Governance Without Management in the Absence of a Perimeter - One CISO's Opinion


There are two trends in IT that have steadily grown for several years now, and, when combined, have served to attack our notions of cyber security governance. These two trends are cloud-based Software as a Service (SaaS) applications and Bring Your Own Device (BYOD). Between them, any hope we have of actively managing the entirety of our own enterprise data is gone. Some of our data resides on personally owned devices that leave our campus every night, or that never were present on our campus at all. Some resides in the cloud, managed by vendors who can give us all manner of assurances (99+% uptime, NDAs, etc.), but who ultimately have taken management away from us. And let’s be honest with ourselves: some of it resides in SaaS applications for which there is no enterprise contract in place at all. Our users and sometimes even our own IT colleagues may leverage free cloud services right under our very noses – and not just for personal files. As CISOs we need to redefine our concepts of data management and to introduce degrees of control that better allow us to sleep at night.

Re-Thinking Terminology

Integral to this change of mindset is some revisiting of definitions and terms. In the above paragraph, “management” and “governance” were used interchangeably. Perhaps this is where the trouble begins in our attempts to address the problem. Some delineation might be in order.

“Management” is an active word, connoting our ability to perform meaningful and comprehensive changes to our data. In the enterprise, we manage the data on our own on-premises servers, but we might have to reach out to the SaaS vendor to manage our data on our behalf. We can perform small changes ourselves, perhaps, but wholesale management of our data requires calling the vendor into the process.

“Governance” is a far more interesting word than management. Governance is less active than management, and yet not necessarily a weaker concept either. Governance means that we have awareness, and even authority, without necessarily having the active control of management. And in many cases, that’s enough.

Real-World Example

Several users have copied critical documents into a free online file storage service. Engineering diagrams, product management roadmaps, slide decks for an unreleased marketing campaign, financial data, etc. all now reside on the servers of a vendor with whom no enterprise contract is in place. An enterprise cannot necessarily even request a purge of the data in a case like this one, because whatever contract is in place is between the SaaS vendor and the individual who signed up for the account. But that is getting ahead of the story.

First and foremost, a CISO must have an awareness that the file sharing service is in use in the first place. A good Cloud Access Security Broker (CASB) solution should serve as the beginnings of this awareness phase. Isolating individual users and identifying their usage of individual SaaS services is a great first step that CASB can provide. Now that the CISO is aware, the next step is a choice: management or governance?

Some CASB solutions also provide the ability to block data from leaving the enterprise, though this is a function also performed by a Data Loss Prevention (DLP) solution. In either case, this capability, in conjunction with a strong data classification policy (and, ideally, a data classification tool as well) is the next step on the path to governing the file sharing scenario. Company data X is heading out the door to the file sharing service, but gets blocked, all without the SaaS file sharing service being actively managed by the enterprise.

Add User & Entity Behavior Analytics (UEBA) to these other tools, and now full and dynamic awareness is in place, with analytics driving risk-adaptive policy enforcement: UEBA determines that a user is behaving in a riskier manner versus an established baseline and informs the DLP tool, which escalates its response to the data flow on a sliding scale. Quarantining what appears to be a work-related file, or even a full and instant block, are possible reactions, all in immediate response to what the UEBA is observing. Does this user normally export data to this file sharing service at 2AM on Saturday night? Has this user migrated documents of a type that are not her normal .jpg photographs? Has a user who has given two weeks’ notice to leave the company suddenly begun using this file sharing service? A risk-adaptive governance model controls these situations without adding the burden of actual, active management. And at the end of the day, isn’t stopping your data from leaving your control the real goal?
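As an added illustration (not code from the article, and not the API of any CASB, DLP or UEBA product), the following Python sketches the risk-adaptive enforcement described above: a per-user baseline, a UEBA-style deviation score built from the signals the paragraph names (unfamiliar service, unusual file type, off-hours activity, a user who has given notice), and a DLP policy that combines that score with the file's classification label to escalate from allow to quarantine to block. The users, services, file names, weights and thresholds are all constructed assumptions.

```python
"""Risk-adaptive DLP decision logic, as sketched in the article.

Constructed illustration: a UEBA-style scorer measures how far an upload
departs from a user's baseline, and a DLP policy maps classification plus
that behavioural score to a graduated response (allow, quarantine, block).
Every user, service, file and threshold here is invented; none of this is a
real CASB/DLP/UEBA product's API.
"""
from dataclasses import dataclass
from datetime import datetime

# Base weight a file's classification label contributes (assumed scale).
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 3}

# Thresholds for the sliding-scale response (assumed values).
QUARANTINE_AT = 3
BLOCK_AT = 6


@dataclass
class Baseline:
    """What 'normal' looks like for one user; in practice learned from history."""
    usual_services: frozenset       # SaaS services this user routinely uploads to
    usual_extensions: frozenset     # file types this user routinely moves
    usual_hours: range              # local hours in which uploads are typical
    gave_notice: bool = False       # HR signal: user has resigned


@dataclass
class UploadEvent:
    user: str
    service: str
    filename: str
    when: datetime
    classification: str             # label from the data classification tool


def behaviour_score(event: UploadEvent, baseline: Baseline):
    """UEBA-style deviation score: each departure from baseline adds points.

    Returns (score, reasons) so the DLP response can be explained to an analyst.
    """
    score, reasons = 0, []
    if event.service not in baseline.usual_services:
        score += 2
        reasons.append("service not in user's baseline")
    _, dot, ext = event.filename.rpartition(".")
    ext = ext.lower() if dot else ""
    if ext not in baseline.usual_extensions:
        score += 2
        reasons.append(f"unusual file type {ext or '(none)'}")
    if event.when.hour not in baseline.usual_hours or event.when.weekday() >= 5:
        score += 1
        reasons.append("outside usual hours")
    if baseline.gave_notice:
        score += 3
        reasons.append("user has given notice")
    return score, reasons


def dlp_decision(event: UploadEvent, baseline: Baseline):
    """Combine classification weight and behaviour score into a DLP action."""
    behav, reasons = behaviour_score(event, baseline)
    total = CLASSIFICATION_WEIGHT.get(event.classification, 0) + behav
    reasons.insert(0, f"classification={event.classification}")
    if total >= BLOCK_AT:
        action = "block"
    elif total >= QUARANTINE_AT:
        action = "quarantine"
    else:
        action = "allow"
    return action, total, reasons


def run_constructed_sample():
    """Three constructed events showing allow / quarantine / block in turn."""
    alice = Baseline(frozenset({"corp-sharepoint"}), frozenset({"jpg", "docx"}),
                     range(8, 19))
    bob = Baseline(frozenset({"corp-sharepoint", "free-file-share"}),
                   frozenset({"docx"}), range(8, 19), gave_notice=True)
    events = [
        # Routine: sanctioned service, usual type, Tuesday mid-morning, public.
        (UploadEvent("alice", "corp-sharepoint", "team-photo.jpg",
                     datetime(2024, 3, 19, 10, 0), "public"), alice),
        # Departing user moving an internal doc to a service he already uses.
        (UploadEvent("bob", "free-file-share", "meeting-notes.docx",
                     datetime(2024, 3, 20, 14, 0), "internal"), bob),
        # Confidential deck to an unsanctioned service at 2AM on a Saturday.
        (UploadEvent("alice", "free-file-share", "roadmap.pptx",
                     datetime(2024, 3, 16, 2, 0), "confidential"), alice),
    ]
    return [(e.user, dlp_decision(e, b)) for e, b in events]


if __name__ == "__main__":
    for user, (action, total, reasons) in run_constructed_sample():
        print(f"{user}: {action} (score {total}) - {', '.join(reasons)}")
```

The point of returning the reasons alongside the action is that a quarantine or block produced by a sliding-scale policy has to be explainable to whoever reviews it; a score alone tells the analyst nothing about which baseline deviation drove the response.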

Alternatively, one could expand the governance model into active management by doing the following:

1. Continue using all governance tools and processes from above

2. Perform the usual security and privacy assessments of each SaaS vendor; spend analyst time

3. Negotiate an enterprise contract with each SaaS vendor; spend time from Purchasing and Contracts teams as well as money on the service itself

4. Integrate each SaaS application into SSO/I&AM; spend IT Operations time

5. Possibly perform some DNS changes as well and/or some firewall and VPN rules; spend more IT Operations time

6. Work with the SaaS vendor to perform a purge of data from the scattered personal SaaS accounts. Perhaps work with the vendor to migrate data from personal accounts to the new enterprise account; spend time from the Contracts department and possibly Legal as this is all sorted out

7. Cut off access to the personal accounts and begin management of the enterprise account; ongoing IT Operations time is now spent for the duration of the contract as well as Helpdesk time

Final Thoughts

Once the above steps are taken, transitioning from governance to active management, what is really gained? We see the costs of this transition, but what are the benefits? We are still ultimately doing only one thing – blocking our data from going to a place where we don’t have jurisdiction. Only the costs of fulfilling that goal, both hard and soft, have increased notably. Perhaps active management should no longer be the default, go-to solution. Perhaps we need to let go of some control, free up some costs, and embrace the governance model. After all, if we are stopping the bad from happening, while still allowing the innocuous to happen, then the governance model gives us all we need.

This article is part of my "One CISO's Opinion" series, and does not necessarily reflect the opinions of my employers. #CISO #BYOD #ZeroPerimeter #SaaS #datagovernance #howto @AllanAlfordinTX

Phil D'Angio

VP WW Sales Engineering

6 years

Another intuitive reflection on the practicalities of running security in the modern era AA, much appreciated. Your reflections help me contemplate options within that will yield business outcomes for our customers via the Human Point System.
