Many organizations are making the shift to cloud-based collaboration and productivity tools because they make it easier--and cheaper--to deploy, manage, and use the tools people need. With services such as Google GSuite, Microsoft Office 365, Dropbox, or Box, organizations can start small and scale quickly with predictable costs. Mobile device support is a given, and with a central storage facility for documents and other data, sharing is easier and more consistent. These benefits enable a dramatic reduction in organizational friction, driving higher participation, and facilitating better business outcomes.
As significant as these benefits are, however, the ease with which people can share data using these cloud services brings new challenges to security and risk management teams. With SaaS tools, it’s easier for users to make an innocent mistake, sharing data with the wrong people, sharing the wrong data, or providing broader access than necessary, thus creating risk for the organization. At the other end of the spectrum, malicious insiders find it easier to locate and share data with outsiders. Making matters worse, most organizations lack the tooling to find and manage these risks.
In one sense, data leakage of this kind isn’t a new problem. But SaaS collaboration products significantly increase the speed with which risks can accrue and the difficulty of identifying, prioritizing, and responding to those risks. The challenge is managing the risks that SaaS collaboration platforms create without reducing the inherent value these platforms bring to the organization.
While serving as Twitter’s CISO, Michael Coates saw this challenge and realized that he lacked the tools to address it. Traditional data loss prevention (DLP) products are heavy-handed enforcement mechanisms that don’t work well with lighter-weight SaaS products. And while cloud access security brokers (CASBs) can track down shadow IT, they typically don’t help security teams identify and remediate cloud data sharing risks with enough granularity. Coates saw an unmet need for a cloud-native solution for a cloud-native problem, one that could manage risk in real-time without compromising the user experience SaaS platforms provide.
So Coates teamed up with Amir Kavousian, a data scientist who had been working on machine learning for fraud detection on Capital One’s payment platform, and launched Altitude Networks. The result is Altitude’s “cloud-native DLP.”
Altitude Networks is a SaaS security solution, integrating with SaaS collaboration services at the API level. Customers don’t have to deploy client agents or slog through difficult back-end integration work. It applies a spectrum of tools and automation to the problem, ranging from common sense rules to more complex behavioral and relationship analysis, working in the background while giving security teams the tools to manage risks in SaaS platforms. This cloud-native approach was the leading factor in Rain’s investment in Altitude Networks.
The data sharing risks on SaaS collaboration platforms aren’t indications that Google, Microsoft, Dropbox, and Box have failed when it comes to security. Generally speaking, their products include robust authentication and access control capabilities. But as Coates points out, many of the problems crop up when users, who happen to be human beings, fail to meet unrealistic expectations. In fact, SaaS collaboration products lack any guardrails that remind users they are sharing sensitive data or notify them (and security personnel) when sharing data creates undue risk. Those risks fall into these general categories:
Problems like these crop up quickly on cloud collaboration platforms. Finding and dealing with them is much more difficult. Manually digging through logs isn’t scalable, and doesn’t come close to matching the speed at which risks accrue. And given the number of users and potential incidents, reliable automated mechanisms are baseline requirements.
Traditionally, enterprises have deployed on-premise DLP products to address the risks associated with sharing and using sensitive data, often driven by compliance requirements. More recently, CASBs emerged in an attempt to extend an enterprise’s security policies and management capabilities into the cloud. But neither DLP nor CASB products are well-aligned with cloud-native architectures, creating significant mismatches in deployment, management, and usage models. These include:
These mismatches and shortcomings are simply yet more evidence of the mismatch between traditional, on-premise security models and cloud-native systems. As we’ve said before, securing cloud-native systems requires aligning security systems with cloud-native architecture.
Altitude Architecture
Altitude is a cloud-native security service, sold as a SaaS product, operating within the collaboration platform’s environment, according to its rules. Altitude does not create yet another management layer, such as a duplicative access control structure.
As Figure 1 illustrates, Altitude integrates with the SaaS platform’s APIs, gathering the metadata on every file and person in the platform. Altitude discovers the name of every file, who created it, when they created it, its security settings, who has access to it (including third parties), and every action taken on that file (such as renaming, viewing, and editing). (Altitude limits its intake to the metadata, having no need to access the actual data in any file.) Altitude’s Risk Engine operates on that metadata, performing the following functions:
As Figure 2 illustrates, Altitude puts this information in a dashboard, allowing security managers to view risks to the organization in an organized fashion, by severity. Managers can see a history for specific files or specific users, allowing them to audit previous activity as part of the remediation process. They can also take action in real-time, including notifying the end-user of the problem, complete with instructions on how to fix it. In severe cases, a security manager can remove access to a file for a third party, or lock the file from sharing completely.
Today, Altitude supports Google’s GSuite offering. The company plans to release support for additional SaaS collaboration platforms in the future.
SaaS collaboration platforms have become popular because they work. They help people get their work done, and their deployment and usage patterns match the speed of the business. Instead of getting in the way of that progress, security systems must keep pace, giving security teams the tools they need to quickly discover, understand, and remediate risks in these SaaS platforms, without degrading their functionality. That’s the goal of Altitude Networks and its product. And that’s why we at Rain Capital invested in the company.