The most widely advertised risks to data in the cloud typically focus on vulnerability to external attackers, but in private conversations security teams frequently voice concern over threats from within their own organizations.
When you think of insider threats, you probably worry about headline-grabbing incidents in which whistle-blowers expose data to the media, as in the case of Edward Snowden. The reality is that these highly visible yet rare cases are only the tip of the iceberg. The bulk of insider threats are either well-intentioned but careless employees or rogue insiders in pursuit of personal gain. These cases fly under the radar: While only 17% of security professionals were aware of an insider threat within their organization in the past year, usage data from Skyhigh’s latest Cloud Adoption and Risk Report revealed anomalous activity highly indicative of insider threat in 85% of organizations.
The cloud has vastly expanded the scope of insider threat. The sheer number of cloud applications (over 8,000) and immature auditing and governance controls relative to on-premises applications result in lack of visibility and governance. Read on, if you dare, for harrowing tales of insider threats -- cloud edition.
The salesperson jumps ship
In one of the most common insider threat scenarios, a sales representative leaves the company for a competitor, taking sales leads with him. Concern over defectors leaving with data is prevalent in organizations of all industries and sizes, especially in competitive markets. Stealing leads is difficult to detect, not only because it occurs on sanctioned corporate services, but also because it adversely affects business.
Cloud services have made this type of event unrecognizable from the classic theft of a physical stack of leads, à la Glenngarry Glenn Ross. Salesforce makes a huge number of leads accessible to employees at the click of a button. The challenge for enterprises that can easily have thousands of Salesforce users logging in each day is identifying unusual, anomalous activity against a background of typical everyday activity.
When admins go rogue
Employees at all levels of an organization rely on cloud services to do their jobs, including the C-suite. Privileged users, however, have unique authority: administrative access to data housed in a cloud service.
A large technology company I spoke with voiced concern over internal administrators for their CRM software. These admins were responsible for managing users’ permissions and security policies. At the same time, they personally had access to business data stored in the cloud service, constituting a security liability. Another example: an administrator for a cloud-based storage service can access executive-only financial projections and conduct insider trading with the confidential information.
Danger from within
Insider threat is typically discussed in the context of enterprise employees, but cloud-service-provider employees present another vector for the exfiltration of data from within. Take, for example, a cloud service used internally by Human Resources. An employee of the cloud service provider has access to sensitive corporate data hosted in that service. Depending on the user agreement, the cloud service provider may not even be liable for lost data. This scenario illustrates how enterprise cloud use must involve a level of protection in security controls against both external and internal threats.
The virtual globetrotter
Cloud services enable worldwide collaboration, but the same trait allows data to wander where it shouldn’t. In a famous episode of unprecedented audacity, a developer at an unnamed company outsourced his own job to a Chinese counterpart. He paid a worker in China to complete his assignments and kept the margin. Legality aside, the creatively devious workflow obviously exposed his employer to an array of security concerns, as corporate data was openly shared with a third-party.
Shady services stand out
Some cloud services flat-out mean trouble for businesses. Violating company cloud usage policies constitutes another type of insider threat, and can range in severity from illicit Facebook use to illegal file sharing. On the more drastic side of the spectrum is the employee who uploads data to a development site such as CodeHaus, which claims ownership of uploaded intellectual property in its user agreement terms. The infamous worst user in the world used 182 high-risk cloud services at work, uploading 9.3GB to code-sharing site SourceForge and 3GB to file-sharing site ZippyShare. Sending data to these services may have legal ramifications and may even hurt the business if sensitive intellectual property is leaked.
Paved with good intentions
Not all insider threats come from malicious perpetrators. The wealth of consumer applications in the enterprise makes it possible for employees to inadvertently leak data to outsiders with just one click. One hapless worker at a financial services organization accidentally uploaded sensitive customer data to Facebook -- definitely worse than your average case of “oversharing” on social media. Employees accidentally commit security missteps in the process of doing their jobs. At a hospital, one team set out to foster collaboration and improve patient outcomes by storing patient medical records in a consumer-grade file sharing service. When the service suffered a breach, HIPAA regulations forced the hospital to notify patients and exposed it to a lawsuit.