Do you know who is accessing your data in the cloud?
According to a study conducted by Laminar, one in three respondents didn’t know if a third-party actor was able to successfully compromise their data in the public cloud. Nor did respondents have much insight into the behavior of insiders, who could be accidentally accessing sensitive data without permission.
“It has become more challenging than ever for companies to have visibility into where their data resides, who has access to what and why,” explained Laminar CEO Amit Shaked.
Even with procedures such as MFA in place to protect information, business leaders and security teams have to assume that bad actors, both inside and outside the organization, are gaining access.
But even when they know this is happening, the problem remains a lack of visibility. That's due, in part, to how we think about the way data is accessed.
“Data access is often not via user accounts,” said Shaked, “but by system accounts that use tokens or API keys to get access where MFA may not be practical.”
Why Are Security Teams Still in the Dark About the Cloud?
Cloud security has plagued security teams for years, and understanding data access is only one part of the problem. The inability to log critical datasets that would show abuse, exploitation or data exfiltration techniques creates an environment that keeps security teams from having a clear vision into how data is accessed and used in an API infrastructure.
As cloud use becomes more ubiquitous in organizations, scale and complexity will continue to challenge security teams.
“It is hard for security teams to manually maintain a clear picture of who has access to their cloud when access to each component of the cloud, even down to a single data object, can be configured separately,” said Mohit Tiwari, co-founder and CEO at Symmetry Systems, in an email interview.
“No organization even has a single cloud anymore, but a connected mesh of public and private clouds,” Tiwari continued. “The scale and complexity of millions of data objects across thousands of data stores in multiple clouds, multiplied by a seemingly infinite combination of roles, permissions for thousands of user and machine identities would be pretty challenging for CISOs to secure even if it stayed constant; however, the billions of objects form over months or years and change constantly.”
Identity and access management is necessary to administer permissions, but in reality permissions are grouped and managed based on chunks of data, and least-privilege access is pushed aside. This results in organizational churn and in access to data that is far from ideal.
Hybrid Work’s Impact
The move to hybrid work environments has accelerated further, making already aggressive plans for enterprise cloud adoption even more challenging.
“By outpacing the necessary security coverage, organizations are under the gun to deploy solutions that can secure new use cases as well as tie into their existing security solutions,” said John Yun, vice president, product strategy, at ColorTokens. “The ease-of-use offered by the cloud, in some cases, can be perceived as high risk due to the compromised credential scenarios or, in the case of third parties, over-privileged users having more access than they should. Relying heavily on user logins without the layers of security checks often found in on-premises environments makes many security analysts nervous.”
Risks Around Credentials
When it comes to cloud security and access, it all comes down to protecting credentials. Privilege creep is setting up companies for greater insider risk from credential misuse and abuse, but what is most damaging to an organization is credential theft.
“Credential-stealing malware can be more damaging to an organization if credentials are shared among employees, compromising multiple accounts from a single endpoint infection,” said Davis McCarthy, principal security researcher at Valtix, via email. “It can also be more difficult to identify who abused a set of credentials during an insider threat investigation when the whole development team is in question. Security teams investigating these types of events need visibility to build context that leads to mitigation and remediation.”
The best way to address access into the cloud and to know who is doing the accessing, legitimately or not, is to build visibility into cloud projects from the start, not later when it could impact compliance.
While there are still relatively few regulations targeted specifically at cloud security, anything that promotes poor cybersecurity posture in the cloud, especially the inability to track access and permissions, inevitably leads to data breaches, as evidenced by increases in incidents attributed to cloud misconfigurations.
“The resultant fines and penalties under existing privacy regulations will only continue to increase as international, state and federal privacy and data protection legislation emerges and matures,” said Tiwari. “Inevitably, continued lack of compliance will require regulators to become more rule-focused in their approach to security; providing stricter rules to follow for data security in the cloud.”