GDPR poses many challenges – not least because the penalties are high! In amongst all the discussion and the rush for compliance, many businesses are not really focusing on the use of Cloud Applications. Cloud apps undoubtedly deliver real benefit to business, whether that is Office 365, Dropbox, Quickbooks etc. In many cases, using trusted cloud apps can actually aide compliance.
A key challenge for many organisations is the unknown unknowns. What Cloud Apps are being used by their staff and business – that they do not know about. This type of unapproved cloud usage is often described as Shadow IT. Apps that bypass IT, bypass procurement and often bypass the business. A CRM used by a key sales guy. Someone throwing files into Box to work from home. Someone else installing an app that accesses their contacts. The challenges are endless (which is a common theme with GDPR).
In the context of GDPR – the first question is simple:
What Cloud Applications are used by the business, and in what location is the data stored?
Is this a straight forward question? Yes. Do you really know all of the apps being used by your business? I am doubtful.
So the real first question should be
What Cloud Applications are being used by my business and staff right now
‘Cloud Application Discovery’ is the first part of the solution.
How can I detect Cloud Applications?
There are a number of ways you can detect cloud applications.
- Ask your IT department. A simple one, but take the answer with a pinch of salt. They may know about Office 365 and similar core productivity apps. But in our experience, this knowledge generally diminishes when you venture into other departments; accounts, sales, marketing, etc.
- Ask your suppliers. You cannot overlook your supply-chain, particularly when they too may handle data.
- Ask your staff.
This will uncover the authorised and sanctioned cloud apps, but there will always be outliers (the Shadow IT apps).
So how do you identify them? The ones you do not know about.
Detecting cloud apps and SaaS services
- Next Generation Firewalls (with content inspection). Modern firewalls with the relevant feature set are able to profile traffic flows and spot the unique signatures of apps – which enables them to identify the apps in use. We do this with Fortinet firewalls but many others have a similar feature set. However, the accuracy and completeness of their identification capabilities can vary.
- Cloud Gateway / Cisco Umbrella / DNS. Before an app can function, the user will need to either access a website or the app will need to connect back to some form of API or control server. The DNS lookup is an integral part of this. A service like Umbrella will inspect DNS traffic and be able to make an accurate assessment of the service the user is accessing.
To block or not to block
Once you have identified all of the cloud apps used by the business, the question is – what do you do now? Block them? Permit them? Ignore them?
There is no single answer.
- Approve the app. If the app has a legitimate use and is compliant with your data protection policies – document its usage and approve the app for use within the business. The process of this is outside the scope of this article, but you would follow a workflow that addresses personal data, data processing agreements, location, security measures, etc.
- Block the app. Whether you do this immediately then handle Step 1 is your choice. The NGFW and Umbrella solutions can both block access immediately. Users complain. You can then look to adopt the app or permanent block it.
- Ignore it. Not really recommended for a host of reasons!
How can MTG help?
The sort of questions (and the solutions we offer) are listed below.
- How can I block Office 365 / Dropbox / Box?
- What cloud applications are being used by my business?
- Can my business use Office 365 / Quickbooks / Sage?
- We use <application>, where is that data stored?
- How do I enforce an approved list of cloud applications, and block everything else?
MTG can supply a range of solutions that can aide GDPR compliance and help reduce your exposure to unauthorised cloud app usage within your business. In addition to the technical solutions, we can help guide you towards workable policies and approaches to security that benefit the business, but don’t become onerous and unworkable. Contact us today to find out more.