By Salvatore Stolfo on Nov 16, 2018 12:20:39 PM
According to a new survey conducted by ESG, 75% of organizations reported that they believe that at least 20% of their sensitive data stored in public clouds is insufficiently secured. Also, 81% of those surveyed believe that on-premise data security is more mature than public cloud data. Yet, businesses are migrating to the cloud faster than ever in order to maximize organizational benefits: an estimated 83% of business workloads will be in the cloud by 2020, according to LogicMonitor’s Cloud Vision 2020 report.
Based on this data, we can see an increasingly urgent situation in which organizations are migrating their sensitive data to the cloud, for productivity purposes, at a faster rate than security controls are evolving to protect that data. Breaches and leaks continue to be a daily occurrence, and traditional tools have not kept pace with the techniques used to steal data. Yet, enterprises feel they have no choice but to invest in cloud migration to enable faster innovation and collaboration among departments, as well as with third-party partners and other stakeholders.
On-prem Security Approaches are Less Effective in the Cloud
Over the years, we’ve seen many attempts to solve the disconnect between cloud-based data storage and related security risks. For example, Data Loss Prevention (DLP) platforms and cloud access security brokers (CASB) were designed to help organizations get a handle on their employees’ use of cloud services – both official and unsanctioned. But neither of these approaches offer the ability to detect data loss once they leave the cloud-share environment. DLP and CASBs are also limited by data classification challenges - namely, structured vs. unstructured data, as well as the requirement for endpoint agents.
Digital Rights Management (DRM) gained popularity, especially with media and entertainment organizations, because of its open-source nature and permission-based approach. However, this approach also requires endpoint agents, and hinges upon the user establishing enterprise-wide document classification ahead of the deployment.
More recently, in the deception technology category, we’ve seen the rise of fake “honey” environments using honeynets and honeypots designed to lure attackers away from real assets and distract them. However, this approach requires considerable up-front investment from organizations to properly construct and maintain these fake environments, and fails to fully address data stored and shared in the cloud.
User behavior analytics (UBA) offer some interesting and useful data on how attackers, including insiders, move around in a system and look for documents to exfiltrate. But most of these products are blind to activities such as downloading files from home, and fail to provide more insight into where these documents may go after the download.
The common threads among all of these approaches is that they can’t detect malicious behavior disguised as legitimate access, they don’t assist with attribution and none track data once it leaves the cloud-based repository.
Masqueraders and Leakers: Two Big Threats to Cloud Security
There are two types of attacks that go largely undetected within organizations:
- Masqueraders: These are hackers that access cloud shares via stolen credentials and masquerade as legitimate users to access sensitive files. These types of attacks can be politically motivated, like nation-state scenarios. Or financially motivated in cases like ransomware, or selling intellectual property (IP) and personally identifiable information on the dark web.
- Leakers: These are either employees or trusted third-parties who have legitimate access to sensitive data in the cloud, and abuse this access to leak information to unauthorized parties. Insiders tend to be motivated by personal gain, such as selling IP to competitors for money or using it as leverage for a job offer. Or they are driven by revenge if they feel wronged, providing confidential information to news outlets or publishing it on public sites to embarrass the company.
Both masqueraders and leakers gain access to sensitive data in the cloud by stealing or “borrowing” user credentials that don’t belong to them. This gives them the power to move unfettered through cloud file shares in search of valuable data to exfiltrate. And to the watchful eyes of a DLP, DRM or UBA-based solution, this looks like legitimate behavior by an approved user.
Securing data in and outside the cloud share
The ESG survey reveals that 50% of survey respondents say they “know” that they have lost cloud resident data; another 22% admit they “may” have lost data, and 3% say they “don’t know” whether they’ve lost cloud-resident data. Clearly, more visibility and insights into documents stored in the cloud, regardless of where they travel, is a top concern (or should be).
By taking an approach that embeds data security into the data itself at the file level, as opposed to securing the system or cloud architecture, organizations can reduce risks associated with storing and sharing documents in the cloud. Even when documents are downloaded and shared with other recipients outside of the cloud, embedded security technology keeps on working, giving enterprises more granular visibility into which users, employees, contractors or third parties, are opening files, and with whom they’re sharing these documents.
This approach can alert security teams to unsanctioned access to sensitive data within the cloud platform, allowing them to investigate alerts more quickly and potentially shut down attempts to exfiltrate documents and revoke access to bad actors. Teams can also use data gleaned from document logs to monitor access patterns and abuse of policy within the corporate cloud share.
As organizations shift data to the cloud for easy sharing and collaboration purposes, organizations should demand new security approaches that provide reliable visibility and security without interfering with those goals.