Cloud infrastructure has transformed organizations’ infrastructure forever. With almost instantaneous access to much needed computing power, as well as advanced technologies such as artificial intelligence, organizations were quick to adopt these services, propelling the companies behind them towards trillion-dollar valuations. The cloud revolution has enabled SaaS services, dramatically simplifying how companies and individuals do business. Therefore, it is not surprising that cloud and SaaS have been adopted not only by large enterprises, but by smaller companies and individuals as well. Despite the many advantages, including ones specifically in the cyber security space, this mass migration to the cloud also opened the door to previously nonexistent security threats.
Before the cloud exploded into our lives, organizations had very clear perimeters. To access a company’s internal information, one needed to VPN into the organization’s intranet. With the cloud, for the very first time, sensitive information was put on external resources. This move wasn’t only made for convenience and cost, but for extra functionality. Among other features, cloud service providers made it possible for their customers to determine whether some (if not all) of the hosted information could be made public. Making content publicly available lets organizations publish marketing materials and other non-essential, non-classified material with ease, ready for use by anyone in the field. You could even deploy simple websites quickly and painlessly. Or, at least, that was the intent of this feature.
As many recent data leaks have shown, accidentally setting sensitive materials as public, essentially leaking them out, is quite common. Employees who were unfamiliar with the various options available when deploying cloud servers simply set them up with erroneous access permission settings. Other access permission mistakes also occurred, such as enabling anyone to upload files to a storage service (what could go wrong, I wonder?). By offering this feature, cloud service providers have essentially increased the frequency of insider threats.
This issue wasn’t limited to cloud services. Certain SaaS solutions, such as source code repositories, also increase insider threats. By offering the option to create either private or public code repositories, they open the door to honest mistakes with dire consequences: exposing a company’s source code to the web.
Seeing how common these data leaks have become, cloud service providers made access permission settings clearer to users, warning them that their information will become publicly accessible when set up that way, thus making it harder for their users to make these mistakes. So, if extra measures were taken to ensure this won’t happen again, all is well, right? Unfortunately, that is not the case. Despite being a smaller door, some users still manage to go through it.
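The two mistakes described above, a bucket readable by anyone and a bucket that anyone can upload to, are both visible in the storage service's access policy before any data leaks. The following policy linter is an added example and not code from this post or from any provider; it assumes the AWS S3 bucket-policy JSON layout (the post names no specific provider), and every policy, account id and VPC id in it is a constructed placeholder. It flags Allow statements whose Principal is everyone, separates public read from public write, and sets aside statements that carry a Condition, since a condition may narrow "anyone" to a VPC or IP range and needs a human look.

```python
import fnmatch
import json

# Constructed sample policies (not from the post). They follow the AWS S3
# bucket-policy JSON layout; that provider choice is an assumption of this example.
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},  # placeholder account id
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-private-bucket/*",
    }],
}

PUBLIC_READ_POLICY = {  # the "marketing site" use the post describes: readable by anyone
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForWebsite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-marketing-site/*",
    }],
}

PUBLIC_UPLOAD_POLICY = {  # the "anyone can upload" mistake the post mentions
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneUpload",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-dropbox/*",
    }],
}

CONDITIONAL_POLICY = {  # wildcard grant narrowed by a Condition: not necessarily public
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WildcardButVpcScoped",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-internal/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},  # placeholder
    }],
}

# Lower-cased so matching is case-insensitive, as IAM action names are.
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """True when the statement grants to every caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _matches(patterns, actions):
    """Does any allowed action pattern (s3:*, s3:get*) cover any action in `actions`?"""
    return any(fnmatch.fnmatchcase(a, p) for p in patterns for a in actions)


def find_public_grants(policy):
    """Return (Sid, finding) pairs for Allow statements that are open to anyone.

    Deny statements are ignored on purpose: the check may over-report a grant that a
    Deny later cancels, but it never under-reports an open one.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition (source VPC, IP range, ...) may narrow "anyone"; flag for review.
            findings.append((sid, "public-with-condition"))
            continue
        patterns = {p.lower() for p in _as_list(stmt.get("Action"))}
        if _matches(patterns, READ_ACTIONS):
            findings.append((sid, "public-read"))
        if _matches(patterns, WRITE_ACTIONS):
            findings.append((sid, "public-write"))
    return findings


def lint_policy_document(text):
    """Same check for a policy serialised as JSON (as fetched from an API or stored in IaC)."""
    return find_public_grants(json.loads(text))


if __name__ == "__main__":
    samples = [("private", PRIVATE_POLICY), ("public-read", PUBLIC_READ_POLICY),
               ("public-upload", PUBLIC_UPLOAD_POLICY), ("conditional", CONDITIONAL_POLICY)]
    for name, policy in samples:
        print(f"{name}: {find_public_grants(policy) or 'no public grants'}")
```

The bucket policy is only one of the places a bucket can be opened up; object ACLs and account-level public-access settings are outside what this check reads, so a clean result here means "no public grant in the policy", not "not public". Running it over policies as they are committed to infrastructure-as-code catches the mistake before deployment, which is the point the post makes about mistakes that provider warnings alone do not stop.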
The issue here is bigger than isolated insider threat incidents. Everyone has moved to the cloud, including the vendors, partners and customers of those large enterprises. Not all of them are large companies, and not all of them have the ability to properly secure the cloud or hire a company to do so. This leads to a scenario where your own cloud configuration may be secure – but your information may still be leaking out from the insecure cloud resources of other companies. While vendor reviews may reduce some of the risk, they are still a practice not employed by everyone (especially smaller organizations), and the data isn’t leaking out exclusively through vendors, but also through other third parties.
This is not a hypothetical scenario; it is what we have observed in many incidents in the wild. In one such case, we have found documents with Personally Identifiable Information of one of the world’s largest banks on a server belonging to a third party they worked with. In another, we’ve identified an invoice of a known cyber security company on the insecure server of a SaaS service provider they were using. While an invoice may sound innocuous, the document contained the details of their customer, a CISO of a large organization, along with his contact information, as well as the pricing and specifications of their product. The information could have been invaluable for this company’s rivals.
To make matters worse, data may leak from third parties with no affiliation to the organization whose information is leaking. This means that any type of process to assess third party risk would not identify these threats. For example, we have found that payroll slips of multiple international companies could be found on an insecure server, publicly accessible to anyone who knows its location. The server belonged to an insurance company, and the slips were submitted by the employees of these companies as part of the insurance application process. The insurance company had nothing to do with the companies who issued those slips, yet information on exactly how much they paid their employees (along with each employee’s Personally Identifiable Information) is something they would definitely not want to be publicly available.
The new reality is that the risk of insider threats is higher than ever, thanks to additional functionality that turns information from private to public with the click of a button. However, no matter how much you invest in your internal and cloud security, the “insider” may not even be in your company. Even if you have not moved to the cloud, even if you are completely secure, your company is not isolated and your data may still leak from dozens of potential third parties. Since some data leakage incidents cannot realistically be prevented, even when vendor reviews and cloud security measures are properly applied, organizations should expand their focus to include after-the-fact detection and remediation.