
Safeguarding the cloud: Addressing insider threats in the age of hybrid work

The pandemic democratised the use of the cloud to support workflows and workloads, but it also exposed the need to protect against internal security weaknesses

The pandemic put a spotlight on how the cloud can benefit enterprises. As employees worked from home, cloud-based workflows and workloads helped businesses survive the catastrophic 24 months of lockdowns.

Today, this momentum continues at the same accelerated pace, with the cloud serving as the platform for business and for work across hybrid and multi-cloud environments. However, IT and security decision-makers are increasingly turning their focus to protecting the cloud from all sides, including insider negligence and malicious insider activity.

Typically, to support hybrid patterns of work and keep cloud-based workflows uninterrupted, team members hold multiple security privileges, often elevated beyond what their day-to-day work requires. This creates an internal vulnerability and paves the way for unintentional or intentional incidents and breaches.

Security administrators and policy decision-makers regard team members as internal and trusted. Because they are already inside the organisation, they do not need to breach any login credentials to gain access, which makes their activity harder to detect.

However, research by Ponemon indicates that both negligent and malicious insider risks, as well as credential theft, have grown 44 percent in the last two years. Incidents involving compromised users have racked up costs of over $15 million globally. Cloud infrastructure has been the primary target, and 52 percent of enterprise decision-makers name cloud security as one of their greatest risks.

IT and security decision-makers can implement the following best practices to reduce the exposure and risk arising from insider activity.

Least privileges

The starting point for any initiative to protect against insider threats and negligence is implementing the principle of least privilege. Under this approach, end users, bots and programs have only the rights they need to carry out their day-to-day roles, and no others. An employee who only needs to read data from a folder does not need write privileges for that folder, and the same applies to an automated routine or application. This approach reduces the exposed attack surface.
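The folder example above, as an added illustration that is not part of the article: an over-broad object-storage policy beside its least-privilege rewrite, with a check that lists every grant exceeding what the role actually needs. The policies are constructed in the AWS IAM JSON shape, the action catalog is a small illustrative subset, and the check considers only Allow statements (Deny statements and Conditions are ignored).

```python
"""Added example (not from the article): an over-broad object-storage policy beside
its least-privilege rewrite, with a check that lists every grant exceeding what the
role actually needs. Policies use the AWS IAM JSON shape; the action catalog is an
illustrative subset and nothing here calls a cloud API."""
import fnmatch

# Illustrative subset of storage actions that a wildcard such as "s3:*" would expand to.
ACTION_CATALOG = ["s3:GetObject", "s3:ListBucket", "s3:PutObject",
                  "s3:DeleteObject", "s3:PutBucketPolicy"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def expand_actions(pattern):
    """Expand an action pattern ("s3:*", "s3:Get*") against the catalog."""
    return [a for a in ACTION_CATALOG if fnmatch.fnmatchcase(a, pattern)]

def excess_grants(policy, needed_actions, needed_resource):
    """Sorted (action, resource) pairs an Allow statement grants beyond the stated need.

    Wildcards are expanded first, so "s3:*" is reported as the concrete actions it
    hides; any resource other than the exact needed prefix is reported as too wide."""
    excess = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in expand_actions(pattern):
                for resource in _as_list(stmt["Resource"]):
                    if action not in needed_actions or resource != needed_resource:
                        excess.add((action, resource))
    return sorted(excess)

# Constructed case from the article: the role only needs to read data in one folder.
NEEDED_ACTIONS = {"s3:GetObject"}
NEEDED_RESOURCE = "arn:aws:s3:::reports-bucket/finance/*"

# Weak: blanket "s3:*" on the whole bucket, the elevated grant the article warns about.
OVER_PRIVILEGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::reports-bucket/*"}]}

# Corrected: the single read action, scoped to the folder the role works in.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": NEEDED_RESOURCE}]}

if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, excess_grants(policy, NEEDED_ACTIONS, NEEDED_RESOURCE) or "nothing in excess")
```

Running it shows the wildcard policy silently granting delete and bucket-policy rights to a role that only reads reports, while the rewritten policy produces no excess grants.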

Tamer Odeh, Regional Sales Director, SentinelOne

Negligence, lack of awareness

Surveys by Ponemon indicate that incidents stemming from negligence amount to 56 percent, compared with 26 percent stemming from malicious intent. Negligence is a primary cause in most cybersecurity incidents and covers adding unsecured devices to the network, leaving passwords unprotected, deviating from an organisation's security policies, failing to upgrade and patch applications, and so on. It also covers unknowingly clicking on malicious links and sharing passwords with other team members.

Awareness levels

In most cases, negligence can be traced to a lack of awareness of the consequences. IT and security decision-makers can implement regular security awareness training programs and foster a culture of positive cyber hygiene. Such programs cover a wide range of topics, including phishing, password hygiene, social engineering, and reporting anomalous behaviour.

Behavioural analytics

Behavioural analytics tools first build a behaviour pattern that defines normal user activity across the enterprise, covering login times, login locations, workflow patterns, data and resource access, and so on. They then monitor workers' activity in real time against this baseline of normal activity and flag deviations as they happen. Against this baseline, attempts to access unauthorised resources, unauthorised actions and movements of data, for example, stand out.
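The baseline-and-deviation approach described above, as an added example that is not part of the article: a per-user baseline is learned from historical sign-in events and each new event is scored against it. The log lines are constructed for this example, and the field layout (timestamp, user, country, resource) is an assumption about what an identity provider's sign-in log carries.

```python
"""Added example (not from the article): learn a per-user baseline of normal sign-in
activity and flag new events that deviate from it. Log lines are constructed; the
field layout (timestamp user country resource) is an assumed sign-in log format."""
from collections import defaultdict
# Constructed baseline window for one user: sign-ins at 08-09, 13 and 17 UTC, always from GB.
BASELINE_LOG = [
    "2023-05-01T08:05Z alice GB finance-reports",
    "2023-05-02T08:40Z alice GB finance-reports",
    "2023-05-03T09:12Z alice GB finance-reports",
    "2023-05-03T17:30Z alice GB finance-reports",
    "2023-05-04T13:02Z alice GB finance-reports",
    "2023-05-05T08:55Z alice GB shared-drive",
]
# Constructed new events to score against that baseline.
NEW_EVENTS = [
    "2023-05-08T09:10Z alice GB finance-reports",  # normal
    "2023-05-08T02:15Z alice GB finance-reports",  # off-hours sign-in
    "2023-05-08T09:30Z alice RO finance-reports",  # never-seen country
    "2023-05-08T10:00Z alice GB hr-payroll",       # resource outside the baseline
]

def parse(line):
    ts, user, country, resource = line.split()
    return {"user": user, "hour": int(ts[11:13]), "country": country, "resource": resource}

def build_baseline(lines):
    """Per user: the sign-in hours, countries and resources seen in the baseline window."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "resources": set()})
    for ev in map(parse, lines):
        for field, key in (("hour", "hours"), ("country", "countries"), ("resource", "resources")):
            base[ev["user"]][key].add(ev[field])
    return base

def hour_distance(a, b):
    """Circular distance in hours, so 23:00 and 01:00 are two apart, not twenty-two."""
    return min(abs(a - b) % 24, 24 - abs(a - b) % 24)

def deviations(baseline, line, hour_slack=1):
    """Reasons the event deviates from its user's baseline; an empty list means normal."""
    ev = parse(line)
    b = baseline.get(ev["user"])
    if b is None:
        return ["sign-in by a user with no baseline"]
    reasons = []
    if min(hour_distance(ev["hour"], h) for h in b["hours"]) > hour_slack:
        reasons.append(f"sign-in at {ev['hour']:02d}:00 outside usual hours")
    if ev["country"] not in b["countries"]:
        reasons.append(f"sign-in from new country {ev['country']}")
    if ev["resource"] not in b["resources"]:
        reasons.append(f"first access to {ev['resource']}")
    return reasons
```

Scoring `NEW_EVENTS` with `deviations(build_baseline(BASELINE_LOG), line)` leaves the first event unflagged and gives each of the other three a single, specific reason, which is the kind of explainable alert an analyst can act on.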

Access and movement of data

Another important best practice for curtailing insider threats is a comprehensive approach to data security and data privacy. Data Security Posture Management (DSPM) tools help enterprises prevent data leakage by implementing policies and controls that protect sensitive data from unauthorised access, sharing and movement.

DSPM classifies data by sensitivity level and applies controls such as encryption and data masking to protect it. It also governs who can access the data, with measures such as multifactor authentication. DSPM monitors and logs all access to data and its usage, enabling security teams to detect suspicious activity in real time, and can generate alerts and notifications as that activity occurs.

Scheduled audits

The effectiveness of the above measures is amplified through regular, scheduled audits. Audits should be conducted on a regular basis and cover cloud infrastructure, access controls, user activity and data transmission. They reveal deviations in user behaviour and in cloud infrastructure activity such as file sharing, copying or deletion. Audits also surface security gaps and vulnerabilities, which are then rectified through recommended actions.

It is important for IT and cloud decision-makers to select the right vendor-led solutions, ones that can protect against cloud-centric vulnerabilities across all attack surfaces, including endpoint, identity and networks, whether the threat originates externally or internally. Much of this is being driven by AI and ML, and decision-makers must look for vendors that are leveraging automation in their solutions.