Shadow IT, Cloud-Based Malware Increase AppSec Risks

Cloud application security risks continue to rise as malware delivered by cloud applications continues to grow, according to a study by Netskope.

The biannual study also highlighted the potential for critical data exfiltration tied to employees departing their jobs—departing employees upload three times more data to personal apps in the last 30 days of employment, with personal Google Drive and Microsoft OneDrive instances the most popular targets.

The report also found nearly all (97%) Google Workspace users have authorized at least one third-party app to have access to their corporate Google account, potentially exposing data to third parties due to permissions like “View and manage the files in your Google Drive.”

Adoption of cloud applications grew 22% during the first six months of 2021, where the average company with 500 to 2,000 users now has 805 distinct apps and cloud services, of which 97% are shadow IT—unmanaged technology that’s often freely adopted by business units and end users.

Meanwhile, cloud-delivered malware has increased to an all-time high of 68%. Cloud storage apps now account for 66.4% of cloud malware delivery, and malicious Office docs now account for 43% of all malware downloads, up from 20% at the start of 2020.

Workloads Exposed

More than 35% of all workloads are exposed to the public internet within AWS, Azure and GCP, with RDP servers—a popular infiltration vector for attackers—exposed in 8.3% of workloads.
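The exposure figure above is the kind of thing a defender can measure directly in their own accounts. The following script is an added example, not code from Netskope or from the article: it walks a list of security groups in the shape of the EC2 DescribeSecurityGroups response and flags any group whose inbound rules let the whole internet reach RDP (TCP 3389), including "all traffic" rules and port ranges that happen to include 3389. The sample groups and their ids are constructed placeholders so the check runs offline.

```python
# Added example (not from the Netskope report or the article): a detection check
# that flags cloud security groups whose inbound rules expose RDP (TCP 3389) to the
# whole internet. The input mirrors the shape of the EC2 DescribeSecurityGroups
# response but is constructed inline; the group ids are placeholders.
from typing import Dict, List

RDP_PORT = 3389
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample inventory (not real security groups).
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-placeholder-a", "GroupName": "jump-host",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-placeholder-b", "GroupName": "internal-only",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-placeholder-c", "GroupName": "allow-everything",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-placeholder-d", "GroupName": "wide-port-range",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-placeholder-e", "GroupName": "web-only",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_covers_rdp(rule: Dict) -> bool:
    """True if the rule's protocol and port span include TCP 3389."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        # "All traffic" rules carry no port fields and cover every port.
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535)


def rule_is_world_open(rule: Dict) -> bool:
    """True if any source range is the unrestricted IPv4 or IPv6 CIDR."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_exposed_rdp(groups: List[Dict]) -> List[str]:
    """Return ids of groups with at least one world-open rule that covers RDP."""
    exposed = []
    for group in groups:
        if any(rule_covers_rdp(r) and rule_is_world_open(r)
               for r in group.get("IpPermissions", [])):
            exposed.append(group["GroupId"])
    return exposed


def exposure_rate(groups: List[Dict]) -> float:
    """Share of groups exposing RDP, as a percentage (the metric the report cites)."""
    if not groups:
        return 0.0
    return 100.0 * len(find_exposed_rdp(groups)) / len(groups)


if __name__ == "__main__":
    for gid in find_exposed_rdp(SAMPLE_GROUPS):
        print(f"RDP reachable from the internet: {gid}")
    print(f"exposure rate: {exposure_rate(SAMPLE_GROUPS):.1f}%")
```

The two cases that naive port-equality checks miss are the "all traffic" rule (protocol `-1`, no port fields) and a wide port range that happens to include 3389; both count as exposure here.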

Douglas Murray, CEO at Valtix, pointed out that the Netskope report correctly highlights the fact that public cloud security should be front-of-mind for all enterprises.

“In 2020, we saw a massive inflection point as cloud spend exceeded on-prem data center spend,” Murray said. “With this comes the importance of securing cloud access, networks and applications.”

He noted that cloud-delivered malware is at a record high, and even employees come into the mix by copying company data to personal cloud apps.

“This is why policies such as DLP to prevent exfiltration are so important,” he said. “The cloud can be very powerful. But it can also create significant corporate risk if not managed correctly.”

Murray said it is very easy for a departing employee to copy data from corporate storage to personal storage, especially in the context of cloud-based storage like S3 buckets or Google drives.

He noted that these employees usually have legitimate access to the corporate storage, granted through resource- and identity-based policies.

“What needs to be put in place is the ability to prevent the copying of data to personal cloud storage from corporate assets with access controls enhanced with an additional layer of DLP checks looking for critical data exfiltration,” he said. “Many companies focus on data going into their accounts, and not enough attention is paid to what leaves their accounts.”
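One concrete form of the outbound DLP check Murray describes, and of the departing-employee pattern the report measured (three times the usual upload volume to personal apps in the last 30 days), is a baseline comparison over proxy logs. The script below is an added example, not code from the article, from Netskope or from Valtix: it reads constructed upload records, keeps only those bound for personal storage hosts, and flags any user whose last-30-day volume is at least three times their own normalised 90-day baseline. The hostnames, the log format, the reference date and the 3x threshold are all assumptions chosen for the example.

```python
# Added example (not from the article or any vendor): a DLP-style exfiltration
# check over constructed proxy log lines. Each user's upload volume to personal
# cloud storage in the last 30 days is compared with their own prior 90-day
# average; users at or above SPIKE_FACTOR are flagged. Hostnames, log format,
# reference date and threshold are assumptions made for this example.
import csv
import io
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List

# Assumed hostnames for personal (non-corporate) storage instances.
PERSONAL_STORAGE_HOSTS = {"drive.google.com", "onedrive.live.com"}

RECENT_DAYS = 30
BASELINE_DAYS = 90
SPIKE_FACTOR = 3.0          # chosen threshold, echoing the report's 3x observation
SAMPLE_AS_OF = date(2021, 6, 30)   # constructed reference date

# Constructed sample log: one upload per line (date, user, destination, bytes sent).
SAMPLE_LOG = """\
date,user,dest_host,bytes_out
2021-03-15,alice,drive.google.com,10000000
2021-04-20,alice,drive.google.com,10000000
2021-05-10,alice,drive.google.com,10000000
2021-06-10,alice,drive.google.com,25000000
2021-06-25,alice,drive.google.com,25000000
2021-06-26,alice,corp.sharepoint.com,90000000
2021-03-05,bob,onedrive.live.com,10000000
2021-05-01,bob,onedrive.live.com,10000000
2021-06-15,bob,onedrive.live.com,15000000
2021-06-20,carol,drive.google.com,5000000
"""


def upload_ratios(log_text: str, as_of: date) -> Dict[str, float]:
    """Per user: bytes to personal storage in the last RECENT_DAYS divided by the
    30-day-normalised volume of the preceding BASELINE_DAYS. A user with uploads
    but no baseline at all gets inf (no history counts as a spike)."""
    recent_start = as_of - timedelta(days=RECENT_DAYS)
    baseline_start = recent_start - timedelta(days=BASELINE_DAYS)
    recent = defaultdict(int)
    baseline = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest_host"] not in PERSONAL_STORAGE_HOSTS:
            continue  # corporate destinations are not exfiltration candidates
        when = date.fromisoformat(row["date"])
        size = int(row["bytes_out"])
        if recent_start < when <= as_of:
            recent[row["user"]] += size
        elif baseline_start < when <= recent_start:
            baseline[row["user"]] += size
    ratios = {}
    for user in set(recent) | set(baseline):
        per_30 = baseline[user] * RECENT_DAYS / BASELINE_DAYS
        if per_30 == 0:
            ratios[user] = float("inf") if recent[user] else 0.0
        else:
            ratios[user] = recent[user] / per_30
    return ratios


def flag_exfil_candidates(log_text: str, as_of: date) -> List[str]:
    """Users whose recent personal-storage uploads are >= SPIKE_FACTOR x baseline."""
    return sorted(user for user, ratio in upload_ratios(log_text, as_of).items()
                  if ratio >= SPIKE_FACTOR)


if __name__ == "__main__":
    for user, ratio in sorted(upload_ratios(SAMPLE_LOG, SAMPLE_AS_OF).items()):
        print(f"{user}: {ratio:.2f}x baseline")
    print("review:", flag_exfil_candidates(SAMPLE_LOG, SAMPLE_AS_OF))
```

Comparing each user against their own history rather than a fixed byte count keeps the check meaningful for roles that legitimately move a lot of data; the large upload to the corporate SharePoint host in the sample is deliberately ignored because the risk the quote describes is data leaving for personal storage.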

Focus on Securing Data

Mohit Tiwari, co-founder and CEO at Symmetry Systems, pointed out that the underlying problem organizations actually care about is securing the data itself.

“That is, to ensure that specific regulated data doesn’t end up in unauthorized applications, and that allowed data in these applications is tightly access-controlled,” he said. “On the plus side, cloud and SaaS services all provide knobs to control access.”

That means a data security service that can overlay data security with features like access control, classification and monitoring across cloud and SaaS-based services could allay security concerns that stem from using modern enterprise tools.

He noted that offboarding employees clearly is a major problem, as well, since their permissions have to be revoked from all services without breaking things (e.g., if the employee was the owner/admin for certain assets).

“This cannot be an HR-only solution. HR teams can take ex-employees off of HR software, such as Workday, but dangling privileges across the rest of the organization and their cloud services requires tools or engineering support to completely remove identities and their permissions—or deactivate them and retain for compliance,” Tiwari said.

Deprovisioning Processes for Data Security

Murray added that, ultimately, data access lies with the service owners and it is their responsibility to ensure that correct processes and procedures are in place for deprovisioning and removing access for departing employees.

“Of course this process should be coordinated across multiple teams including the HR team, the employee’s manager and the IT security team,” he said.

Those teams need to work together to ensure an efficient and automated process is in place using identity and access security solutions, such as privileged access management, that help identify the access the employee has. This can enable an audit, which, once performed, can disable access prior to the employee’s departure.
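The audit Murray describes, together with Tiwari's point that HR systems alone leave "dangling privileges" and that owned assets must be handled before an identity is removed, can be expressed as a cross-check between the HR roster and each service's identity inventory. The script below is an added example, not code from the article or from any vendor named in it: it lists every still-enabled identity belonging to a departed user (privileged ones first) and builds an ordered cleanup plan in which owned assets are transferred to a successor before the identity is disabled and retained. Users, services, assets and successors are all constructed.

```python
# Added example (not from the article or any vendor named in it): an offboarding
# audit that cross-checks the HR roster against per-service identity inventories
# to find dangling access for departed users, then orders the cleanup so that
# assets they own are reassigned before the identity is disabled (disabled, not
# deleted, so the record is retained). All data and service names are constructed.
from typing import Dict, List, Tuple

# Constructed HR roster: the source of truth for employment status.
HR_ROSTER = {"alice": "terminated", "bob": "active",
             "carol": "terminated", "dave": "terminated"}

# Constructed per-service identity inventory.
SERVICE_IDENTITIES = {
    "cloud-iam": [
        {"user": "alice", "enabled": True, "privileged": True,
         "owned_assets": ["prod-backup-bucket"]},
        {"user": "bob", "enabled": True, "privileged": False, "owned_assets": []},
        {"user": "carol", "enabled": False, "privileged": False, "owned_assets": []},
    ],
    "source-control": [
        {"user": "alice", "enabled": True, "privileged": False, "owned_assets": []},
        {"user": "dave", "enabled": True, "privileged": True,
         "owned_assets": ["billing-service-repo"]},
    ],
    "file-sharing": [
        {"user": "carol", "enabled": True, "privileged": False,
         "owned_assets": ["finance-shared-drive"]},
    ],
}

# Constructed successor mapping for owned assets; a missing entry blocks cleanup.
SUCCESSORS = {"prod-backup-bucket": "bob", "finance-shared-drive": "bob"}


def find_dangling_access(roster: Dict[str, str],
                         identities: Dict[str, List[Dict]]) -> List[Tuple[str, str, bool]]:
    """(service, user, privileged) for every enabled identity of a departed user,
    privileged identities first so they are reviewed before anything else."""
    dangling = []
    for service, records in identities.items():
        for rec in records:
            if roster.get(rec["user"]) == "terminated" and rec["enabled"]:
                dangling.append((service, rec["user"], rec["privileged"]))
    return sorted(dangling, key=lambda d: (not d[2], d[0], d[1]))


def plan_cleanup(roster: Dict[str, str], identities: Dict[str, List[Dict]],
                 successors: Dict[str, str]) -> List[str]:
    """Ordered actions per dangling identity: transfer each owned asset to its
    successor, then disable the identity. An asset with no successor yields a
    BLOCKED entry and the identity stays enabled, so nothing silently breaks."""
    actions = []
    for service, records in identities.items():
        for rec in records:
            if roster.get(rec["user"]) != "terminated" or not rec["enabled"]:
                continue
            blocked = False
            for asset in rec["owned_assets"]:
                if asset in successors:
                    actions.append(f"{service}: transfer {asset} from "
                                   f"{rec['user']} to {successors[asset]}")
                else:
                    actions.append(f"{service}: BLOCKED disabling {rec['user']}: "
                                   f"{asset} has no successor")
                    blocked = True
            if not blocked:
                actions.append(f"{service}: disable {rec['user']} (retain record)")
    return actions


if __name__ == "__main__":
    for service, user, privileged in find_dangling_access(HR_ROSTER, SERVICE_IDENTITIES):
        print(f"dangling: {user}@{service}{' [privileged]' if privileged else ''}")
    for step in plan_cleanup(HR_ROSTER, SERVICE_IDENTITIES, SUCCESSORS):
        print(step)
```

Running this against the sample shows the failure mode Tiwari describes: carol is already disabled in the cloud IAM service but still owns a shared drive elsewhere, and dave's repository has no successor, so the plan refuses to disable him until someone decides who takes it over.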

Joseph Carson, chief security scientist and advisory CISO at Thycotic Centrify, noted the shift to a hybrid work environment last year meant that security needed to evolve from being perimeter- and network-based, to focus on cloud, identity and privileged access management.

“Organizations must continue to adapt and prioritize managing and securing access to the business applications and data, such as that similar to the BYOD types of devices, and that means further network segregation for untrusted devices that are still secured with strong privileged access security controls to enable productivity and access,” he said.

Organizations are looking to a zero-trust strategy to help reduce the risks resulting from a hybrid working environment.

“This means to achieve a zero-trust strategy, organizations must adapt the principles of least privilege,” he said. “This enables organizations to better control user and application privileges, elevating only authorized users.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
