Insiders can easily be more of a cyber threat to organizations than outside attackers, for the obvious reason—they’re already inside. Whether malicious or simply clueless or careless, they can pose a bigger risk since they don’t have to breach external security barriers and simply being present won’t raise any red flags—they’re supposed to be there.
But apparently those threats aren’t as obvious as they should be for some organizations—especially when it comes to the cloud.
In the recent Threatbusters: Bitglass’ 2019 Insider Threat Report, the cloud access security broker (CASB) company found that 68% of 437 IT professionals surveyed considered their organizations to be moderately to extremely vulnerable to insider threats.
Survey respondents came from Cybersecurity Insiders, a community of 400,000 information security professionals.
Perhaps not surprisingly then, given that level of vulnerability, 73% of respondents said insider threats are becoming more common. That’s a significant jump—up from 56% in the company’s 2017 report by the same name.
Another factor that heightens the insider threat is that survey respondents reported “only 50% of organizations provide user trainings about insider threats, and a mere 31% implement secondary authentication to defend against them.”
Yet another factor is the reality that migrating some or all of their applications, storage and workloads to the cloud is already a reality or a near-term goal for the large majority of organizations.
There are good reasons for that. The cloud is now a mature, reliable technology that involves the mega-players—Amazon, Cisco, Microsoft and others. It saves money—storage is easier and less expensive, it is scalable without breaking the budget, it lets organizations do more with less downtime, cost and loss, and it reduces infrastructure overhead.
And besides the economic incentives, it is highly available and allows remote employees access and ability to work online.
But all that comes with risk. A cloud environment interfaces with just about every application and corresponding infrastructure stack in existence.
The list of possible vulnerabilities that are common to both on-premises and cloud environments is well known but worth repeating. It includes weak identity, credential, and access management; insecure APIs; insufficient due diligence; lack of encryption; and yes, malicious/clueless insiders.
All of which should be yet another of the proverbial wake-up calls for organizations to improve their security initiatives for both the cloud and insider threats.
According to the survey, 41% of respondents said cloud migration makes insider attacks harder to detect and defend if organizations don’t have tools for monitoring “abnormal user behavior across their cloud footprints.”
That behavior doesn’t have to be malicious either. Kinnaird McQuade, former Synopsys cloud security practice lead, said while malicious insiders are a legitimate concern, it is far more likely that employees will unintentionally “do something bad or stupid, which is more likely to open up avenues for other attacks.”
But there are ways to mitigate those risks. When it comes to insider threats, organizations should follow the advice experts have been issuing for decades—limit employees’ access and permissions to what they need to do their jobs—the principle of “least privilege.” It’s called identity and access management (IAM), and it’s a security fundamental.
“Organizations should prevent users from having permissions to open up new attack surfaces and time-box access to sandbox environments,” McQuade said. “For instance, opening up a NAT [network address translation] gateway from a hybrid networking environment in AWS isn’t necessarily bad—in fact, it’s necessary in some cases—but it introduces the possibility of a server using that NAT gateway to pull packages or content from any remote resource. Users shouldn’t be the sole bearers of responsibility—the organization should build in preventive measures.”
Among those preventative measures:
“Enhancing automation of configuration management and infrastructure provisioning activities significantly reduces vulnerabilities linked to misconfiguration, mismanagement, missing patches and mistakes,” he said.
Secure-by-default landing zones can help prevent new attack surfaces from opening in new environments like development, staging and production, McQuade said, “by preventing potentially dangerous calls to the cloud provider’s APIs.”
“Landing zones provide enough guardrails at creation time to support innovation but ensure enforcement of organization security requirements such as network architecture and log aggregation.”
“Have an internal team provide a top-level view of all cloud-related risks, determine visibility and prevention requirements, and turn those requirements into programmatic policies to manage IAM,” McQuade said.
Visibility requires proper monitoring and alerting, while prevention requirements include “programmatic definition of policies per environment, such as service control policies in AWS, and other controls that prohibit potentially dangerous actions,” he said.
Even rigorous IAM—limiting access and enforcing encryption on all portable devices as well as data in transit—won’t entirely eliminate risk. So be prepared to find and mitigate breaches.
Matan Scharf, former product marketing manager at Synopsys, said early detection strategies should include controls such as data leak prevention, threat intelligence from third-party vendors that monitor the dark web (Pastebin etc.), and incident response capabilities coupled with business continuity and disaster recovery plans.
This is not a simple process, McQuade said, noting that it is “difficult to put all those controls in place before you give users or operations to a cloud environment. There will always be cleanup activities after embracing cloud as an organization reforms its approach.”
But it is well worth the time, effort and money, to avoid turning your cloud deployment into a nightmare. “If you expand your cloud capabilities without a security story, things will spin out of control very quickly,” McQuade said.
Mitigating insider threats is only one aspect of cloud security. Our new eBook The Ultimate Guide to Securing Your Cloud Apps uncovers many other challenges that organizations face when shifting to the cloud and provides recommendations for addressing them.