How to combat insider threats as organisations increasingly rely on cloud computing to telecommunicate

(Image credit: Veriato)

Cloud providers including Microsoft, Google, and others, have recently acknowledged that they are struggling to deal with a spike in remote tools usage.

As organisations hastily adapt for remote working, they might fail to ensure adequate data security. In particular, cloud usage increases the risk of insider threats as 53% of organisations believe detecting insider attacks is significantly harder in the cloud than on-premises, according to a recent report. Therefore, it has never been as important as it is today for organisations to implement proper measures to mitigate the insider threat to protect data in the cloud.

Why do remote workers pose a threat to cloud security?

Firstly, remote employees use cloud applications to exchange data, including sensitive data, and could misplace it in insecure locations which could lead to a compliance violation. For example, sharing sensitive data via Microsoft Teams – an increasingly popular application for telecommunication – will result in data spreading across SharePoint Online storage with a high risk of unauthorised access. In fact, 39% of the UK respondents to our recent survey are sure that employees in their organisations share sensitive data via cloud applications outside of IT’s control.

Secondly, remote employees often work from their personal devices which are not controlled by the corporate IT team, and as such are more prone to data breaches than their corporate PCs. Such devices are often unpatched and, therefore, vulnerable to cyber threats. Once an attacker has a foothold in the employee's device, they have "remote control" and can observe and leverage any outgoing connections from this. Essentially, they can gain access to all corporate cloud services the user connects to or even to the corporate network on-premises as soon as the user establishes their VPN connection or remote desktop (RDP) session to any internal servers.

In addition, an employee might lose his/her device, or let other family members use it, which will result in unauthorised access. In some rare cases, employees copy sensitive data to their personal devices from corporate cloud storage with malicious intent, which also is a serious security risk.

Step 1: Develop security policies for remote employees

In normal circumstances, before asking employees to work from home, an organisation should ideally develop proper security policies with a specific focus on cloud security. First and foremost, it is critical to ensure that all user permissions to storages with sensitive data are granted on a 'need-to-access’ basis to prevent insiders from accessing the information they do not need to do their job.

In addition, it is important to establish effective access controls as well as efficient identity verification methods such as multi-factor authentication, which will also protect organisations’ sensitive data in the cloud from unauthorised access.

And last but not least, it is critical that the IT department trains employees on cloud ‘dos’ and ‘don’ts’, starting from the principles of dealing with sensitive data and ending with instructions for patching and securing their personal devices. All such measures should be implemented on an ongoing basis, with the IT team being ready to support employees with any issue when they work from home, whether it’s an operational problem or security issue.

Step 2: Obtain visibility into sensitive data

If an organisation does not know where its sensitive data resides in the cloud, it cannot ensure that remote employees are following security policies. This is particularly challenging as modern organisations use multiple clouds.

In fact, McAfee has calculated that an average enterprise uses around 1,427 distinct cloud services, while an average employee actively uses 36 cloud services at work. The more cloud services remote employees use, the more challenging it is for an organisation's IT team to track how they handle data. It means an increased risk of misplacing sensitive data and the bad PR and compliance findings that come with that. To reduce data overexposure, it is critical to have technologies in place to automatically discover sensitive data across multiple cloud storages and classify it according to its sensitivity on a continuous basis.

Step 3: Monitor user activity around sensitive data

As the cloud is prone to a broad range of threat vectors for data exfiltration by insiders, it is critically important for an organisation to detect such cases in a timely manner. Is it malware trying to break into the corporate network, or an insider aiming to steal customer database? All these cloud security risks, and many others, are accompanied by anomalies in user activity. Therefore, if an organisation uses cloud computing and cloud storage, it is important to have user behaviour analysis (UBA) technologies in place that can detect deviations from normal user behavior and alert an IT team about potential cloud threats.

Examples of the most common anomalies that indicate a threat include abnormal logon activities (such as attempts to log on from multiple endpoints, multiple subsequent logons in a short period of time, and an unusually high number of logon failures); or data access patterns differing from the user's past behaviour or that of their peers. It is important to note the shift from office work to remote access will probably cause initial changes in users' access patterns. Businesses can expect a higher than normal number of false positives from Machine Learning-based behaviour anomaly detection solutions in the first couple of weeks after users move away from their central offices.

Such measures will help organisations minimise insider threats in the cloud not only during ‘the world’s largest work-from-home experiment’, as Time has dubbed the COVID-19 outbreak, but also when it comes to an end. With the subsequent economic recession that is likely to follow, cloud computing will remain a cost-effective way to run a business. A sustainable approach to cloud security will enable organisations to avoid unwanted data breaches and hefty compliance fines in the long run.

Matt Middleton-Leal is EMEA & APAC General Manager at Netwrix

Matt Middleton-Leal

Matt Middleton-Leal is a Certified Information Systems Security Professional (CISSP®). He is currently EMEA & APAC General Manager at Netwrix, provider of visibility and governance platform that supports both on-premises and hybrid cloud IT environments. Matt has 20 years’ experience in cybersecurity industry with deep understanding of both customers’ and suppliers’ needs.

Netwrix is 100% focused on providing solutions to the industry that enhance their cybersecurity, while simultaneously enabling them to reduce and manage the burdens of IT auditing and compliance.