Why Insider Threat Risk Grows When Moving to the Cloud
As organizations move to the cloud, their enterprise data is increasingly created, used, and stored across a variety of SaaS and cloud-based service providers. While these services certainly bring new efficiencies and, in some cases, improved platform security, they also bring new risks -- and enterprise security teams need to know what goes on behind the curtain of their SaaS and cloud partners when it comes to how their data is protected.
Specifically, the potential for insider abuse and misuse of data in the cloud is a serious risk, but one that is easy to overlook and difficult to measure. When data is moved to the cloud, members of the cloud vendor’s internal staff will often have access to their customer’s data, for such legitimate business purposes as fulfilling DevOps, customer support, and product development functions. As more people have access to sensitive data, there is naturally more opportunity for that data to be improperly accessed, exposed, or otherwise abused. As organizations adopt more cloud-based services, their insider threat risk can easily grow by orders of magnitude. Even worse, this risk is almost completely invisible to the enterprise security team, which has no way to monitor, assess, or reduce it.
These risks are playing out in real-world events today, and organizations need to be able to take action. Documents such as Data Protection Agreements (DPAs) may help to provide air cover for legal and compliance issues, but they do little to address real data risk. Organizations need to be able to ensure that their sensitive data and IP remain safe in the cloud, and this requires organizations to press their vendors on the details of data security.
First, it is important to understand that the insider risk associated with the cloud and partners is already present. Recently disclosed incidents at Internet giants such as Facebook and Google have proven that even the largest, most technically advanced organizations can be vulnerable to insider threats. A new book has alleged that Facebook engineers abused their access to stalk Facebook users. While Facebook data is probably not a major concern for most enterprises, it is a stark reminder that a service provider’s engineers will have access to sensitive data that can be abused in very serious ways.
Likewise, leaked documents have shown that Google fired employees for misuse of internal user and employee data. According to the anonymous source, many of the issues related to the “inappropriate access to, or misuse of, proprietary and sensitive corporate information or IP.” Even ransomware campaigns have begun recruiting insiders at service providers as a way to gain access to organizations’ data.
These incidents require organizations to reevaluate how they think about their data risk. While it is easy to think of “moving to the cloud” in abstract terms, we have to remember that for the vast majority of those services, there are real human beings with access to data and systems that can have a considerable impact on an organization’s security. That risk only mushrooms as enterprises adopt more SaaS apps and services.
Understanding the roles of SOC 2, GDPR, and DPAs
Service providers already face a variety of regulations and requirements when it comes to protecting their customers’ data. For example, all providers will need to adhere to GDPR requirements, and most SaaS vendors will additionally choose to pursue SOC 2 certification. It is important to understand what these cover, what they don’t, and how they can be made stronger.
SOC 2 certification is an important step for many SaaS vendors, as it provides a way to show they meet certain industry standards for protecting customer data. For example, SOC 2 covers the core areas of security, availability, integrity, confidentiality, and privacy of data. However, while SOC 2 certification is common, it is not explicitly required. Additionally, the scope of the SOC 2 certification can vary for each provider. At a high level, SOC 2 will apply to any infrastructure that directly or indirectly processes customer data.
However, it is also important for providers to understand where data goes after it leaves these systems. For example, if an internal user has access to customer data, the provider needs to have visibility and control over how that data is used or shared. If the customer data is directly or indirectly uploaded to another SaaS system, then that system would be in scope for SOC 2 and would need to be as secure as the system being certified. Or if an employee attempted to copy data to removable media, the provider would need security controls to be able to detect and prevent that removal of data. In short, providers should consider not only the systems related to SOC 2, but also how the data related to those systems can sprawl throughout the organization.
As a part of GDPR, service providers may need to establish data protection agreements or DPAs with their customers. However, such agreements may only apply to regulated GDPR data, such as customer PII, while doing almost nothing for an organization’s trade secrets or intellectual property. Additionally, DPAs are often used by service providers to mitigate their legal risk in relation to data. However, customer organizations need to make sure that security measures are in place that focus on mitigating their data risk, not just the legal and regulatory risk of the provider. Also, it is often difficult for a SaaS customer to audit or verify that their provider is adhering to the DPA. SaaS vendors and their customers may want to work together to establish reporting tools that can document the efforts related to the DPA on an ongoing basis.
Making data security a cloud differentiator
Enterprises may not have direct control over the insiders at their service providers, but that does not mean that they are powerless to protect their data. As customers, enterprises are in a position to drive their service providers to implement strong data security controls that are appropriate for the type of data being stored in the cloud service.
Cybersecurity is already a priority for almost every enterprise SaaS and cloud vendor, and many treat security as a key differentiator. However, many of these security efforts focus on external threats, while risks from insiders remain a comparative blind spot. Many such services will be eager to bolster their insider threat protection and data security if they know it is a priority for their customers.
However, as with all security topics, the details are important. It isn’t enough for providers to throw out general security platitudes about adhering to security best practices. Most service providers will likely have user-based access controls to ensure only a limited number of users are allowed to access data. However, enterprises should also require verifiable policies and controls that follow their specific data and assets. While the details will naturally vary from provider to provider, we have included a few common considerations to help security leaders drive constructive discussions with their cloud providers:
1. Are data controls appropriate for the data being protected? Traditional data security tools such as DLP products are often limited to controlling highly structured data such as databases of user information.
However, SaaS and cloud vendors are increasingly in possession of a wide variety of data types such as financial data, intellectual property, source code, design documents, and project plans, just to name a few. Any of this data could have value to a malicious insider, and service providers need to ensure that controls are available to accurately track and control the usage of any sensitive customer data regardless of type. For example, a vendor may need to export data to run reports or perform troubleshooting, and this could include many different types of content or file formats. Providers need to be able to control and subsequently track what happens to all types of content or files that are used.
2. Can the solution detect and block risky data usage? A service provider’s staff naturally may need to access enterprise data in order to do their job. However, security controls need to be able to identify and prevent data from being used in risky or unapproved ways. This introduces a critically important point: a user may be allowed to access sensitive data, but controls need to be in place to ensure it isn’t misused after it has been accessed.
For example, an administrator may need to be able to access a customer’s design files to troubleshoot a problem. However, security controls need to remember that those files are sensitive based on the fact that they came from a customer’s data set. Controls should be in place to ensure that data isn’t forwarded, copied, or shared using any unapproved or risky applications or features. Likewise, security teams need to be able to identify any abnormal access, sharing, or usage that could indicate malicious insider behavior.
3. Can data be tracked and controlled on a per-user or per-customer basis? Many providers simply control access to specific repositories where customer data is held. However, this broad level of visibility may not be able to tell a specific customer if their data is being misused. Particularly when it comes to intellectual property and sensitive data, a service provider may want to consider data protections that can track, enforce, and document the flow and usage of data on a per-customer basis. Once again, this requires a granular and persistent understanding of where data comes from. The SaaS vendor needs to be able to track and document exactly where a specific customer’s data has traveled, not just all customer data.
4. Can the solution provide auditing and reporting covering all the capabilities listed above? Ultimately cloud customers will want to be able to verify that their provider is living up to their security responsibilities. As a result, security tools should make it easy for providers to audit risks to their data and validate that controls were properly applied.
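The considerations above (persistent sensitivity on exported or copied files, blocking egress to unapproved apps or removable media, and per-customer tracking and reporting) can be sketched as a small provenance-tracking audit. This is an added example, not Cyberhaven's product or code; the event format, the approved-app list, and the sample events are constructed assumptions.

```python
"""Per-customer data-lineage audit over provider-side activity events.

Added example (not Cyberhaven's code): a file that originates in a
customer's data set keeps that customer's tag through local copies and
renames; any egress of a tagged file to an unapproved app or to removable
media is recorded as a finding under that customer, so the report can be
shown to that customer rather than only to "all customers".
"""
from collections import defaultdict

# Constructed: the only egress channel the provider approved for customer data.
APPROVED_APPS = {"ticketing"}

# Constructed sample event stream: (actor, action, source, destination, customer).
# 'customer' is set only on the initial read from a customer's data set.
EVENTS = [
    ("admin1", "read", "cust-a/design.dwg", "/tmp/design.dwg", "cust-a"),
    ("admin1", "copy", "/tmp/design.dwg", "/tmp/notes/design-v2.dwg", None),
    ("admin1", "upload", "/tmp/notes/design-v2.dwg", "app:ticketing", None),
    ("admin1", "upload", "/tmp/design.dwg", "app:personal-chat", None),
    ("dev2", "read", "cust-b/report.xlsx", "/home/dev2/report.xlsx", "cust-b"),
    ("dev2", "copy", "/home/dev2/report.xlsx", "usb:/E/report.xlsx", None),
    ("dev2", "upload", "/home/dev2/readme.txt", "app:personal-chat", None),
]


def audit(events, approved_apps=APPROVED_APPS):
    """Return {customer: [finding, ...]} for every egress of tagged data."""
    origin = {}                       # local path -> customer whose data it derives from
    findings = defaultdict(list)
    for actor, action, src, dst, customer in events:
        if action == "read" and customer:
            origin[dst] = customer    # sensitivity sticks to the local copy
            continue
        tag = origin.get(src)
        if tag is None:
            continue                  # untagged file: not derived from customer data
        if action == "copy":
            if dst.startswith("usb:"):
                findings[tag].append(f"{actor} copied {src} to removable media {dst}")
            else:
                origin[dst] = tag     # derived copy inherits the customer tag
        elif action == "upload":
            app = dst.partition(":")[2]
            if app not in approved_apps:
                findings[tag].append(f"{actor} uploaded {src} to unapproved app {app}")
    return dict(findings)
```

Running `audit(EVENTS)` reports one finding for cust-a (the upload to the unapproved chat app) and one for cust-b (the copy to removable media); the approved ticketing upload and the untagged readme produce nothing.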
Naturally, this is not an exhaustive list of what service providers and their customers will want to consider when it comes to their data security in the cloud. However, it provides a good start that can help cloud vendors and customers work together on a security strategy that keeps data in the cloud protected from all manner of risks, including those caused by malicious or accidental actions. To learn more about how Cyberhaven can protect your data across the enterprise and cloud, contact our team.