.
What more could India tell us? Plenty, and none of it good. The SaaS vendor has eight employees and is run out of a small apartment. It has one Web server, hosted at Amazon. It has no U.S. presence. As for the application architecture, authentication requires a username and password, but there are no requirements for password complexity, and users aren't forced to change their password on first log-on. Passwords are stored in clear text, and sessions aren't encrypted. But this vendor is security-conscious, we were assured: It offers two-factor authentication. Um, yes, but the second factor is the user's date of birth.
We immediately put a halt to work with this vendor. It could have been a very embarrassing situation. After all, we are a publicly traded company, and many of our customers are banks, healthcare providers, utility companies and government organizations with complex compliance requirements.
This was an embarrassment that we barely avoided, and only by chance. Now I'm wondering how many other rogue enterprise applications have been implemented. What to do?
Luckily, all outbound network traffic must pass through our new Palo Alto Networks application-layer firewalls. A nice feature of these firewalls is that they can capture the destination of all network traffic as well as the actual Web addresses that are being accessed. I plan to filter out all the valid applications that we have approved or know are not risky. Whatever falls out will be evaluated in hopes of identifying other rogue SaaS applications being used in the enterprise.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in the discussions about security! computerworld.com/blogs/security
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts