By Suhaas Kodagali, Sr. Product Marketing Manager, Skyhigh Networks
The cloud is now a key component of the enterprise IT infrastructure. Recent research by Gartner shows that for new technology purchases, 16% of IT leaders consider the cloud as the first option while another 15% give it serious consideration. Not only are cloud technologies being used for mission-critical projects, enterprises are also storing an increasing amount of sensitive data in cloud services. Recent research on Office 365 usage by Skyhigh shows that the average company uploads 1.37 TB of data to Office 365 and that 17.5% of the uploaded documents contain sensitive data, including personally identifiable information, personal health information, company IP and source code. This increase in sensitive data on cloud services is an indicator of an evolution from productivity-enhancing apps to mission-critical IT services.
95% of cloud security failures are preventable
Gartner states, “Through 2020, 95% of cloud security failures will be the customer’s fault.” This indicates that even if the cloud services have up-to-date security credentials, companies may still be vulnerable to users who leak data willingly or inadvertently and to compromised accounts. So it’s glaringly clear that attention must be paid to how employees and insiders are using cloud services, not just to how cloud services are securing their infrastructure. The good news for companies is that they can directly prevent the vast majority (95%) of cloud security failures.
Addressing user-originated cloud risk with CASBs
Cloud Access Security Brokers (CASBs) are software solutions that act as a control point to secure cloud service usage by providing visibility, threat protection, compliance, and data security capabilities for the cloud. Enterprises are turning to CASBs for threat protection because of their ability to leverage dynamic data science models to analyze real-time cloud activity data in order to detect insider threats and compromised accounts. Gartner now defines CASBs as a “required” technology and says that by 2020, 85% of large enterprises will use a CASB product, up from less than 5% today.
The top cloud security threats detected by CASBs include:
- Threats from insiders/employees
The number of insider threat incidents is growing, with 89.6% of organizations experiencing at least one per month on average. Examples include departing salespeople downloading contact and opportunity information from cloud CRM applications or employees accidentally creating public links to share documents intended for internal teams. A CASB uses machine learning to determine thresholds on parameters such as login patterns or amount of data uploaded, viewed, shared, or accessed and uses these thresholds to identify abnormal or unexpected behavior while minimizing false positives. So, when an employee downloads a piece of information that is not part of the standard workflow, the CASB flags this as an anomaly to the admin for further investigation.
- Threats from privileged users
The NSA information leak by Edward Snowden was an important reminder of the fact that administrators or privileged users, while being an organization’s strongest line of defense, can also be the cause of devastating breaches if they abuse their privileges. A CASB provides details of privileged user activities such as accessing excessive amounts of sensitive data and modifying security settings, and uses this information to detect anomalous activity. It also identifies users with excessive privileges that can be curtailed, and dormant accounts belonging to former employees that should be de-provisioned to eliminate the risk that an attacker who obtains the account password can use it.
- Threats from third party usage
The Target breach, which exposed the personal information of more than 100 million customers, was traced back to network credentials stolen from a provider of refrigeration and HVAC systems. Companies make large investments to protect their internal systems, but often neglect vulnerabilities that arise from partners, consultants and third-party vendors that have access to critical company cloud systems. A common example is data leakage, caused by compromised credentials or malicious insiders, from folders shared with partners using cloud file sharing services. CASBs flag and remediate these breaches because they offer visibility into the data shared with each partner and also detect sudden changes in data access patterns from third parties using compromised credentials.
- Threats from compromised accounts
Skyhigh research indicates that 92% of companies have cloud credentials for sale on the Darknet and, with a booming underground market for compromised credentials, hackers are continuously looking for new ways to acquire user login credentials. A CASB is able to use information such as login attempts and the geo-location of access to detect compromised accounts. Repeated login attempts to an account indicate a brute-force attack, and geo-location analytics help identify impossible travel scenarios. In either of these cases, CASBs can provide automatic remediation by blocking access to the accounts or forcing multi-factor authentication, minimizing the risk and impact of a breach.
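As an added example (not code from the original post or from any CASB product), the two detections described above for insider threats and compromised accounts, run over a constructed activity log: a per-user download-volume baseline standing in for the CASB's learned thresholds (here a simple mean plus k standard deviations rule, which is an assumption, not the vendor's model), and an impossible-travel check on consecutive logins. All user names, coordinates and event values are constructed.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of CASB-style cloud activity events (not real data):
# (user, UTC time, action, megabytes, latitude, longitude)
EVENTS = [("alice", f"2016-03-01T09:{m:02d}", "download", mb, 37.77, -122.42)
          for m, mb in zip(range(0, 40, 5), [10, 12, 9, 11, 13, 10, 8, 12])] + [
    ("alice", "2016-03-01T18:30", "download", 4800, 37.77, -122.42),  # bulk export
    ("bob", "2016-03-01T10:00", "login_ok", 0, 40.71, -74.01),        # New York
    ("bob", "2016-03-01T10:30", "login_ok", 0, 31.23, 121.47),        # Shanghai, 30 min later
    ("carol", "2016-03-01T09:00", "login_ok", 0, 37.77, -122.42),     # San Francisco
    ("carol", "2016-03-01T11:00", "login_ok", 0, 34.05, -118.24),     # Los Angeles, 2 h later
]

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))  # great-circle distance in km

def volume_anomalies(events, k=3.0):
    """Flag downloads above the user's leave-one-out baseline of mean + k*stdev."""
    by_user = defaultdict(list)
    for e in events:
        if e[2] == "download":
            by_user[e[0]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for e in evs:
            others = [o[3] for o in evs if o is not e]  # history excluding this event
            # stdev floored at 1 MB so a flat history does not flag every small deviation
            if len(others) >= 2 and e[3] > mean(others) + k * max(pstdev(others), 1.0):
                flagged.append((user, e[1], e[3]))
    return flagged

def impossible_travel(events, max_kmh=900.0):
    """Flag a login whose distance from the user's previous login implies a speed no airliner reaches."""
    by_user = defaultdict(list)
    for e in events:
        if e[2] == "login_ok":
            by_user[e[0]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])  # ISO timestamps sort chronologically as strings
        for a, b in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(b[1]) - datetime.fromisoformat(a[1])).total_seconds() / 3600
            km = haversine_km(a[4], a[5], b[4], b[5])
            if km / max(hours, 1 / 60) > max_kmh:  # treat same-minute logins as one minute apart
                flagged.append((user, b[1], round(km)))
    return flagged
```

Only alice's 4800 MB export and bob's New York to Shanghai login pair are flagged; carol's San Francisco to Los Angeles logins two hours apart imply a plausible speed and pass.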
Cloud and on-premises protection: Businesses need both
Enterprises are facing increasingly sophisticated attacks on both their on-premises assets and their cloud-based services, and therefore need to protect both. The recently announced partnership between Bay Dynamics and Skyhigh Networks enables businesses to do just that. Bay Dynamics analyzes and correlates data from businesses’ security tools and creates cyber risk profiles detailing the behaviors of individuals (employees and third-party vendor users), providing visibility into what users are doing on the company’s network. The company also provides remediation options to IT and security teams and comprehensive reports for C-levels and the board. Skyhigh extends these capabilities to the cloud by collecting usage logs, analyzing them and feeding anomaly information back to the Bay Dynamics cyber risk analytics platform for incident remediation. Together they holistically detect information security threats wherever they are targeted, so companies can react and protect themselves from the devastating impacts of a data breach.