In her third installment of the In-House Legal Security series, senior director of product at Zapproved, Victoria Blake, explores five key cloud features that address security threats regarding governance, risk and compliance.
User Privilege, Identity and Risk
As the legal office moves further into the Governance, Risk, and Compliance (GRC) space, legal departments are increasingly being asked to understand and move fluidly in the GRC functions. At the heart of the GRC function is security: protecting against liability, protecting against threat, protecting against chaos. And at the heart of security is the concept of privilege and identity, i.e., some users can do what others can’t. Many of the most common security threats come via compromise of a privileged user. Each additional node of privilege increases the risk to the entire system.
Consider this use case:
Somebody in the legal department clicked on the link in that phishing email. They unwittingly installed malware on their machine, which tracked keystrokes and captured their passwords. In the background, a malicious third party signs into their account as a fully accredited user. Depending on the level of access the person had, the malicious actor can now download huge amounts of data, can see and export personally identifiable information (PII), and might even be able to access the communication layer by digging into the API (a method of communication between two different software systems).
5 Key Cloud Features That Address the Risks
The use case is relatively common. According to Phishing Box, 29% of breaches involve stolen credentials, and 94% of malware is delivered over email. How can a cloud vendor help mitigate the threat? A vendor can’t control the outcome of a phishing attempt, but we can control the risk with the following features:
1 - Multi-factor authentication (MFA)
By setting up multi-factor authentication, with or without SSO, you can make sure the user is who they say they are. With MFA enabled, phishing campaigns are not as effective. Even if credentials are stolen in the phishing attempt, the thief wouldn’t be able to use them without also compromising the user’s cell phone or Google Authenticator.
2 - Trusted IPs
This is the cousin of something your IT team is already using: the corporate IT allow-list / deny-list. The list establishes trusted IPs, which can be manually entered into an application interface, and the application blocks traffic from any IPs not listed. So, in the case of a successful phishing attempt, if the incoming traffic isn’t coming from a listed source, the phisher would be blocked.
3 - Session management
If a phisher got the credentials and was able to access the application, mature session management can limit the exposure. Mature session management includes limiting active sessions to one per user, allowing customization of session expiration, and alerting on requests for multiple active sessions.
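The trusted-IP and session-management controls above, as an added illustration (example code written for this article, not Zapproved’s product code); the trusted networks, the 15-minute session lifetime and the login sequence are constructed sample values:

```python
import ipaddress
import time

# Constructed sample allow-list (RFC 5737 documentation ranges), not real customer IPs.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
SESSION_TTL_SECONDS = 15 * 60  # assumed customer-configured session expiration


class SessionManager:
    """Enforces a trusted-IP allow-list, one active session per user, session expiry,
    and an alert trail for concurrent-session and untrusted-IP attempts."""

    def __init__(self, trusted_networks, ttl_seconds, now=time.time):
        self.trusted = trusted_networks
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry can be tested deterministically
        self.sessions = {}        # user -> (source_ip, expires_at)
        self.alerts = []          # (event, user, ip) tuples a SOC would forward to a SIEM

    def ip_allowed(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:        # malformed address: fail closed
            return False
        return any(addr in net for net in self.trusted)

    def login(self, user, ip):
        """Decide a sign-in with valid credentials. Returns 'ok', 'blocked_ip' or 'blocked_concurrent'."""
        if not self.ip_allowed(ip):
            self.alerts.append(("untrusted_ip", user, ip))
            return "blocked_ip"
        active = self.sessions.get(user)
        if active and active[1] > self.now():
            # A second session while one is live is exactly the stolen-credential pattern
            # the article describes: refuse it and raise an alert rather than silently allow.
            self.alerts.append(("concurrent_session", user, ip))
            return "blocked_concurrent"
        self.sessions[user] = (ip, self.now() + self.ttl)
        return "ok"


def simulate_phished_credentials():
    """Constructed scenario: the real user signs in, then a phisher replays the same credentials."""
    clock = [1_000_000.0]
    sm = SessionManager(TRUSTED_NETWORKS, SESSION_TTL_SECONDS, now=lambda: clock[0])
    decisions = [sm.login("alice", "203.0.113.5"),      # legitimate user on the office network
                 sm.login("alice", "198.51.100.10"),    # phisher from a trusted IP, session still live
                 sm.login("alice", "192.0.2.7")]        # phisher from an unlisted IP
    clock[0] += SESSION_TTL_SECONDS + 1                 # session expires
    decisions.append(sm.login("alice", "198.51.100.10"))
    return decisions, [a[0] for a in sm.alerts]
```

Each blocked attempt lands in the alert trail, which is the signal the legal or IT team reviews when a credential is suspected compromised.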
4 - Password controls
Corporate IT has good reasons for setting its password requirements, and every corporate IT department is a little bit different. Cloud vendors can build fine-grained password controls (including length, special characters, cadence of reset, blocking commonly compromised passwords, preventing password reuse, etc.) that allow the vendor to be in compliance with the customer’s internal policies.
5 - Inherited privilege
Near and dear to our hearts is the concept of “least privilege,” or “you only get access to the least amount of information needed to do your job.” Least privilege controls the amount of data that’s exposed by limiting the number of people who have access. Cloud vendors can control breach exposure by making sure their privilege and inheritance structure accomplishes two goals: getting the right users access to the right data, and keeping sensitive data out of the hands of the wrong users.
Privilege is like a secret: the more people who know it, the more likely it will spread. Controlling privilege and building controls on access and identity will allow you to keep your secrets secret.
Published August 18, 2020.