What Unique Cloud Document Indicators Can Reveal About Data Loss Risk

The enterprise is in the midst of massive cloud migration, as more companies seek the advantages of scalability and simplicity of storing and sharing documents in the cloud. For the last decade, the focus has been on how to easily facilitate this migration. This makes sense, as it’s not easy for companies to replicate years and years of enterprise network file structures and data tagging in the cloud. An entire cottage industry of cloud transformation companies cropped up that enables this. But until recently, little emphasis has been placed on the question, “How secure are my documents once they are in the cloud?”

Based on years of data-loss detection research and talking to customers who have found themselves in the middle of a nightmarish data breach, I can tell you most organizations have no idea where their confidential information goes or who has access to it. And it’s causing a lot of concern for security teams and risk managers. We have now reached an inflection point at which businesses are migrating sensitive data to the cloud faster than they can secure it. In ESG’s recent report, “Trends In Cloud Data Security,” 75% of enterprise security professionals said that 21% of their company’s sensitive data (PII, intellectual property, etc.) is now residing in a public cloud storage platform and is not properly secured. And 22% of security pros say they suspect they’ve lost data in a public cloud, while 50% know they have. Almost all are concerned that they have lost cloud-resident data, but they aren’t able to confirm it with the security tools they have in place.

Think Before Sharing That Link

Link sharing is a major risk that is growing in the enterprise. It’s far too easy for users to share an unsecured link that leads to a document stored in a cloud share, while IT teams have no way to monitor where the link has gone, who accesses that link and what happens to the document once it’s been downloaded or forwarded outside of the organization. Permission-setting mistakes are almost always the result of human error when it comes to sharing links. Users don’t check their security settings unless something goes wrong or someone from IT alerts them. Sharing document links without the proper permissions allows unauthorized views, and such links may be visible to automated crawlers, which can result in the document being indexed by a search engine bot. These linked files have even been known to turn up in Google searches.

Beware the Masked Imposter

Another major threat to cloud documents: masqueraders. These are individuals either inside an organization or external adversaries who have acquired legitimate user credentials and are now free to explore the treasure trove of documents stored in a cloud share, unfettered. On the surface, they look like legitimate users who seem to have the proper permissions to access files, but in reality, they’re casing the joint, looking for the crown jewels of data to exfiltrate, and are able to do so easily. Worse, uploading an executable is often as easy as right-clicking a file.

Harnessing the Power of Cloud Activity Logs

There is a way for security operations teams to improve monitoring, detection and response to risky behavior in cloud shares. Most, if not all, cloud platform vendors offer their users access to cloud activity logs. Cloud activity logs contain distinct time-stamped events from which one can extract meaningful temporal information about document flows, including how users interact with files and whether documents have been downloaded, uploaded or shared. Such log analytics can alert personnel to a range of risks, such as misconfigured cloud-share access controls or user security violations in which a shared link gives an unsanctioned user access to a broad collection of documents.

What are some of the activities security teams can uncover by leveraging cloud activity logs? Here are some top behaviors that should raise eyebrows and warrant a deeper investigation.

  1. Sudden download of files not needed to perform day-to-day work. This can include files that are out of the ordinary, such as documents an individual doesn’t need to do their daily work or documents that are the domain of another department. It could be a sign that an insider is snooping for data or that a legitimate user’s credentials have been stolen and the masquerader is poking around for valuable data to exfiltrate.
  2. Downloading volumes of files in bulk. This could be a sign that an employee is preparing to share trade secrets or intellectual property or that a legitimate user’s credentials have been compromised. An overly diligent employee may be syncing a large cache of corporate documents “for safekeeping,” which extends the risks to the employee’s “out of band” home machine, for example.
  3. Accessing documents from atypical or impermissible geolocations. When an individual is suddenly downloading or accessing files from locations where your organization doesn’t have an office, or where no employees are traveling, it deserves your attention.
  4. Changes in device types. This one is all about context. If an individual who has always used a company-issued device is now suddenly accessing files from a different or unrecognized device, this is a good indicator of a masquerader at work.
  5. Renaming of corporate files or changing file extension types. A masquerader using a legitimate user’s stolen credentials may upload executable files (.exe) that could contain malware or spyware. Such uploads are good indicators of credential theft and are clearly risky events.

Responding to Risky Behaviors

If security teams are seeing risky behaviors, the first step is to investigate the user directly to learn if they indeed performed the notable events. It may be necessary to suspend user accounts until the issue is resolved. With some cloud security solutions, IT teams can actually revoke access to files. Sometimes the behavior can be a false alarm, but it’s never a waste of time or resources to investigate it.

Upon investigation, if your user indicates that they have not, to their knowledge, been accessing unusual files, uploading executable files or downloading bulk volumes of files, it’s likely that their credentials have been compromised. The user’s account must be suspended and new credentials need to be issued. Any uploads by that user account should be quarantined for investigation. Any downloads by that user account are likely examples of specific data loss. My advice is to gather all of the information, including download locations, to investigate the extent of the loss.

Applying AI to Cloud Security Risk Monitoring

Sifting through the behavior data captured in cloud activity logs isn’t an easy process. That’s where artificial intelligence could provide some help. It’s possible that the information in cloud activity logs could be automatically analyzed using AI, machine learning or other technologies to lessen the workload of security professionals. Rather than spending resources digging through cloud logs, it is possible to send teams real-time notifications when cloud security policies are violated or when unsanctioned users open or download cloud-resident files that weren’t meant for them. AI can be applied to enterprise cloud-shares to learn what constitutes normal behavior for each user. Once a normal baseline has been established, security teams can set up parameters so that any activity outside of that baseline sends an alert.
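The five indicators listed earlier and the per-user baseline described here, worked through as an added example (not code from the article or from Allure Security). It learns each user's normal folders, countries and devices from a constructed history and then flags review-window events that fall outside that baseline; the event format, the country code "XX", the download threshold and the device names are all assumptions made for the example.

```python
from collections import Counter, defaultdict, namedtuple
Event = namedtuple("Event", "user action path country device")

# Constructed sample events (not real platform data): one entry per logged action.
HISTORY = [  # a month of normal activity used to learn each user's baseline
    Event("alice", "view", "/Finance/q1.xlsx", "US", "corp-laptop-01"),
    Event("alice", "download", "/Finance/q2.xlsx", "US", "corp-laptop-01"),
    Event("bob", "view", "/Sales/leads.csv", "US", "corp-laptop-07"),
]
RECENT = [  # the review window; trailing comments give the indicator number
    Event("alice", "download", "/Engineering/roadmap.pdf", "US", "corp-laptop-01"),  # 1
    Event("alice", "view", "/Finance/q1.xlsx", "XX", "unknown-android"),            # 3, 4
    Event("alice", "upload", "/Finance/update.exe", "US", "corp-laptop-01"),        # 5
] + [Event("bob", "download", f"/Sales/acct{i}.csv", "US", "corp-laptop-07")
     for i in range(25)]                                                            # 2

BULK_THRESHOLD = 20   # downloads per window; assumed value, tune per organization
EXEC_EXTS = (".exe",) # the article names .exe; extend to suit the environment

def top_folder(path):
    return path.split("/")[1]  # "/Finance/q1.xlsx" -> "Finance"

def build_baseline(events):
    """Per-user sets of folders, countries and devices seen during normal use."""
    base = defaultdict(lambda: {"folders": set(), "countries": set(), "devices": set()})
    for e in events:
        base[e.user]["folders"].add(top_folder(e.path))
        base[e.user]["countries"].add(e.country)
        base[e.user]["devices"].add(e.device)
    return base

def find_indicators(baseline, events):
    """Return (user, indicator, detail) tuples for activity outside the baseline."""
    alerts, downloads = [], Counter()
    for e in events:
        b = baseline[e.user]
        if e.action == "download":
            downloads[e.user] += 1
            if top_folder(e.path) not in b["folders"]:      # indicator 1
                alerts.append((e.user, "unusual_document", e.path))
        if e.country not in b["countries"]:                  # indicator 3
            alerts.append((e.user, "atypical_geolocation", e.country))
        if e.device not in b["devices"]:                     # indicator 4
            alerts.append((e.user, "unrecognized_device", e.device))
        if e.action in ("upload", "rename") and e.path.lower().endswith(EXEC_EXTS):
            alerts.append((e.user, "executable_file", e.path))  # indicator 5
    for user, n in downloads.items():
        if n >= BULK_THRESHOLD:                              # indicator 2
            alerts.append((user, "bulk_download", n))
    return alerts
```

A user with no history gets an empty baseline, so every event of theirs is flagged until enough normal activity has been observed; in practice the baseline window should be rebuilt on a rolling schedule.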

Finding an approach that offers the right balance between productivity and security is important when it comes to the cloud. Organizations won’t forgo the benefits that motivated them to migrate to the cloud in the first place, but at the same time, they need safeguards that will protect confidential information in the cloud. Visibility must be at the core of any cloud security strategy. Security operations teams will struggle to control access to cloud documents until they make end-to-end visibility a priority. A key component to any cloud security solution is the ability to track the flow of information, detect early breach activity and respond with countermeasures.

Salvatore Stolfo


Dr. Salvatore Stolfo is the founder and chief technology officer of Allure Security. As professor of Artificial Intelligence and Computer Science at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Early in his career he realized that the best technology adapts to how humans work, not the other way around. Dr. Stolfo has been granted over 73 patents and has published over 230 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, NIST, and DHS.
