As director of information security at Western Union, in charge of emerging technology and cloud security, David Levin has a deep appreciation of the risks attendant to cloud applications. He also recognizes that workers are under tremendous pressure to deliver results, and if a cloud application helps get the job done, they don’t hesitate to deploy it. The security organization at Western Union, headed by CISO Mike Kalac, didn’t want to play the heavy when it came to the cloud computing habits of the company’s 9,000-plus employees. “We understand that people want to get access to certain information to do their jobs,” Levin said. The challenge was how to help business users take advantage of the cloud without putting the wire transfer giant at undue risk.
First steps: cloud discovery
To get the word out to departments that Infosec was prepared to help the business leverage cloud services, the security team created the WISE program — Western Union Information Security Enablement. “The program is geared toward implementing solutions that make people’s lives better and more productive,” Levin said — in a wise, not reckless, manner. That required ferreting out the cloud applications that could potentially put Western Union at risk. “Part of the WISE program was to identify what cloud applications people were using and how they were sharing Western Union data.”
To that end, he turned to Skyhigh Networks, one of a new crop of cloud-based security and analytics startups. These tools help companies discover and monitor internal usage of cloud services (sanctioned and unsanctioned), assess the risks posed by the cloud services, and enforce policies that mitigate the risks. Rather than simply blocking usage, however, corporate enforcers — in this case, the security team working closely with Western Union IT — use the security tool to assess safer and (here’s the hard part) equally effective alternatives for users.
Use case: MFT
Levin declined to specify how many rogue cloud applications the Skyhigh tool discovered, except to say that it was in line with the vendor’s widely publicized number (700 to 800 on average for enterprises). The first rogue cloud service Levin’s team tackled was managed file transfer — or rather, unmanaged file transfer. The number of vendors out there providing this service was “shocking,” he said. As the Skyhigh tool showed, many of those software-as-a-service vendors operate with no terms and conditions and have data centers in countries that pose a security risk. Levin leaned on IT to help find and test an application that was as painless to use as, for example, a Dropbox, and that integrated well with other enterprise applications; security ultimately chose Accellion as its file-sharing platform and identity and access management vendor Okta for a single sign-on solution that gave users access to all corporate-sanctioned cloud applications.
“We didn’t make it challenging for them; we gave them solutions we really thought were next-generation and they took to that,” Levin said. “In a few months, we had several thousand users using it.”
IT roadmap: room for improvement
The Accellion platform, combined with the Okta interface, had another positive effect, besides more secure file transfer. “People don’t have to call the help desk and ask, ‘How do I send a file that is bigger than such-and-such?’” Levin said, referring to those employees who were not sidestepping IT.
Skyhigh’s ability to identify risky rogue cloud applications has also given security and IT a roadmap for improvement.
“We have learned how most of the organization is using infrastructure as a service, where they are leveraging some of the collaboration suites and project management [platforms]. These are all areas where, if we could do a better job of supplying them with next-generation technologies, they wouldn’t have to go out and find something else,” Levin said.
In addition to using the analytics tool to ferret out and assess shadow IT, the security team is using the tool to help vet its current vendor contracts, Levin said, including whether certifications are up to date and service levels are being met. “Some of that data feeds into our risk management program, which is world class, and then we don’t have to send them a 20-page questionnaire because we already have the information.”
Next-gen security tools
The data analysis delivered by the tools also helps with building a case for next-generation security tools, Levin said. Western Union suffered a breach in 2007 and again in 2013 when its website was down for maintenance. After each incident, security gained “visibility at the board level,” Levin said, and his team has a seat at the table when the lines of business make important decisions that involve information technology. “We try to embed ourselves from the beginning whenever possible, so that when decisions are made, we are guiding them along.”
That said, the security threat keeps growing, fueled in part by the employees’ need to use whatever technology they can to get the job done faster. Plus today’s malware is “very effective, and it is evading a lot of older technologies,” he said.
“Five years ago, it was all about prevention,” he said. “Now the new security tools are moving more toward better reactive systems, because there is no silver bullet; you just have to be well prepared.”