Don’t let insider threats rain on your cloud deployment

Rising risk of insider threats in cloud

Perhaps not surprisingly then, given that level of vulnerability, 73% of respondents said insider threats are becoming more common. That’s a significant jump—up from 56% in the company’s 2017 report by the same name.

Another factor that heightens the insider threat is that survey respondents reported “only 50% of organizations provide user trainings about insider threats, and a mere 31% implement secondary authentication to defend against them.”

Yet another factor is the reality that migrating some or all of their applications, storage and workloads to the cloud is already a reality or a near-term goal for the large majority of organizations.

There are good reasons for that. The cloud is now a mature, reliable technology that involves the mega-players—Amazon, Cisco, Microsoft and others. It saves money—storage is easier and less expensive, it is scalable without breaking the budget, it lets organizations do more with less downtime, cost and loss, and it reduces infrastructure overhead.

And besides the economic incentives, it is highly available and allows remote employees access and ability to work online.

Why the cloud is vulnerable to insider threats

But all that comes with risk. A cloud environment interfaces with just about every application and corresponding infrastructure stack in existence.

The list of possible vulnerabilities that are common to both on-premises and cloud environments is well known but worth repeating. It includes weak identity, credential, and access management; insecure APIs; insufficient due diligence; lack of encryption; and yes, malicious/clueless insiders.

All of which should be yet another of the proverbial wake-up calls for organizations to improve their security initiatives for both the cloud and insider threats.

According to the survey, 41% of respondents said cloud migration makes insider attacks harder to detect and defend if organizations don’t have tools for monitoring “abnormal user behavior across their cloud footprints.”

That behavior doesn’t have to be malicious either. Kinnaird McQuade, senior consultant at Synopsys, said while malicious insiders are a legitimate concern, it is far more likely that employees will unintentionally “do something bad or stupid, which is more likely to open up avenues for other attacks.”

How to mitigate insider threat risks in the cloud

But there are ways to mitigate those risks. When it comes to insider threats, organizations should follow the advice experts have been issuing for decades—limit employees’ access and permissions to what they need to do their jobs—the principle of “least privilege.” It’s called identity and access management (IAM), and it’s a security fundamental.

“Organizations should prevent users from having permissions to open up new attack surfaces and time-box access to sandbox environments,” McQuade said. “For instance, opening up a NAT [network address translation] gateway from a hybrid networking environment in AWS isn’t necessarily bad—in fact, it’s necessary in some cases—but it introduces the possibility of a server using that NAT gateway to pull packages or content from any remote resource. Users shouldn’t be the sole bearers of responsibility—the organization should build in preventive measures.”

Among those preventative measures:

Make sure the cloud platform is correctly configured

“Enhancing automation of configuration management and infrastructure provisioning activities significantly reduces vulnerabilities linked to misconfiguration, mismanagement, missing patches and mistakes,” he said.

Put “guardrails” in place

Secure-by-default landing zones can help prevent new attack surfaces from opening in new environments like development, staging and production, McQuade said, “by preventing potentially dangerous calls to the cloud provider’s APIs.”

“Landing zones provide enough guardrails at creation time to support innovation but ensure enforcement of organization security requirements such as network architecture and log aggregation.”

Supplement the guardrails with monitoring

“Have an internal team provide a top-level view of all cloud-related risks, determine visibility and prevention requirements, and turn those requirements into programmatic policies to manage IAM,” McQuade said.

Visibility requires proper monitoring and alerting, while prevention requirements include “programmatic definition of policies per environment, such as service control policies in AWS, and other controls that prohibit potentially dangerous actions,” he said.

Don’t forget detection

Even rigorous IAM—limiting access and enforcing encryption on all portable devices as well as data in transit—won’t entirely eliminate risk. So be prepared to find and mitigate breaches.

Matan Scharf, product marketing manager at Synopsys, said early detection strategies should include controls such as data leak prevention, threat intelligence from third-party vendors that monitor the dark web (Pastebin etc.), and incident response capabilities coupled with business continuity and disaster recovery plans.

This is not a simple process, McQuade said, noting that it is “difficult to put all those controls in place before you give users or operations to a cloud environment. There will always be cleanup activities after embracing cloud as an organization reforms its approach.”

But it is well worth the time, effort and money, to avoid turning your cloud deployment into a nightmare. “If you expand your cloud capabilities without a security story, things will spin out of control very quickly,” McQuade said.

Mitigating insider threats is only one aspect of cloud security. Our new eBook The Ultimate Guide to Securing Your Cloud Apps uncovers many other challenges that organizations face when shifting to the cloud and provides recommendations for addressing them.