In July 2015, Andrew Skelton was sentenced to eight years for a data breach at supermarket group Morrisons. But what’s that got to do with running a cloud services business?
Actually, it’s highly relevant when you consider who Skelton is. He was the company’s senior internal auditor and how he stole and published sensitive employee data is a dramatic example of an insider hack by a trusted member of staff.
While cloud service providers like data centre and hosting companies have little to do with in-store bakeries, shopping trolleys with wonky wheels and the price of baked beans, they too could risk being blindsided by the threats posed by employees with privileged access rights. This can include senior administrators who, like Skelton, have legitimate access to sensitive data and systems. And, like Skelton, they could go rogue and cause financial and reputational damage on a huge scale.
[easy-tweet tweet=”We have tended to visualise the hacker as the outsider, but this isn’t always the case” user=”Courion and @comparethecloud” hashtags=”security”]
We have tended to visualise the hacker as the outsider. But, serious data breaches like Morrisons are more likely to be the work of a disgruntled or criminal employee and highlight the importance of controlling access to employees in any position who have access to sensitive data or systems.
Thankfully, awareness of internal threats is becoming better understood.
According to the authoritative Verizon 2015 Data Breach Investigations Report, 55 percent of all insider breaches in the last 12 months were examples of privilege abuse. In other words, any employee account could be the subject of an outsider taking control for malicious motives. Of these cases, financial gain and convenience were reported as the primary motivators.
[easy-tweet tweet=”55% of all insider breaches in the last 12 months were examples of privilege abuse” user=”courion” usehashtags=”no” hashtags=”cloudsecurity”]
So what are the best strategies?
While monitoring employee behaviours might be one place to start, it would be impossible and invasive to monitor employee behaviours. What’s more, with the vast amounts of complex access privileges assigned to a large number of employees, the problem is a technical one.
It’s also likely that an insider hacker will be as, if not more, sophisticated and capable as an external one. Indeed a senior administrator within a cloud business will have access to more techniques and opportunities to hide their exploit. They may be able to operate within the business using multiple accounts under different identities. Some might possess access privileges from previous roles that are no longer appropriate or have conflicting permissions and should have been terminated long ago.
Whether their staff are a risk or not, cloud businesses should be determined to get on top of identity and access management. Indeed, a prime strategy should be to undertake a regular and deep audit and clean up of how access privileges are being assigned with ongoing management and control through identity governance and management.
This vital exercise can reveal some nasty surprises. For example, my company did an analysis of one global business and discovered 1000+ abandoned contractor accounts, 100+ terminated employee accounts that needed to be de-provisioned, 14,000 inactive user groups and over 25 or so users with access in excess of their role. And, this was a business that had otherwise very robust data security and a large IT function.
doing a thorough houseclean of access privilege is an extremely sensible first step
For businesses that might rely on temporary or contractor workers, a similar hidden set of risks may be lurking even behind an otherwise well run IT operation. Therefore, doing a thorough houseclean of access privilege is an extremely sensible first step. But this high standard needs to be sustained by choosing processes and systems that significantly reduce the risks by making access management and governance much easier to enforce and do.
Complementing other HR and technology strategies like perimeter protection and encryption should be how the chief information security officer (CISO) has access to the very best intelligence about who has access to what; and a clear view of the anomalous behaviours that could be the precursor or immediate evidence of an insider hack.
Users tend to leave footprints wherever they go on the network, and their activities can be collected and scrutinised using predictive analytics. New intelligent identity and access management tools are able to sift through huge volumes of user activity and pinpoint and analyse the greatest access risks in real time. This enables businesses to quickly identify misuse of access privileges and take appropriate actions to mitigate the potential damage for their organisation before the insider hack occurs.
With the use of real-time access insights, organisations will be able to detect not only existing security vulnerabilities but also potential risk areas and identify the actual causes for these risks. For example, hidden Active Directory Group Nesting is a leading cause of inappropriate access that is usually under the radar of native Access Management. This new visibility of access privileges will result in improved control over how sensitive data is being used and shared by employees, and a better understanding of access risk.
[easy-tweet tweet=”With the use of real-time access insights, organisations will be able to detect existing security vulnerabilities ” via=”no” usehashtags=”no”]
Ultimately, the best practice for protecting your organisation against privileged access misuse may come down to a much more holistic approach that blends technology with the skills of an organisation’s human resources leadership in overseeing and controlling processes for new joiners, leavers and internal movements of staff and changes in roles and responsibilities. With the next generation access intelligence solutions now available, enterprises can weigh the risks to vital assets such as intellectual property and customer information and settle them instantly.
Matt Allen, Solution Architect, Professional Services & EMEA Operations, Courion
Matt joined Courion in 2015, where he now leads the design and delivery of enterprise scale IAM projects across EMEA. He has over 10 years experience working in the IT security industry, specialising in Identity Governance, Access Management, Direct Provisioning and Federation focussed solutions.