The Missing Piece in Cloud App Security

You can’t defend against what you can’t see. With the widespread adoption of cloud applications, user activity is harder to track. Consequently, many organizations are looking for ways to increase visibility into how users are using applications and the data within them.

Mike Mason

March 31, 2019

6 Min Read
The Missing Piece in Cloud App Security

As the economy improves, the workforce becomes more mobile. It has become quite common for employees to take more than their potted plants with them when they leave. They take confidential company data, too – and the majority see nothing wrong with it, even though it is a criminal offense. Failing to properly secure this data leaves companies open to the loss of customers and competitive advantage.

Organizations can increase trust by driving bad actors out and improving their overall security posture if they have better visibility into insider threats,. Below are the top five events that organizations monitor cloud applications for and how they can help to promote good security hygiene within a company.

1. Exported data

Users can run reports on nearly anything within Salesforce, from contacts and leads to customers. Employees can extract large amounts of sensitive data from Salesforce and other cloud applications by exporting reports. And those reports can be exported for easy reference and analysis.

This is a helpful feature for loyal employees, but in the hands of others, such data extractions can make a company vulnerable to data theft and breaches. Departing employees may choose to export a report of customers, using the list to join or start a competitive business.

Companies are not helpless, though. Organizations can monitor for exports to:

-- Protect sensitive customer, partner and prospect information, increasing trust with your customers and meeting key regulations and security frameworks (e.g., PCI-DSS).

-- Easily detect team members who may be stealing data for personal or financial gain and stop the exfiltration of data before more damage occurs.

-- More quickly spotting and remediating the activity, reducing the cost of a data breach.

-- Spot possible instances of compromised credentials and deactivate compromised users.

2. Who is running reports

While organizations focus most of their attention on which reports are being exported, simply running a report could create a potential security issue. The principle of least privilege dictates that people only be given the minimal amount of permissions necessary to complete their job – and that applies to data that can be viewed. But many companies grant broad access across the organization, even to those whose job does not depend on viewing specific sensitive information.

By paying attention to top report runners, report volume and which reports have been run, you can track instances where users might be running reports to access information that’s beyond their job scope. Users may also be running – but not necessarily exporting – larger reports than they normally do or than their peers do.

In addition, you can monitor for personal and unsaved reports, which can help close any security vulnerability created by users attempting to exfiltrate data without leaving a trail. Whether it’s a user who is attempting to steal the data, a user who has higher access levels than necessary, or a user who has accidentally run the report, monitoring for report

access will help you spot any additional security gaps or training opportunities.

3. Location and identity of logins

You can find some hidden gems of application interaction by looking at login activity. Terminated users who have not been properly deprovisioned may be able to gain access to sensitive data after employment, in the case of a departed employee, or at the end of a contract with a third party. Login activity can also tell you a user’s location, hours, devices and more – all of which can uncover potential security incidents, breaches or training opportunities.

By monitoring for inactive users logging in, then, companies can protect data from theft by a former employee or contractor. Login activity can also tell you whether employees are logging in after hours or from a remote location. This may be an indicator of an employee working overtime -- but it may also be a red flag for a departing employee, logging in after hours to steal data, or of compromised credentials.

4. Changes to profiles and permissions

There are profiles and permissions within cloud applications that regulate what a user can and cannot do. For example, in Salesforce, every user has one profile but can have multiple permissions sets. The two are usually combined by using profiles to grant the minimum permissions and access settings for a specific group of users, then permission sets to grant more permissions to individual users as needed. Profiles control object, field, app and user permissions; tab settings; Apex class and Visualforce page access; page layouts; record types; and login hours and IP ranges.

Permissions for each application vary at each organization. In some companies, all users enjoy advanced permissions; others use a conservative approach, granting only the permissions that are necessary for that user’s specific job roles and responsibilities. But with over 170 permissions in Salesforce, for instance – and hundreds or thousands of users – it can be difficult to grasp the full scope of what your users can do in that application.

5. Creating or deactivating users

Managing users including being able to create and deactivate their accounts. Organizations can monitor for deactivation – which, if not done properly after an employee leaves the organization, may result in an inactive user gaining access to sensitive data or an external attacker gaining hold of their still-active credentials. For this and other cloud applications, a security issue may also arise when an individual with administrative permissions creates a “shell,” or fake user, under which they can steal data. After the fact, they can deactivate the user to cover their tracks.

Monitoring for user creation is another way that security teams watch for any potential insider threats. And by keeping track of when users are deactivated, you can run a report of deactivated users within a specific time frame and correlate them with your former employees (or contractors) to ensure proper deprovisioning. Monitoring for creation and/or deactivation of users is also required by regulations like SOX and frameworks like ISO 27001.

Monitor for greater insight

You can’t defend against what you can’t see. With the widespread adoption of cloud applications, businesses are seeing an enormous uptick in user activity that is simultaneously harder to keep track of. Consequently, many organizations are looking for ways to increase visibility into how users are using these applications and the data within them. Monitoring the specific activities detailed above will help organizations increase visibility and keep data safe and secure.


About the Author(s)

Mike Mason

Mike Mason is General Manager, Cloud Security at FairWarning.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights