Humans eat, sleep, and expose data.
Just in the time it takes you to read this blog, your blast radius will expand meaningfully. As access to sensitive data expands in the cloud, so do the different ways it can be compromised.
With some of your most crucial data living in the cloud environment, how can you keep it protected? Which threats should you be most concerned about?
In a recent webinar, Ryan O’Boyle, Senior Manager of Cloud Architecture and Operations at Varonis, and Nathan Coppinger, Product Marketing Manager at Varonis, discussed the top five cloud threats present today. They covered where these threats stem from, how they can be used against you, and what steps you can take to ensure your data is secure.
Here’s what they found:
Threat #1: Identity risk
One of the challenges of using the cloud is the sprawl of applications that create a unique set of identities. As the cloud footprint increases, it’s a challenge for security teams to monitor and secure multiple identities in multiple spaces.
Threat actors are also evolving and targeting users specifically through various tactics, like social engineering and compromising personal accounts.
The LAPSUS$ group made headlines when they hacked major companies, including Microsoft, Okta, Samsung, Ubisoft, and Nvidia, using phone-based social engineering and SIM-swapping. The group would call IT departments and impersonate the target, bypass multifactor authentication or password resets, and gain access to the data.
There are two steps to help determine the identities of users inside and outside of your organization who have access to your environment.
- Take stock of all the applications being used in your organization and understand the permissions involved within each of them.
- Conduct reporting on a weekly, monthly, or quarterly basis. The metrics found in your report will identify areas that need attention, such as stale users, personal account use, a jump in external users, or more admin access being granted.
It’s also important to set parameters for offboarding employees, as stale user accounts could give former employees the ability to expose your sensitive data and give attackers an opportunity to access your environment.
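The reporting step above, as an added example that is not part of the original post: a small Python routine that takes a per-application identity inventory and produces the metrics named in the list (stale users, personal account use, newly added external users, new admin grants) plus the offboarding check. The inventory, corporate and consumer domains, the 90-day stale threshold, and the report date are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one row per identity per app,
# in the shape a permissions export from each application might take.
CORP_DOMAINS = {"example.com"}                      # assumption: your own domains
PERSONAL_DOMAINS = {"gmail.com", "outlook.com"}     # assumption: consumer mail domains
STALE_AFTER = timedelta(days=90)                    # assumption: stale threshold
TODAY = date(2024, 6, 1)                            # assumption: report date

INVENTORY = [
    {"app": "M365", "user": "alice@example.com", "role": "admin", "last_login": date(2024, 5, 30)},
    {"app": "M365", "user": "bob@example.com", "role": "user", "last_login": date(2024, 1, 10)},
    {"app": "Salesforce", "user": "carol@gmail.com", "role": "user", "last_login": date(2024, 5, 20)},
    {"app": "Salesforce", "user": "partner@vendor.test", "role": "user", "last_login": date(2024, 5, 28)},
    {"app": "Box", "user": "dave@example.com", "role": "admin", "last_login": date(2023, 11, 1)},
]


def domain_of(user):
    return user.rsplit("@", 1)[-1].lower()


def identity_metrics(inventory, today=TODAY, previous_external=None,
                     previous_admins=None, offboarded=None):
    """Build the periodic identity report.

    previous_external / previous_admins come from the last report so the
    function can flag jumps in external users and newly granted admin access;
    offboarded is the set of accounts HR says should no longer exist.
    """
    previous_external = previous_external or set()
    previous_admins = previous_admins or set()
    offboarded = offboarded or set()

    stale = {(r["app"], r["user"]) for r in inventory if today - r["last_login"] > STALE_AFTER}
    personal = {r["user"] for r in inventory if domain_of(r["user"]) in PERSONAL_DOMAINS}
    external = {r["user"] for r in inventory if domain_of(r["user"]) not in CORP_DOMAINS}
    admins = {(r["app"], r["user"]) for r in inventory if r["role"] == "admin"}
    lingering = {r["user"] for r in inventory if r["user"] in offboarded}

    return {
        "stale_users": sorted(stale),
        "personal_accounts": sorted(personal),
        "external_users": len(external),
        "new_external": sorted(external - previous_external),
        "new_admin_grants": sorted(admins - previous_admins),
        "offboarded_still_present": sorted(lingering),
    }
```

Each non-empty list in the returned dictionary is an item for the reviewer to act on, and the `new_*` entries show what changed since the previous reporting period.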
Threat #2: Configuration risk
A multitude of cloud applications brings a multitude of configuration settings.
When implementing new applications, it takes time to learn how specific settings are configured by default, what the best practices are, and to distinguish if the settings for production environments differ from sandbox or dev environments.
Varonis Threat Labs discovered that anonymous users could exploit misconfigured Salesforce communities to potentially expose sensitive data — such as customer lists, support cases, email addresses, and more — to anyone on the internet.
At a minimum, malicious actors could exploit configurations to perform recon for spear-phishing campaigns, and at worst, they could steal sensitive information about the business, including its operations, clients, and partners.
Many organizations don't realize that Salesforce, or some of the other file-sharing collaboration platforms, are built by design to share data publicly and that it’s a feature, not a bug.
Auditing your security configurations on a recurring basis can help minimize the amount of unwarranted access to your cloud environments. Some applications, such as Salesforce, also have built-in health checker tools that you can run manually.
Varonis goes beyond visibility with intelligent remediation capabilities built into our Data Security Platform. Our platform continuously assesses your data security posture, automatically surfacing critical misconfigurations and presenting them to you in a real-time, customizable DSPM dashboard.
Threat #3: Third-party app risk
Third-party apps connect to your SaaS or infrastructure applications, and this often happens without oversight from security teams because users can grant themselves permissions — often without thinking twice about the access they give these apps.
Think of trying to sign up for the latest social networking app, and to bypass filling out a lengthy form, you can simply connect it to your Gmail account, thus opening up access to your information stored within this app.
It can be challenging to understand which apps are configured and what they have access to, which is similar to the identity risks covered in threat #1.
There is also the risk of apps containing vulnerabilities that threat actors could exploit. Through a single click, access can be granted to these malicious applications.
The Varonis Threat Labs team created an attack scenario in which we created a realistic-looking app and used a phishing technique to get a user to install an app and grant full access to their Microsoft 365 environment. While our scenario was a simulation, most hackers and ransomware groups wouldn't stop there and would further exploit the information they find.
As the usage of third-party apps rises, assessing your connected apps and the risks involved with them is essential. We recommend analyzing the permissions for each app and ranking their risk level as low, medium, or high.
You can assess how many employees are using the app and their activity levels with automation or through manual reporting. For example, users who haven’t opened a high-risk app in the last six months should have their permissions revoked to avoid breaches. You may want to disconnect the app altogether if it’s not being used.
Continually monitoring and cleaning up your third-party app library makes it easier to track and maintain which apps have access to your data.
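The app review described above, as an added example that is not part of the original post: each connected app is ranked low, medium, or high from the permissions it holds, idle users on high-risk apps are flagged for revocation after six months, and an app with no active users at all is flagged for disconnection. The grant records, the scope names, and which scopes count as high or medium risk are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Assumption: which granted scopes make an app high or medium risk. The names
# mimic OAuth scope strings; the ranking policy itself is the example's own.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
MEDIUM_RISK_SCOPES = {"Mail.Read", "Files.Read.All", "Calendars.Read"}
SIX_MONTHS = timedelta(days=182)   # assumption: idle threshold from the text

# Constructed sample of connected apps (not real data): scopes granted and
# the last time each user exercised the grant.
GRANTS = [
    {"name": "Mail Merge Helper", "scopes": ["Mail.ReadWrite", "User.Read"],
     "users": {"alice@example.com": date(2024, 5, 20), "bob@example.com": date(2023, 10, 1)}},
    {"name": "Calendar Widget", "scopes": ["Calendars.Read"],
     "users": {"carol@example.com": date(2023, 9, 1)}},
    {"name": "Status Badge", "scopes": ["User.Read"],
     "users": {"dave@example.com": date(2024, 5, 1)}},
]


def rank_app(scopes):
    """Low/medium/high from the most permissive scope the app holds."""
    scopes = set(scopes)
    if scopes & HIGH_RISK_SCOPES:
        return "high"
    if scopes & MEDIUM_RISK_SCOPES:
        return "medium"
    return "low"


def review_apps(grants, today):
    """Return, per app, its risk rank, usage counts and the recommended action."""
    report = {}
    for app in grants:
        risk = rank_app(app["scopes"])
        idle = sorted(u for u, last in app["users"].items() if today - last > SIX_MONTHS)
        active = len(app["users"]) - len(idle)
        if active == 0:
            action = "disconnect"          # nobody uses it: remove the app entirely
        elif risk == "high" and idle:
            action = "revoke_idle"         # high-risk grant unused for six months
        else:
            action = "keep"
        report[app["name"]] = {"risk": risk, "active_users": active,
                               "idle_users": idle, "action": action}
    return report
```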
Threat #4: Cloud vulnerabilities
Vulnerabilities in the cloud are usually not by design and could be bugs or holes in the code or application.
In 2021, our research team identified a bug in Salesforce dubbed Einstein's Wormhole, which exposed calendar events that could contain highly sensitive data such as attendee names, emails, meeting URLs, passwords, and replies being sent to organizers. Prior to the bug being patched, meeting information with potentially sensitive information was exposed to the entire internet.
It’s important to monitor and see what’s happening inside applications, regardless of how much control you have over their coding and/or ability to fix bugs and patch appropriately. It's also important to internally educate teams about the risks involved with applications that are beyond your security teams' control.
Everyone owns a portion of the risk and should understand that the cloud is more accessible than ever.
Threat #5: Link/permissions risks
Most cloud applications are designed for collaboration and file sharing, which can allow end users to share data externally, organization-wide, or even create public links that could be accessible to anyone on the internet.
While shared links make it easier to collaborate and distribute information, they also raise the risk of your data getting into the wrong hands and of employees having access to information they don’t need.
A classic example of excessive permissions mixed with an insider threat is the U.S. Pentagon document leak. A junior airman had access to classified information that he shouldn’t have had. While perimeter defenses were in place to stop him from downloading the data to an external source, he was able to take pictures of the content and transcribe the information. He then hosted the information on a Discord server, spurring a diplomatic crisis.
Having least privilege automation in place can help combat the risk involved with excessive permissions by revoking organization-wide, external, and public link access over time.
The power of automation keeps your information secure and doesn’t require a heavy lift for security teams to constantly analyze link permissions for the thousands of users and files they create.
In closing
Cloud environments are evolving quickly, and so are the threats looking to compromise them. No matter what the risk is or what the attack vector is, the goal is always the same: threats are after the data.
Watch the full session with Ryan and Nathan to learn more about identity risk, configuration risks, third-party app risks, cloud vulnerabilities, sharing links, and how Varonis can help mitigate these risks to keep your data protected.