“Defense in depth” is the mantra for information security departments dealing with the cloud. With so many applications, entry points, users, servers, and more to manage, the security tech stack is expanding. So what must security and IT professionals look out for when managing their organizations’ cloud landscape?
The Cloud Security Alliance’s most up-to-date Treacherous 12 list details some of today’s most common cloud security threats, as noted by industry experts. These threats are:
- Account hijacking
- Data breaches
- Denial of service
- Insufficient due diligence
- Insufficient identity, credential and access management
- Malicious insiders
- System vulnerabilities
- Abuse and nefarious use of the cloud
- Data loss
- Insecure interfaces and APIs
- Shared technology vulnerabilities
- Advanced persistent threats (APTs)
Security professionals must pay attention to all layers of cloud data, from the data center and database to middleware, applications, and networks and communications. Application security in particular can be tricky, as many users may believe that a cloud platform or service provider handles all security, compliance, and privacy requirements, even for the user’s own data. The truth is that providers are only responsible for the actual security of their platform (and may still fall short even in that area). The user is responsible for their own data security, even within an application.
So how can application security measures help manage some of the largest looming cloud security threats? Let’s look at a few threats that can emerge at the user level.
Threat #1: Data breaches
“Data breach” is a phrase that strikes fear into the heart of any information security professional, and with good reason. According to Kaspersky, a data breach can cost an enterprise company an average of $1.23 million – 24 percent more than in 2017 and 36 percent more than in 2016. This tally includes:
- Infrastructure improvements ($193,000)
- Insurance premiums ($180,000)
- Lost business ($131,000)
- Training ($137,000)
- External resources ($126,000)
- New staff ($106,000)
Data breaches can come through almost any layer, from external or internal sources. They may be malicious or simply the result of human error, application vulnerabilities, or poor security protocol. And they can decimate an organization’s bottom line and its reputation.
When your organization uses cloud technology to store any type of sensitive information – credit card data, PII, PHI, etc. – there’s the possibility that the data could be exfiltrated and used for personal financial gain, blackmail, and more. Applications like Salesforce, which hold vast amounts of data for many companies, can become vulnerable when insiders, whether colluding with external attackers or acting on their own, can access and export data unchecked. Compromised credentials can also factor into data breaches, giving external bad actors wide latitude to cause damage.
It takes an average of 206 days to discover a data breach. By that point, it can be too late. But with a proactive monitoring program, organizations can get an unprecedented level of visibility. Certain solutions, like a CASB or DLP, may block access or prevent data from being removed altogether. Others can monitor access and usage, relying on behavioral analytics to determine potential breaches in the making. Then, you can be proactively notified of any unusual behavior, like users logging in from restricted locations or after hours, or a high number of exports.
Threat #2: Insufficient identity, credential and access management
One cause of data breaches may be a lack of scalable identity access management systems, lack of multifactor authentication, weak password use, or a failure to implement ongoing automated rotation of cryptographic keys, passwords, and certificates. Many different approaches, from basic security policies to CASBs, can help button up identity, credential, and access management.
Specific solutions may also complement these tactics. For instance, a proactive monitoring and alerting platform may be able to tell you when a privileged user modifies passwords to applications like Salesforce or Dropbox, potentially making them less secure. You could also receive alerts when an administrative user downgrades password requirements, eliminating the need to frequently change an application password or to include specific formatting intended to make the password more secure.
You might also look for a solution that integrates identity intelligence, allowing you to correlate user identities across applications for a full picture of user access of your cloud applications.
Finally, security professionals will often want an identity management system that supports the immediate de-provisioning of access upon job termination or role changes. But when that de-provisioning does not occur, proactive monitoring solutions can monitor for former employees or contractors attempting to log into a cloud instance.
Threat #3: Insecure interfaces and APIs
Applications like Salesforce, Office 365, and Google Drive will often interact with application programming interfaces (APIs) to enhance the features and usability of core cloud applications. These APIs, however, will also gain access to your organization’s data, effectively doubling your attack surface (or more, depending on how many APIs you run).
A good security program will include guidelines and workflow for authorizing and managing APIs, but employees may still make judgment calls that can expose valuable company resources to bad external actors. A proactive monitoring solution for cloud applications can monitor for the unauthorized installation of APIs, ensuring that any missteps can be corrected and employees retrained on proper protocol.
Threat #4: Account hijacking
Another major cause of data breaches is account hijacking, which can include phishing, fraud, or exploitation of software vulnerabilities. According to the CSA, cloud solutions add a new threat to this age-old, yet still highly effective, landscape.
In addition to prohibiting the sharing of account credentials and leveraging strong 2FA where possible, “all accounts and account activities should be monitored and traceable to a human owner, even service accounts,” the Alliance recommends. A monitoring program can look for cases where a user may be logging in from a suspicious or prohibited location or IP, or during hours when they’re not normally working. These may be signs of a hijacked account, and can trigger an internal incident response that mitigates the damage.
Threat #5: Malicious insiders
Sixty percent of data breaches are caused by malicious insiders. U.S. CERT defined an insider threat as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
Insider threats may also be due to human error, rather than only being attributable to bad actors. Employees just trying to “get the job done” may authorize an insecure API, export a customer list and store it in a vulnerable location, or change security controls in an application, leaving it open to vulnerabilities.
In a couple of recent examples, employees at gaming company Zynga copied a large volume of highly confidential data from the company’s Google Drive account to a local USB – then left the company and joined a rival startup.
And a T-Mobile company in the Czech Republic caught an employee who was “part of a small team that worked with customer data” trying to sell 1.5 million customer records on the black market. Similar stories have come out of Morgan Stanley, the FDIC, and Tesla. By monitoring and setting up alerts on specific user behavior, like an unusually high number of reports accessed or exported in Salesforce, companies can broaden their safety net by catching malicious insiders in the act.
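The monitoring rules described under Threats #1, #2, #4 and #5 (restricted-location and after-hours logins, logins by de-provisioned accounts, unusually high export volume) can be expressed as a small detector over application audit events. This is an added example, not code from any vendor or from the original article; the event format, policy values, user names and history figures are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed policy values (assumptions for this example, not from any product).
ALLOWED_COUNTRIES = {"US", "CA"}
WORK_HOURS = range(7, 20)      # 07:00-19:59, timestamps assumed to be user-local
DEPROVISIONED = {"bob"}        # accounts already marked terminated by HR
SIGMAS = 3.0                   # export alert threshold above the user's own mean
DEFAULT_CAP = 1000             # rows/day cap for users with too little history

# Constructed audit events: (timestamp, user, action, country, rows exported).
EVENTS = [
    ("2024-03-04T09:12:00", "alice", "login", "US", 0),
    ("2024-03-04T10:05:00", "alice", "export", "US", 120),
    ("2024-03-04T11:00:00", "bob", "login", "US", 0),
    ("2024-03-05T02:30:00", "carol", "login", "US", 0),
    ("2024-03-05T02:41:00", "carol", "export", "US", 5000),
    ("2024-03-05T10:00:00", "dave", "login", "FR", 0),
    ("2024-03-05T14:00:00", "erin", "login", "US", 0),
    ("2024-03-05T14:20:00", "erin", "export", "US", 2500),
]
# Constructed baseline: rows exported per day over each user's recent history.
HISTORY = {"alice": [100, 150, 120, 130, 110, 140], "carol": [40, 60, 50, 55, 45]}

def detect(events, history):
    """Return sorted (user, rule) alerts for the login and export rules."""
    alerts, daily_rows = set(), defaultdict(int)
    for ts, user, action, country, rows in events:
        when = datetime.fromisoformat(ts)
        if action == "login":
            if user in DEPROVISIONED:
                alerts.add((user, "deprovisioned_login"))
            if country not in ALLOWED_COUNTRIES:
                alerts.add((user, "restricted_location"))
            if when.hour not in WORK_HOURS:
                alerts.add((user, "after_hours_login"))
        elif action == "export":
            daily_rows[(user, when.date())] += rows
    for (user, _day), total in daily_rows.items():
        past = history.get(user, [])
        # Per-user baseline; floor sigma at 1 so a flat history is not hair-trigger.
        limit = (mean(past) + SIGMAS * max(pstdev(past), 1.0)
                 if len(past) >= 5 else DEFAULT_CAP)
        if total > limit:
            alerts.add((user, "export_spike"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, rule in detect(EVENTS, HISTORY):
        print(f"ALERT {rule}: {user}")
```

Users with fewer than five days of history fall back to the fixed daily cap, so a new or rarely active account cannot export freely just because it has no baseline yet.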
Threat #6: Insufficient due diligence
When it comes to choosing a solution to enhance your cloud security tech stack and target application vulnerabilities, it’s important to conduct due diligence. How is your data accessed and stored? What are your responsibilities, and what does the provider handle? What security certifications does the company hold? What frameworks does it map to? There’s a lot to consider when adding a cloud provider – even a security provider – and due diligence is essential to avoid introducing new threats into the organization.