Cloud-based infrastructure is clearly the gold standard today and the way of the future, with 77% of enterprises having a minimum of one application or part of their enterprise computing infrastructure in the cloud. But the reality is that most companies—especially large enterprises—will be running their infrastructure on a hybrid model of on-premise and cloud (private and/or public) for the foreseeable future.
Accepting the reality of a hybrid computing paradigm is key to building a security program that actually works. In particular, it’s important to recognise that insider threats take on different guises in the cloud vs. on-prem worlds. Additionally, as infrastructure becomes more complex and diverse, insiders’ identities and credentials multiply, which can make it hard for security teams to keep tabs in a centralised manner.
Today, a successful insider threat program is one that can identify and stop risky behaviour, whether it takes place on an endpoint, on a local network, in the public cloud, or anywhere else.
Let’s take a look at what organisations need to understand about hybrid computing to protect against insider threats.
New Avenues for Insider Threats in the Cloud
The cloud brings many benefits to organisations, ranging from rapid scalability to cost savings. However, by its nature, the cloud also opens up far more vectors for accessing data and thus more opportunities for insider threat incidents to take place.
The cloud has also, in many ways, made it easier than ever for organisations to use third-party contractors to get work done, which has led to an increase in this practice. For example, organisations can now bring contract MSSPs into a shared SIEM portal, just as they would an employee. While using contract labor can be a very smart business move, it also means there is a larger pool of people who can potentially become insider threats. Many of these contractors may be privileged users, with administrative credentials that give them access to sensitive parts of the company infrastructure.
The good news is that public cloud providers have done an excellent job documenting their security and compliance measures and offering a wide range of tools to help organisations lock down their infrastructure against insider threats. To take advantage of the cloud without opening your organisation up to new insider threats, though, it’s important to understand two key principles.
Principle 1: Shared Responsibility
Organisations must buy into the shared responsibility model when it comes to the cloud. The basic idea is this: Public cloud providers like AWS and Azure are responsible for the security of the cloud, while organisations are responsible for security in the cloud.
In other words, it is up to you to make sure you implement security measures like encryption and access and authentication controls to protect your data and applications in the cloud. As long as you take these measures, there is no reason why you can’t store sensitive data in the cloud.
Principle 2: Least Privilege
On a related note, one of the best ways to mitigate insider threat risk is to employ the principle of least privilege. This means that insiders—ranging from employees to third-party contractors—should only have as much access as they need to complete their work and no more.
In some cases, this may mean granting temporary access and revoking it in a timely manner. Least privilege can be a helpful principle for on-prem security as well, but it’s particularly important in the cloud, where leaving infrastructure access wide open doesn’t just mean any employee or contractor can get to it—it may mean anyone can get to it.
Consolidating Identity Across Infrastructure
One of the biggest challenges of running a hybrid computing infrastructure is that it can be difficult for security teams to tell who is who across on-prem and cloud-based applications. For this reason, hybrid infrastructure often results in significant “blind spots” for security. This can make it difficult to identify when, for example, an employee is abusing privileges and represents an insider threat.
Implementing a central identity management platform can create a unified identity across on-prem and cloud for each user, which increases visibility for security organisations and makes it possible to understand who is who across the organisation. This can also help security build the documentation and proof they need if, for example, a user takes rogue action that may represent an insider threat.
Once it is possible to understand “who’s who” across a hybrid infrastructure, the focus for insider threat detection should move to user activity and data movement, which we’ll discuss below.
A Hybrid, Cloud-Friendly Approach to Insider Threat Management
User activity monitoring and data activity monitoring are the best ways to monitor and capture key data and context about insider threat incidents, no matter where suspicious activity is taking place. Focusing on user and data activity means you are agnostic to where the activity happens.
Security teams should be able to track and alert on file movement across local folders and cloud-based storage services, as well as removable media, since users will often move data across these sources when attempting data exfiltration. Additionally, security analysts and investigators should be able to capture all user behaviour and quickly build context around any incident that takes place.
Proofpoint’s insider threat platform monitors and captures key data about insider threat incidents, whether they take place on-premise or in the cloud. Proofpoint monitors user sessions (including screen, mouse, and keyboard activity, as well as local and remote logins) and transmits captured data in real time, so security analysts can document insider threat incidents and HR, legal, and other stakeholders can take action in a timely manner.
Hybrid computing is the reality today, and likely will be for a long time to come. Organisations must take this reality into account when building an insider threat program to decrease their risk of costly insider threat incidents.