
How to Protect Your Cloud Environment From Today’s Top 5 Threats

By Lexi Croisdale

Humans eat, sleep, and expose data.  

Just in the time it takes you to read this blog, your blast radius will expand meaningfully. As access to sensitive data expands in the cloud, so do the different ways it can be compromised. 

With some of your most crucial data living in the cloud environment, how can you keep it protected? Which threats should you be most concerned about? 

Let’s discuss it below:

Threat #1: Identity risk  

One of the challenges of using the cloud is the sprawl of applications that create a unique set of identities. As the cloud footprint increases, it’s a challenge for security teams to monitor and secure multiple identities in multiple spaces. 

Threat actors are also evolving and targeting users specifically through various tactics, like social engineering and compromising personal accounts. 

The LAPSUS$ group made headlines when they hacked major companies, including Microsoft, Okta, Samsung, Ubisoft, and Nvidia, using phone-based social engineering and SIM-swapping. The group would call IT departments and impersonate the target, bypass multifactor authentication or password resets, and gain access to the data.  

Two steps help you determine which identities, inside and outside your organization, have access to your environment:

  • Take stock of all the applications being used in your organization and understand the permissions involved within each of them.
  • Conduct reporting on a weekly, monthly, or quarterly basis. The metrics in your report will identify areas that need attention, such as stale users, personal account use, a jump in external users, or more admin access being granted.

It’s also important to set parameters for offboarding employees, as stale user accounts could give former employees the ability to expose your sensitive data and give attackers an opportunity to access your environment. 
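One way to produce the recurring access report described above, as an added example that is not part of the original article: two constructed snapshots of application grants are compared to surface the metrics the text lists (stale users, personal accounts, a jump in external users, newly granted admin access). The domain list, the 90-day stale threshold and the "more than doubled" rule for external users are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample inventory, one row per (application, user) grant. Not real data.
PREVIOUS = [
    {"app": "crm", "user": "ana@corp.example", "role": "admin", "external": False, "last_login": date(2024, 3, 1)},
    {"app": "crm", "user": "bo@corp.example", "role": "user", "external": False, "last_login": date(2024, 2, 20)},
    {"app": "drive", "user": "vendor@partner.example", "role": "user", "external": True, "last_login": date(2024, 2, 28)},
]
CURRENT = [
    {"app": "crm", "user": "ana@corp.example", "role": "admin", "external": False, "last_login": date(2024, 3, 25)},
    {"app": "crm", "user": "bo@corp.example", "role": "admin", "external": False, "last_login": date(2024, 3, 22)},
    {"app": "crm", "user": "old@corp.example", "role": "user", "external": False, "last_login": date(2023, 9, 1)},
    {"app": "drive", "user": "vendor@partner.example", "role": "user", "external": True, "last_login": date(2024, 3, 20)},
    {"app": "drive", "user": "cj.home@gmail.com", "role": "user", "external": True, "last_login": date(2024, 3, 27)},
    {"app": "drive", "user": "x@other.example", "role": "user", "external": True, "last_login": date(2024, 3, 21)},
]
REPORT_DATE = date(2024, 3, 31)                          # constructed reporting date
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list of personal mail domains
STALE_DAYS = 90                                          # assumed threshold for a "stale" user


def access_report(previous, current, today=REPORT_DATE, stale_days=STALE_DAYS):
    """Compute the metrics the text recommends reviewing each reporting period."""
    stale = sorted({g["user"] for g in current if (today - g["last_login"]).days > stale_days})
    personal = sorted({g["user"] for g in current
                       if g["user"].rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS})
    ext_prev = len({g["user"] for g in previous if g["external"]})
    ext_now = len({g["user"] for g in current if g["external"]})
    prev_admins = {(g["app"], g["user"]) for g in previous if g["role"] == "admin"}
    new_admins = sorted({(g["app"], g["user"]) for g in current if g["role"] == "admin"} - prev_admins)
    return {
        "stale_users": stale,
        "personal_accounts": personal,
        "external_users": (ext_prev, ext_now),
        "external_jump": ext_now > ext_prev * 2,   # assumed alert rule: external count more than doubled
        "new_admin_grants": new_admins,
        "grants_per_app": dict(Counter(g["app"] for g in current)),
    }


if __name__ == "__main__":
    for key, value in access_report(PREVIOUS, CURRENT).items():
        print(f"{key}: {value}")
```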

Threat #2: Configuration risk  

A multitude of cloud applications brings a multitude of configuration settings.  

When implementing new applications, it takes time to learn how specific settings are configured by default, what the best practices are, and to distinguish if the settings for production environments differ from sandbox or dev environments. 

Varonis Threat Labs discovered that anonymous users could exploit misconfigured Salesforce communities to potentially expose sensitive data — such as customer lists, support cases, email addresses, and more — to anyone on the internet.  

At a minimum, malicious actors could exploit configurations to perform recon for spear-phishing campaigns, and at worst, they could steal sensitive information about the business, including its operations, clients, and partners. 

Many organizations don’t realize that Salesforce, like some other file-sharing and collaboration platforms, is designed to share data publicly: it’s a feature, not a bug. 

Auditing your security configurations on a recurring basis can help minimize the amount of unwarranted access to your cloud environments. Some applications, such as Salesforce, also have built-in health checker tools that you can run manually.  

Threat #3: Third-party app risk  

Third-party apps connect to your SaaS or infrastructure applications, and this often happens without oversight from security teams because users can grant themselves permissions — often without thinking twice about the access they give these apps.   

Think of signing up for the latest social networking app: to skip filling out a lengthy form, you simply connect it to your Gmail account, and in doing so you give the app access to the information stored in that account.  

It can be challenging to understand which apps are configured and what they have access to, which is similar to the identity risks covered in threat #1.  

There is also the risk of apps containing vulnerabilities that threat actors could exploit, and a user can grant access to a malicious application with a single click. 

As the usage of third-party apps rises, assessing your connected apps and the risks involved with them is essential. We recommend analyzing the permissions for each app and ranking their risk level as low, medium, or high.  

You can assess how many employees are using the app and their activity levels with automation or through manual reporting. For example, users who haven’t opened a high-risk app in the last six months should have their permissions revoked to avoid breaches. You may want to disconnect the app altogether if it’s not being used.  

Continually monitoring and cleaning up your third-party app library makes it easier to track which apps have access to your data. 
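The risk ranking and the six-month revocation rule described above, as an added example that is not part of the original article: each connected app is ranked by the most powerful permission scope it holds, individual grants to high-risk apps unused for 180 days are revoked, and an app nobody has used in that window is flagged for disconnection. The scope names, their tier mapping and the app inventory are constructed assumptions, not any vendor's real scope list.

```python
from datetime import date

# Assumed mapping of OAuth-style permission scopes to risk tiers (illustrative, not a vendor list).
SCOPE_RISK = {
    "profile.read": "low", "calendar.read": "medium", "files.read": "medium",
    "files.write": "high", "mail.read": "high", "mail.send": "high", "admin.directory": "high",
}
RANK = {"low": 0, "medium": 1, "high": 2}
INACTIVE_DAYS = 180                 # "six months" from the text
REVIEW_DATE = date(2024, 3, 31)     # constructed review date

# Constructed inventory: app -> granted scopes and each user's last-use date (None = never used).
APPS = {
    "note-taker": {"scopes": ["profile.read", "calendar.read"],
                   "users": {"ana@corp.example": date(2024, 3, 20), "bo@corp.example": date(2024, 1, 5)}},
    "mail-merge-helper": {"scopes": ["profile.read", "mail.read", "mail.send"],
                          "users": {"ana@corp.example": date(2023, 8, 1), "cj@corp.example": date(2024, 3, 1)}},
    "legacy-sync": {"scopes": ["files.write"], "users": {"bo@corp.example": date(2023, 6, 15)}},
}


def app_risk(scopes):
    """Rank an app by its most powerful scope; an unknown scope counts as high (assumed safe default)."""
    tiers = [SCOPE_RISK.get(s, "high") for s in scopes]
    return max(tiers, key=RANK.__getitem__) if tiers else "low"


def review_apps(apps, today=REVIEW_DATE, inactive_days=INACTIVE_DAYS):
    """Return actions: ('disconnect_app', name, risk) when no user has touched the app in the
    window, ('revoke_user', name, user) for idle users of a high-risk app that others still use."""
    actions = []
    for name, info in sorted(apps.items()):
        risk = app_risk(info["scopes"])
        idle = [u for u, last in info["users"].items()
                if last is None or (today - last).days > inactive_days]
        if info["users"] and len(idle) == len(info["users"]):
            actions.append(("disconnect_app", name, risk))
        elif risk == "high":
            actions.extend(("revoke_user", name, u) for u in sorted(idle))
    return actions


if __name__ == "__main__":
    for action in review_apps(APPS):
        print(action)
```

Idle users of low- and medium-risk apps are reported nowhere here; extend the `elif` if your policy also ages out those grants.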

Threat #4: Cloud vulnerabilities  

Vulnerabilities in the cloud are usually not intentional: they are bugs or flaws in the code of the application itself. 

In 2021, our research team identified a bug in Salesforce dubbed Einstein’s Wormhole, which exposed calendar events that could contain highly sensitive data such as attendee names, emails, meeting URLs, passwords, and replies being sent to organizers. Prior to the bug being patched, meeting information with potentially sensitive information was exposed to the entire internet.  

It’s important to monitor what’s happening inside applications, regardless of how much control you have over their code or your ability to fix bugs and apply patches. It’s also important to educate teams internally about the risks involved with applications that are beyond your security teams’ control. 

Everyone owns a portion of the risk and should understand that the cloud is more accessible than ever. 

Threat #5: Link/permissions risks 

Most cloud applications are designed for collaboration and file sharing, which can allow end users to share data externally, organization-wide, or even create public links that could be accessible to anyone on the internet.  

While shared links make it easier to collaborate and distribute information, they also raise the risk of your data getting into the wrong hands and of employees having access to information they don’t need. 

A classic example of excessive permissions mixed with an insider threat is the U.S. Pentagon document leak. A junior airman had access to classified information that he shouldn’t have had access to. While there were perimeter defenses in place to stop him from downloading the data to an external source, he was able to take pictures of the content and transcribe the information. The employee then hosted the information on a Discord server, spurring a diplomatic crisis. 

Having least privilege automation in place can help combat the risk involved with excessive permissions by revoking organization-wide, external, and public link access over time.  

Automation keeps your information secure without requiring security teams to constantly analyze link permissions by hand for the thousands of users and files they create.  
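The least privilege automation described above, as an added example that is not part of the original article: each organization-wide, external or public sharing link is given a maximum age, links past it are revoked, and owners are warned shortly before that point so legitimate shares can be re-created deliberately. The per-scope age limits, the 80% warning point and the sample links are constructed assumptions.

```python
from datetime import date

# Assumed policy: maximum age in days for each sharing scope before the link is revoked.
# Direct user-to-user shares are left alone; the text targets org-wide, external and public links.
MAX_AGE_DAYS = {"public": 7, "external": 30, "org_wide": 90}
WARN_FRACTION = 0.8              # assumed: warn the owner once 80% of the allowed age is used
RUN_DATE = date(2024, 3, 31)     # constructed date of this automation run

# Constructed sample of sharing links (not real data).
LINKS = [
    {"id": "l1", "file": "q3-forecast.xlsx", "scope": "public", "owner": "ana@corp.example", "created": date(2024, 3, 10)},
    {"id": "l2", "file": "onboarding.pdf", "scope": "org_wide", "owner": "bo@corp.example", "created": date(2024, 1, 2)},
    {"id": "l3", "file": "vendor-sow.docx", "scope": "external", "owner": "cj@corp.example", "created": date(2024, 3, 8)},
    {"id": "l4", "file": "team-notes.docx", "scope": "org_wide", "owner": "ana@corp.example", "created": date(2024, 3, 25)},
    {"id": "l5", "file": "payroll.csv", "scope": "direct", "owner": "hr@corp.example", "created": date(2023, 1, 1)},
]


def plan_link_actions(links, today=RUN_DATE, max_age=MAX_AGE_DAYS, warn_fraction=WARN_FRACTION):
    """Return (action, link_id, owner) tuples: 'revoke' for links past their allowed age,
    'warn' for links approaching it, 'keep' otherwise. Scopes without a limit are skipped."""
    plan = []
    for link in links:
        limit = max_age.get(link["scope"])
        if limit is None:
            continue                       # e.g. a direct share: outside this policy
        age = (today - link["created"]).days
        if age > limit:
            plan.append(("revoke", link["id"], link["owner"]))
        elif age >= limit * warn_fraction:
            plan.append(("warn", link["id"], link["owner"]))
        else:
            plan.append(("keep", link["id"], link["owner"]))
    return plan


if __name__ == "__main__":
    for action in plan_link_actions(LINKS):
        print(action)
```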

In closing  

Cloud environments are evolving quickly, and so are the threats looking to compromise them. No matter what the risk is or what the attack vector is, the goal is always the same: threats are after the data. 


(The author is Lexi Croisdale, Content Marketing Manager, Varonis, and the views expressed in this article are his own)
