Cloud computing—a broad term that describes the move to the cloud and a mobile workforce—has brought new security and compliance risks. Cloud account takeover, oversharing of data and usage of unapproved cloud applications present big challenges to security teams. That’s why gaining visibility into and control over IT-approved applications is critical to cloud security. Many organizations are looking to secure Microsoft Office 365, Google G Suite, Box, Dropbox, Salesforce, Slack, AWS, ServiceNow and more.
What is cloud security?
Cloud security encompasses an array of technology, controls and practices used to protect people, data and infrastructure from attacks and compliance risks on cloud computing platforms. Cloud security is critical to making the most of cloud computing in a safe and compliant manner.
A key element of cloud security is a CASB, which stands for Cloud Access Security Broker or Cloud App Security Broker. A CASB can be deployed on-premises or in the cloud, sitting between cloud service users and cloud applications. It monitors cloud activity, blocks attacks and enforces security policies [1].
How does cloud security work?
Cloud security helps organizations protect users from cloud-based threats by:
- Revealing what cloud computing platforms and services their users are accessing
- Monitoring cloud computing activity to detect attacks and user actions that unintentionally put the organization at risk
- Preventing cyber attackers and other unauthorized users from accessing sensitive data and resources
- Protecting users’ cloud-based accounts from takeover
- Enforcing security and compliance policies
Why is cloud security important?
Organizations use cloud computing and cloud-based collaboration or messaging tools to share files and information with colleagues and partners. At the same time, they can put regulated data and intellectual property (IP), such as trade secrets, engineering designs, and other sensitive corporate data at risk. Employee negligence or lack of training can create cloud security threats such as oversharing of files via public links, which anyone can access. Data theft by insiders is also common. For example, salespeople who are leaving your company can steal data from cloud CRM services.
Shadow IT refers to the use of cloud apps and services without explicit approval of IT. Users typically use unapproved software-as-a-service (SaaS) applications for file sharing, social media, collaboration and web conferencing. When users upload corporate data to unapproved apps, they may violate data privacy and residency regulations.
And there’s another growing challenge: third-party apps and scripts with OAuth permissions. OAuth-connected third-party apps access IT-approved cloud computing services, such as Microsoft Office 365 and Google G Suite. It is common to see a hundred if not a thousand apps and scripts in an organization’s cloud environment. Some of these pose risks because poor design gives them broader-than-necessary data permissions. Some are malicious or easy to exploit. What’s the danger of OAuth? Once an OAuth token is authorized, access to enterprise data and applications continues until it’s revoked.
Cloud Security Safety Tips
A CASB service provides four key types of cloud security system management:
- Visibility. This is a consolidated view of an organization’s cloud service landscape, including details about the users who access data in cloud services from any device or location.
- Data Security. Some CASBs provide the ability to enforce data security policies to prevent unwanted activity. Policies are applied through data loss prevention (DLP) controls such as audit, alert, block, quarantine, delete and view only.
- Threat Protection. CASBs prevent unwanted devices, users and certain versions of apps from accessing cloud services by providing adaptive access controls. Cloud app access can be changed based on signals observed during and after login.
- Compliance. CASBs help organizations demonstrate that they are governing the use of cloud services. CASBs assist efforts to conform to data residency and regulatory compliance requirements [2].
Cloud Security Issues & Threats
A CASB can help organizations with four key cloud security challenges.
People and departments within an enterprise often deploy new cloud apps and services without the approval, or even awareness, of IT security managers. These services may result in data loss, data oversharing, compliance issues and more.
At the same time, many users install third-party apps and scripts with OAuth permissions that access IT-approved cloud services, such as Microsoft Office 365 and Google G Suite.
Many of these apps are useful, adding helpful features to standard cloud computing apps. But some can create cloud security issues because they’re overtly malicious or just poorly designed with broader-than-necessary data permissions. And once an OAuth token is authorized, access to enterprise data and applications continues until it’s explicitly revoked, even if the user’s password changes.
CASBs provide visibility into and control over shadow IT to limit people-related risk.
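The OAuth risk described above can be checked against an inventory of app grants. The following is an added example, not code from the original page or from any CASB product: it flags grants that are still live and either hold a broad scope or were authorized before the user's last password change (so the password reset did not cut them off). The inventory records, their field names and the choice of which scopes count as broad are assumptions of this example.

```python
from datetime import datetime

# Scopes treated as broad for this review (Google / Microsoft Graph scope
# names; which ones count as "broad" is an assumption of this example).
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
}

# Constructed inventory of OAuth grants (hypothetical export format).
GRANTS = [
    {"user": "alice@example.com", "app": "PDF Converter",
     "scopes": ["https://www.googleapis.com/auth/drive"],
     "granted": "2019-02-11", "password_changed": "2019-06-01", "revoked": False},
    {"user": "bob@example.com", "app": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "granted": "2019-05-20", "password_changed": "2019-03-02", "revoked": False},
    {"user": "carol@example.com", "app": "Mail Merge Helper",
     "scopes": ["Mail.ReadWrite", "User.Read"],
     "granted": "2019-01-15", "password_changed": "2019-04-10", "revoked": True},
    {"user": "dave@example.com", "app": "Notes Plugin",
     "scopes": ["User.Read"],
     "granted": "2018-11-03", "password_changed": "2019-07-07", "revoked": False},
]

def review_grants(grants, broad_scopes=BROAD_SCOPES):
    """Return (user, app, reasons) for live grants that need attention."""
    findings = []
    for g in grants:
        if g["revoked"]:
            continue  # only explicit revocation ends the token's access
        reasons = []
        broad = sorted(set(g["scopes"]) & broad_scopes)
        if broad:
            reasons.append("broad scope: " + ", ".join(broad))
        granted = datetime.strptime(g["granted"], "%Y-%m-%d")
        changed = datetime.strptime(g["password_changed"], "%Y-%m-%d")
        if granted < changed:
            reasons.append("grant predates last password change")
        if reasons:
            findings.append((g["user"], g["app"], reasons))
    return findings

if __name__ == "__main__":
    for user, app, reasons in review_grants(GRANTS):
        print(f"{user:20} {app:18} {'; '.join(reasons)}")
```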
Cloud account compromise/takeover
Cyber criminals often use compromised cloud accounts to gain access to valuable data and even funds. Once attackers get their hands on cloud account credentials, they impersonate legitimate users. They can trick your people into wiring money to them or releasing corporate data. They can also hijack email accounts to distribute spam and phishing emails.
In a study of more than 1,000 cloud service tenants with more than 20 million user accounts, more than 15 million unauthorized login attempts took place in the first half of 2019 alone. More than 400,000 of these attempts resulted in successful logins. In all, about 85% of tenants were targeted by cyber attacks, and 45% had at least one compromised account in their environment [3]. Attackers typically compromise accounts using one of the following three cloud security threats:
- Brute-force attacks, a trial-and-error technique in which the attacker submits many username and password combinations until something works.
- Credential phishing, in which the attacker uses socially engineered email to trick users into giving up their passwords.
- Password recycling, in which the attacker uses passwords leaked in an unrelated data breach, counting on the user having another account with the same username (often an email address) and password.
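Two of these techniques leave different footprints in sign-in logs: brute force piles failures onto one account, while recycled credentials produce a few failures spread across many accounts. The following added example (not from the original page) classifies sources by that footprint and lists the accounts that logged in successfully from a flagged source. The event format, the thresholds and the assumption that all events fall in one review window are choices made for this example.

```python
from collections import defaultdict

BRUTE_FAILS = 5   # assumed threshold: failures against one account from one source
SPREAD_USERS = 4  # assumed threshold: distinct accounts failed from one source

def _build_events():
    """Constructed sign-in events: (source_ip, username, outcome)."""
    ev = [("203.0.113.7", "alice@example.com", "fail")] * 6
    ev.append(("203.0.113.7", "alice@example.com", "success"))
    for name in ("bob", "carol", "dave", "erin", "frank"):
        ev.append(("198.51.100.9", f"{name}@example.com", "fail"))
    ev.append(("198.51.100.9", "grace@example.com", "success"))
    # A user who mistyped a password once: should not be flagged.
    ev += [("192.0.2.44", "heidi@example.com", "fail"),
           ("192.0.2.44", "heidi@example.com", "success")]
    return ev

EVENTS = _build_events()

def classify_sources(events):
    """Map each suspicious source IP to its pattern and accounts to reset."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    wins = defaultdict(set)                        # ip -> users with a success
    for ip, user, outcome in events:
        if outcome == "fail":
            fails[ip][user] += 1
        else:
            wins[ip].add(user)
    report = {}
    for ip, per_user in fails.items():
        if max(per_user.values()) >= BRUTE_FAILS:
            kind = "brute-force"
        elif len(per_user) >= SPREAD_USERS:
            kind = "password-recycling"
        else:
            continue  # below both thresholds: treat as ordinary user error
        # A success from a flagged source is a likely takeover.
        report[ip] = {"pattern": kind, "accounts_to_reset": sorted(wins[ip])}
    return report

if __name__ == "__main__":
    for ip, info in classify_sources(EVENTS).items():
        print(ip, info["pattern"], info["accounts_to_reset"])
```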
Data loss and IP theft
On any typical business day, people share information with colleagues, partners and others via cloud-based collaboration or messaging tools. But lack of employee training on cloud security or worker malice could result in sensitive data being shared with those who shouldn’t be able to see it.
Enterprises face growing cloud compliance risks in the face of ever-changing cybersecurity regulations. Governmental and industry regulations require you to know where your data is in the cloud and how it is being shared. The European Union General Data Protection Regulation (GDPR) affects millions of organizations. That’s why developing a plan to comply with the new rules is critical for all organizations. A CASB can be a key.
Cloud Security Threats
Today’s attacks target people, not technology. This is just as true for the cloud as it is on premises. As businesses move their messaging and collaboration platforms from the corporate network to the cloud, they become vulnerable to attack.
Cyber criminals tend to target popular SaaS applications like Microsoft Office 365 and Google G Suite. Just about everyone at your company uses these applications, and they hold the key to business communication and vital data. Attackers use a variety of techniques to compromise cloud account credentials and take advantage of vulnerable users, including:
- Intelligent brute-force attacks. Automated tools are used to come up with multiple combinations of usernames with passwords exposed in large credential dumps.
- Advanced phishing campaigns. These targeted and well-crafted campaigns come in various forms and trick people into revealing their authentication credentials.
- Malicious file-shares. Phishing links, credential stealers and downloaders are typically used in these types of attacks. Threat actors also distribute malware via cloud services such as Dropbox.
Tips for Cloud Security Protection
A CASB with a broad complement of cloud security solutions with robust detection, remediation and risk-based authentication capabilities offers the best defense against today’s people-centric threats, including brute-force attacks, phishing attacks and malicious file shares.
Protect against cloud-based security threats
Cyber criminals tend to target people, not technology, with popular cloud-delivered SaaS applications such as Microsoft Office 365 or Google G Suite. A CASB with a broad complement of cloud security solutions offers the best defense against today’s people-centric threats.
Stay in compliance
As your employees, contractors and partners share more data in the cloud, the risk of a breach increases. You need risk-aware cloud security that connects the dots to detect and prevent such breaches. In addition, compliance with government regulations and industry mandates is essential. These cover the following: personally identifiable information (PII) such as Social Security numbers or date of birth; consumer payment card information (PCI); and protected health information (PHI) such as medical records.
Manage cloud apps in your environment
Given the proliferation of cloud-delivered apps, governance of the use of those apps is essential. The average enterprise has an estimated 1,000 cloud apps in use, and some of them have serious cloud security gaps. They can violate data residency regulations, such as GDPR. In addition, attackers often use third-party add-ons and social engineering to trick people into granting broad access to your approved SaaS apps.
Cloud-app governance capabilities provide important visibility into cloud security threats. They also provide important controls that alert and coach end users and set up automated responses for cloud access such as “allow,” “read-only,” or “block.”