More businesses around the globe are moving their data to cloud-hosted environments than ever before. In fact, Gartner predicts the worldwide public cloud services market will grow to $246.8 billion this year, an increase of 18 percent from $209.2 billion in 2016. With this migration comes an increase in concern for information security. After all, shifting company data, processing and systems to an environment controlled by a third party doesn’t relieve a data owner from its obligation to protect the data, nor from the fallout of damages that follow data breaches.
In response, cloud service contracts now commonly include extensive provisions addressing data use and ownership, confidentiality, required security controls, liability, and audit and monitoring rights. Due diligence in the vendor selection process also now routinely includes a full review of all third-party attestations regarding security controls and related certifications.
While these measures are helping, they often create a false sense of security, leaving several other key areas overlooked. Beyond ensuring that their vendors’ environments are secure, companies must also ensure that they themselves have implemented controls for data movements in and out of the cloud environments and for user access to these environments. With regard to the latter, the inability to detect, protect and respond to unauthorized access to cloud-hosted systems, especially through compromised, spoofed or forged credentials, can increase risk significantly. Companies need to carefully monitor how their employees are interacting with the hosted services to proactively detect improper access by malicious actors and take remedial measures.
Unfortunately, doing so isn’t always easy. While many cloud applications offer some level of logging user access and activity, the logs require active review by a system administrator. This is a manual task that is both time-consuming and tedious. Furthermore, the shift to cloud services is often accompanied by a shift in the responsibility for system administration from IT to the business unit managers whose functions align with that service. These managers are not usually trained in IT system security and rarely (if ever) review these logs except, perhaps, in response to an adverse incident. This ad hoc manual review by untrained administrators often leaves anomalies in access patterns or inappropriate data exports completely undetected.
The challenges don’t end there. It may be difficult to tell whether employees are accessing cloud apps from unmanaged or unsecure personal or public computers. It may also be difficult to detect access from known suspicious hosts, devices, countries or locations, at unexpected times of day, or with anomalous access patterns. The company may also have little insight into which users are sharing data, what data they are sharing and with whom. The result may be a failure to distinguish between routine and anomalous user activity, and a failure to then deny access when needed to stop data loss. A malicious actor who has acquired valid user credentials through malware or social engineering can go undetected for months. Given that even midsize companies now often deploy several hundred, or even thousands, of cloud systems, this can create a massive security gap.
The problem is exacerbated by the common habit of employees using the same passwords for multiple systems, both personal and business. This means that when less secure systems are compromised, such as an employee’s personal social media account, so too are your business systems – if that employee was using the same credentials for both. Further, lost or forgotten credentials are often easily recoverable through authorized email accounts, which means that a malicious user who gains access to an employee’s email can easily gain access to cloud systems by requesting a password reset. New passwords are sent to the employee’s compromised email account, and the hacker is then free to steal or modify data, lock out users or simply lurk and collect sensitive information over time. If the targeted employee had administrator rights, the damage could be compounded significantly.
All is not lost, however. As more and more companies adopt cloud-based services in their IT models, a new set of cloud-based security solutions has emerged to address the gaps. These solutions are interchangeably referred to as cloud access security brokers (CASBs) or cloud security gateways (CSGs). By leveraging the data feeds of company cloud platforms, these solutions serve as a single monitoring and control portal for company security managers. They also commonly allow for visual reporting and trending of use, activity and incidents in user-friendly dashboards. Functionality differs across solutions, but common elements often include personal device access control and policy enforcement, user identity management across cloud provider platforms and single sign-on control using company issued and managed credentials. They may also give companies the ability to proactively detect and intercept unusual or fraudulent activities. While such solutions are still quite new, counsel for any company leveraging cloud services should be considering how these tools fit into their cyber risk management strategy.
David White is a director at AlixPartners, where he advises clients on information governance, information security and electronic discovery. He can be reached at [email protected].
Published September 21, 2017.