Culhane Meadows’ Atlanta partner Reiko Feaver was recently interviewed for an article by TechTarget about what CISOs need to consider when using team applications.
Here are a few excerpts from the article:
Since the COVID-19 pandemic drove millions of employees out of corporate offices and into a new era of remote work, team collaboration SaaS adoption has skyrocketed — as have cloud collaboration security concerns. External attacks on enterprise cloud accounts increased by 630% between January and April 2020, with threat actors largely targeting collaboration services, according to security provider McAfee. And, with remote work expected to continue well past the pandemic, experts warn that lax policies and risky behavior on collaboration platforms put companies at significant ongoing risk.
The nature of cloud services requires that enterprises rely on their providers to have good foundational cybersecurity, agreed Patrick Hevesi, analyst at Gartner. CISOs should, therefore, ask questions, such as the following:
- How does a provider monitor and control who enters its server facilities?
- Does the provider have security cameras?
- Is the provider’s network layer secure?
Organizations that, by necessity, rushed to deploy team collaboration software as part of their pandemic response plans should retroactively complete thorough supply chain risk assessments as soon as possible, Simberkoff advised her fellow CISOs. “Know your data, your employees and your vendors. Those are the three pillars of survival in the world we find ourselves in,” she said.
Reiko Feaver, a partner specializing in privacy, data and cybersecurity law at cloud-based, geographically distributed legal firm Culhane Meadows, encourages clients to carefully review providers’ security certifications and, if possible, to independently audit their internal operations. “If they’re having IT consultants access their systems remotely, for example, make sure they’re monitoring that access and cutting it off when it’s no longer necessary,” she said. Culhane Meadows itself has been remote since 2013.
The deep and wide security and engineering expertise of top vendors, such as Cisco and Microsoft, should engender relatively high levels of confidence among users, according to Gartner’s Hevesi. Even smaller SaaS offerings running on major cloud platforms, including AWS, Microsoft Azure and others, benefit from economies of scale and the considerable security resources of those vendors.
Alternatively, Hevesi would look twice at a startup SaaS provider working out of its own small data center. “Say they don’t patch their servers or run on a legacy version of TLS. Maybe they’re susceptible to [the] Heartbleed [bug], or they have no certifications or standards in their infrastructure. That would worry me,” he said.
Even so, enterprise CISOs don’t have to ban all small, up-and-coming cloud collaboration tools, and they don’t have to reinvent the wheel vetting them. According to Hevesi, virtually all cloud access security brokers (CASBs) actively assess an abundance of third-party SaaS applications and compile the results for easy reference. A CASB customer can also often submit a ticket requesting that the broker vet an app not yet in its database.
Even after initial vetting and adoption, organizations should periodically reassess their providers’ security, experts urged. “You can’t just throw your hands up in the air and assume they are doing the right thing,” Feaver said. “You have to have your own systems and checks in place.”
Research from Metrigy suggested that opening collaboration platforms to external users helps drive ROI. But prematurely flinging open the doors of a newly deployed collaboration app could invite catastrophic data leaks. With that in mind, Hevesi recommended that CISOs initially limit or even block users’ ability to invite outside parties.
“First, set [the collaboration platform] up, lock it down and make sure your security team knows how to manage it,” he said. As the cybersecurity team successfully adds layers of controls, such as multifactor authentication (MFA) and data loss prevention (DLP) policies, they can then slowly expand user permissions and extend third-party access.
Culhane Meadows has adopted a similarly measured approach to cloud collaboration security, according to Feaver. The firm relies heavily on Microsoft Teams for internal communications and plans to add external clients to the platform in the near future — but only after the security team finishes implementing a variety of identity-driven controls. “There will be security around who you can invite, what you share, who has access to what [resources] and for how long,” Feaver said.
About Culhane Meadows – Big Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields over 70 partners in ten major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly-efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2020 rankings and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.
The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.