Cloud computing is the most cost-effective way to store and manage data and meet growing business demands today. However, the rapid rise of cloud usage means you need to stay alert to potential cloud security insider threats that can compromise your sensitive data and security posture. In this post, we discuss the insider threat landscape, explore several types of cloud insider threats, and examine the best practices to combat these threats.
The rise of insider threats in the cloud
In recent years, cloud adoption has increased due to the flexibility and scalability it provides. So has the risk posed by insider threats. Many organizations focus cybersecurity efforts on external threats such as ransomware or zero-day exploits, but insider threats can be just as damaging and even more challenging to defend against.
According to the Ponemon Institute report, insider threats have grown by 44% over the last two years, and the cost per incident has increased by more than 30% to a whopping $15.38 million. On top of that, the time to contain an insider threat is now less than three months. Mitigating the risks posed by insider threats should be front and center for organizations that want to keep their data and networks safe to avoid the costly fallout of a breach.
Why is the cloud vulnerable to security threats?
Insider threats are often magnified in cloud environments due to cloud-based applications’ inherent vulnerabilities. Cloud-based applications may be accessed from unsecured devices or by using unsecured APIs, and they may suffer from hidden misconfigurations and poor access management. Because of the cloud’s reach, the threat landscape is much larger and cannot be adequately protected by only using firewalls or defined boundaries between the “internal” and “external” corporate network.
Then, there’s the human factor. Not only can malicious insiders use existing cloud security gaps to do damage, but even non-malicious employees can cause harm unintentionally by using insecure passwords, misconfiguring the cloud workload, leaking their credentials publicly (for example, on GitHub), and so forth. Cloud environments tend to be more complex and often lack visibility, which makes these threats much more difficult to identify and remediate.
6 Cloud insider threats you need to look out for
Here we outline six of the most common cloud insider threats you should be on the lookout for.
1. Unrestricted access to sensitive data
One of the biggest threats involves not having proper access management in place. Most employees only need access to specific data; they don’t need unrestricted access to sensitive data. The more people who have access to sensitive information, the greater the probability that something bad happens. This is true whether the breach is intentional, such as a disgruntled employee sharing data for revenge, or unintentional, such as an employee clicking on malware that then gains access to the system.
In some cases, this sensitive data may even be accessible to outsiders who know their way around a system. Cloud environments don’t have a clear barrier between inside and outside the network, so protecting sensitive data requires access management and other security measures instead of just a firewall.
2. Poor password hygiene and lack of multi-factor authentication
This threat is similar to the threat posed by poor access management – the distributed nature of the cloud environment creates a lot of endpoint vulnerabilities. If passwords aren’t strong or regularly updated, they become much easier to hack. Sometimes outsiders are able to gain access because a password was easy to guess or bypass, or the employee used the same password uncovered in a prior data breach. Sometimes employees can gain access they shouldn’t have by guessing the passwords of other employees.
Along with maintaining strong password hygiene, multi-factor authentication (MFA) is another protective measure. Deploying MFA makes it more difficult for threat actors to gain unapproved access because they need a password and access to the other required factor(s) — such as security tokens, biometrics, and knowledge of answers to security questions.
3. Lack of employee training
The weakest link in most cybersecurity initiatives is the human factor. If employees don’t know how to recognize phishing attempts, share their access to sensitive data, or fail to practice good password hygiene, then the probability of the corporate network being compromised from the inside increases. This is particularly critical in cloud environments because employees may take less care when accessing work applications from home or elsewhere.
4. Employee bribery
All it takes is one disloyal employee or an employee down on their luck in need of a payout to fall victim to employee bribery. If a bad actor reaches out and finds that one of your employees is willing to give them access for compensation, then they can completely bypass all of your security efforts in one fell swoop. Consider incorporating anti-bribery lessons in your employee training and make efforts to establish a culture of trust within your organization for all employees, whether on-site or working from home.
5. Disgruntled employees
While the saying goes that revenge is a dish best served cold, many seeking revenge like to act while hot and in the moment. This is why many companies immediately remove employee network access at the moment of firing or layoff, or even let employees go immediately once they receive a 2-week notice. An unhappy employee with access to the network can do a lot of damage in a short amount of time. And if that employee has access to the corporate cloud, it’s vital to make sure to remove remote access as well.
But sometimes an employee is disgruntled while still fully employed, and if management is unaware, the damage can happen before anyone even knows there was a threat. This is why cultivating a culture of openness and communication is vital. Keeping tabs on how everyone feels about work and taking steps to maintain morale can go a long way in preventing this threat – which is especially important since all the security software in the world is unlikely to identify it.
6. Accidental data exposure
It’s also possible for employees to share data accidentally. For example, they may include a link or mention of the data in a file or email thread shared with outsiders. Sometimes even typing in company credit card details in an unsafe environment is all it takes for bad actors to gain access. Additionally, it is not uncommon to find hardcoded programmatic credentials of cloud workloads in scripts uploaded to public GitHub repositories. This threat can be mitigated with real-time alerts and a careful review of external file-sharing practices.
Cloud threat protection best practices
Mitigating insider threats in the cloud requires deploying a set of best practices that minimize unnecessary access, educate employees and leadership alike, and help improve awareness of what to look out for. Cloud insider threat best practices include the following:
- Pay attention to multi-dimensional threats: Many less common actions employees perform in the cloud are not indicative of a threat when considered individually. However, some actions should raise red flags when they occur in combination. For example, if a user logs in from a new address, downloads more files than usual, and changes security settings, then this is indicative of potentially malicious behavior. Setting up system alerts to notify security teams when certain combinations of actions are performed can go a long way in differentiating between normal employee behavior and a possible breach.
- Monitor all cloud usage: Sometimes threats are only apparent if you correlate actions across different applications. Individual anomalies may appear innocent, but the sum of the parts could tell another story. Monitor all cloud usage and keep an eye out for shadow IT applications.
- Correlate cloud usage with other data sources: You can’t secure what you can’t see. And if you have a hybrid or multi-cloud environment, lack of visibility across the entire landscape could mean you miss threats or anomalous activity. Contextual data can provide a more complete picture from which you can identify anomalies.
- Whitelist low-risk users: To avoid alert fatigue, which can lead security teams to ignore legitimate threats or be unable to distinguish them from the noise, it’s a good idea to whitelist certain events when they are generated by trusted or low-risk users. You can also adjust the threshold to only sound the alarm based on predetermined indicators of risk.
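As an added example (not code from SecurityScorecard or from this post), the following Python sketch implements the three ideas above: it correlates a new source address, unusual download volume and a security-settings change per user, skips whitelisted low-risk identities, and only alerts once a configurable number of indicators coincide. The event tuple shape, the baseline profile and the action names are assumptions, and the audit events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample cloud audit events, not real logs: (user, action, source_ip)
EVENTS = (
    [("alice", "login", "203.0.113.7")]                 # address not in alice's baseline
    + [("alice", "download", "203.0.113.7")] * 8        # well above her typical volume
    + [("alice", "update_security_settings", "203.0.113.7")]
    + [("bob", "login", "203.0.113.8")]                 # new address only, otherwise normal
    + [("bob", "download", "203.0.113.8")] * 2
    + [("svc-backup", "login", "203.0.113.9")]          # noisy but whitelisted service identity
    + [("svc-backup", "download", "203.0.113.9")] * 120
    + [("svc-backup", "update_security_settings", "203.0.113.9")]
)
# Per-user baseline assumed to be learned from prior activity (constructed values)
BASELINE = {
    "alice": {"known_ips": {"198.51.100.10"}, "typical_downloads": 3},
    "bob": {"known_ips": {"198.51.100.11"}, "typical_downloads": 4},
    "svc-backup": {"known_ips": {"198.51.100.12"}, "typical_downloads": 50},
}
ALLOWLIST = {"svc-backup"}  # low-risk users whose events are suppressed to limit alert fatigue
SECURITY_ACTIONS = {"update_security_settings", "disable_mfa", "add_api_key"}  # assumed names

def indicators_for(user, events, baseline):
    """Return the sorted risk indicators raised by one user's events in the window."""
    profile = baseline.get(user, {"known_ips": set(), "typical_downloads": 0})
    actions = Counter(action for _, action, _ in events)
    found = set()
    if any(ip not in profile["known_ips"] for _, _, ip in events):
        found.add("new_ip")
    if actions["download"] > 2 * profile["typical_downloads"]:
        found.add("excess_downloads")
    if any(action in SECURITY_ACTIONS for action in actions):
        found.add("security_change")
    return sorted(found)

def detect(events, baseline, allowlist, threshold=3):
    """Group events by user and alert only when at least `threshold` indicators coincide."""
    per_user = defaultdict(list)
    for event in events:
        per_user[event[0]].append(event)
    alerts = {}
    for user, user_events in per_user.items():
        if user in allowlist:  # trusted identity: never escalate on its own
            continue
        indicators = indicators_for(user, user_events, baseline)
        if len(indicators) >= threshold:
            alerts[user] = indicators
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS, BASELINE, ALLOWLIST))
```

Lowering `threshold` to 1 would also surface bob's single new-address login, which is the trade-off between coverage and noise the bullet list describes.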
How SecurityScorecard can help manage cloud security threats
SecurityScorecard offers a variety of products and solutions to help you monitor and mitigate threats. Our security ratings use an A-F scoring scale that gives a quick picture of where your weaknesses are and what to tackle first. These ratings cover endpoint security, network vulnerabilities, patching cadence, and more. Being able to identify your organization’s weaknesses at a glance means it’s that much easier to keep your data safe in the cloud.
Want to know more about your security posture or get more tailored intelligence? Speak to an expert today.