By Dr. Salvatore Stolfo, CTO of Allure Security
What happens to documents once they’ve been downloaded from a cloud share? Enterprises must know the answer to that question.
In their quest to reap the benefits of the cloud — productivity, better collaboration, and lower costs — enterprises have paid a great price: lack of visibility and control. We have reached the point at which organizations are moving data to public clouds faster than they can secure it. According to a recent survey by ESG, more than 40% of data stored in public clouds is considered “Sensitive.” Yet, three-quarters of respondents believe that at least 20% of their public cloud data is insufficiently secured, and 50% of all respondents said they have lost cloud-resident data.
What makes cloud-resident data so vulnerable? There are three key factors that are responsible for data loss risk for cloud-based documents:
- Company security policy violations. Because public cloud architectures are less mature than traditional, on-premises data repositories, it can be difficult for security operations teams to know when users are violating security policies. For example, uploading data classified as sensitive (documents containing personally identifiable information, trade secrets, etc.) to public cloud shares is rampant. ESG reports that 33% of survey respondents have experienced an incident like this.
- Masqueraders. Internal or external threats caused by individuals who steal or “borrow” legitimate credentials from another user are another source of cloud insecurity. These users pose as individuals with higher security access to poke around in cloud file shares, in search of a treasure trove of documents they can exfiltrate for their own personal gain. Sharing links externally with anonymous users is as simple as a right click, bypassing any reasonable access controls.
- Shadow IT/BYOD. 35% of ESG survey respondents said their biggest challenge for the security of data in the cloud is employees signing up for cloud applications and services without IT approval or oversight.
What are the consequences of failing to provide the proper security mechanisms for cloud-resident data? For starters, there’s the risk of your company’s most valuable information falling into the wrong hands. That includes information about your customers, your employees, and even your corporate trade secrets. Then, there’s the myriad of data privacy and security regulations that you could be violating by losing that data. GDPR is the most well-known, but it’s only the beginning. Several states across the U.S. are enacting new laws that carry stiff penalties for companies that fail to adequately protect consumer data.
Where did your documents go?
Although most public cloud providers have a way to log activity by users with access credentials, tracking through log analysis is limited, and the logs can be hard to sift through. This is especially true after a document is downloaded, copied or shared with a third party. While a document is stored and accessed in the cloud, its activity is logged. But once a credentialed user downloads documents, all bets are off. Cloud logs provide no visibility into where this data goes after it leaves the cloud. No amount of DLP, DRM or CASB will change this.
In its most basic terms, cloud data loss risk monitoring involves dynamic tracking and automated analysis of cloud activity logs. Leveraging telemetry and geofence technology, this approach even allows enterprises to monitor documents after they leave a cloud share. Cloud data loss risk monitoring plugs a visibility gap organizations have been struggling with for years.
Cloud data loss risk monitoring can also be configured to an organization’s established security policy to detect and respond to data loss resulting from stolen credentials, insider threats, malicious third parties, ransomware and human error. AI technology can substantially automate the analysis and detection of data loss and security policy violations.
Building a more secure public cloud
Allure Security offers cloud data loss risk monitoring for Microsoft Office 365, OneDrive, SharePoint, and Teams. The Allure platform continuously watches and analyzes log activity, extends visibility even after a document is downloaded, copied or shared with a third party, and surfaces risks based on unique data loss indicators.
GRA Quantum is an early adopter of Allure’s cloud data loss risk monitoring. The global cybersecurity services firm operates in multiple locations around the world. As a provider of cybersecurity services, GRA Quantum takes the trust of its customers and their security infrastructure very seriously. Most of the tools they sell to their clients are the technologies they themselves use.
The Allure cloud data loss risk monitoring platform gave GRA Quantum a greater understanding of OneDrive use in various locations, given its ability to enrich log activity with geolocation details and provide strategic alerts based on specific criteria. GRA organized its Allure account to issue alerts whenever a document was accessed in a location or region where the company has no office. For other regions, the company configured alerts to notify the security team only when an access attempt falls outside of the company’s security policy. In these cases, the team sometimes gets “false positives,” but even these warnings can provide beneficial insights and therefore are not a waste of time to investigate. As an example, Allure reported that a GRA administrative assistant working in the United States opened a file in the Philippines. Once the security team was alerted to the unusual activity, a quick phone call confirmed that this person had used a VPN to access the file.
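The two-tier alerting described above, sketched as an added example (not Allure's code or GRA Quantum's configuration). The record schema, the office list and the rules in `policy_violation` are assumptions made here for illustration, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed: countries where the organisation has an office (hypothetical list).
OFFICE_COUNTRIES = {"US", "GB", "SG"}

@dataclass(frozen=True)
class AccessEvent:           # constructed schema for a geo-enriched log record
    user: str
    document: str
    operation: str           # e.g. "FileAccessed", "FileDownloaded"
    country: Optional[str]   # ISO code from enrichment, None if unresolved
    anonymous_link: bool
    sensitivity: str         # "public" | "internal" | "restricted"

def policy_violation(ev: AccessEvent) -> Optional[str]:
    """Hypothetical stand-in for the organisation's own security policy."""
    if ev.anonymous_link and ev.sensitivity != "public":
        return "non-public document opened through an anonymous link"
    if ev.operation == "FileDownloaded" and ev.sensitivity == "restricted":
        return "restricted document downloaded"
    return None

def evaluate(ev: AccessEvent):
    """Return (tier, reason) for an alert, or None when no alert is raised."""
    # Tier 1: access from a region without an office always alerts.
    # An unresolved location fails closed (a design choice of this sketch).
    if ev.country is None:
        return ("geofence", "location could not be resolved")
    if ev.country not in OFFICE_COUNTRIES:
        return ("geofence", f"access from {ev.country}, where there is no office")
    # Tier 2: inside office regions, alert only on a policy violation.
    reason = policy_violation(ev)
    return ("policy", reason) if reason else None

def alerts(events):
    return [(ev.user, ev.document, *hit) for ev in events if (hit := evaluate(ev))]

# Constructed sample records; the first mirrors the VPN case in the text.
SAMPLE_EVENTS = [
    AccessEvent("assistant@example.com", "minutes.docx", "FileAccessed", "PH", False, "internal"),
    AccessEvent("analyst@example.com", "runbook.docx", "FileAccessed", "US", False, "internal"),
    AccessEvent("anonymous", "pricing.xlsx", "FileAccessed", "GB", True, "internal"),
    AccessEvent("engineer@example.com", "design.pdf", "FileDownloaded", None, False, "restricted"),
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

The first record raises a geofence alert even though the access is legitimate, which is the kind of false positive the team resolved with a phone call.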
The asymmetry of attacker and defender continues to plague security operations teams. As more companies push sensitive data into public clouds, the ability to monitor these documents and understand who is accessing them — and where — becomes even more important.
About the author
Dr. Salvatore Stolfo, PhD is the founder and CTO of Allure Security. A professor of computer science and artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has been granted over 80 patents and has published over 250 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, IARPA, AFOSR, ARO, NIST, and DHS. He was recently elevated to IEEE Fellow for his contributions to machine learning applied to computer security.