Security professionals would be remiss to neglect the human element of data security, a veritable chink in the security armor of every organization. Cloud services have magnified the potential consequences of user error or malice by facilitating the movement of data into and out of the enterprise. Take the case of the hapless employee who accidentally uploaded confidential customer data to Facebook. With one wrong click your security efforts could be in vain. Of course, accidental data leakage is the bright side of this story. The security team’s worst nightmare is the rogue insider.

Cloud services have vastly expanded the scope of insider threat. The sheer number of cloud applications (over 9,000) and immature auditing and governance controls relative to on-premise applications result in a broad range of vectors for data exfiltration. Furthermore, enterprises leave a certain amount of liability in the hands of cloud service providers, who must protect corporate data from malicious actors within their own organizations. In other words, there are more vectors to access data and it is easier to remove data from the corporate environment.

The exfiltration of data in an insider threat event can be a low technology endeavor, requiring only rote usage of available services. Data leakage occurs through the same actions employees do any given day to get their jobs done: downloading data from and uploading data to cloud services. When you think of insider threats, you probably worry about headline-grabbing incidents in which whistle blowers expose data to the media, as in the case of Edward Snowden. The reality is that the bulk of insider threats fly under the radar: While only 17% of security professionals were aware of an insider threat within their organization in the past year, usage data from Skyhigh’s latest Cloud Adoption and Risk Report revealed anomalous activity indicative of insider threat in 85% of organizations.

How then can companies detect and neutralize insider threat incidents? Organizations can leverage the latest advancements in big data analytics to gain an edge on rogue insiders relying on cloud services. General user analytics tools focus on correlating data across multiple sources, a process that is expensive, time-consuming, and requires intensive custom integration between data sources. Analysis of cloud traffic, on the other hand, offers stronger signals of insider threat that can cut through the noise of general usage. Machine-learning algorithms look for a range of behaviors unique to cloud services that have a high correlation with insider threat. Read on to acquaint yourself with the different types of rogue insiders and learn how organizations can use cutting-edge data-analysis tools to detect them.

The Salesperson Jumps Ship

In what must be the most common insider threat scenario, a sales representative leaves the company for a competitor, taking sales opportunities with him. Concern over defectors leaving with data is prevalent in organizations of all industries and sizes, especially in competitive markets. Stealing customer data and leads is not only difficult to detect because it occurs on sanctioned corporate applications, but it is also incredibly detrimental to the business.

Cloud services have made this type of event unrecognizable compared with the classic theft of a physical stack of leads, à la “Glengarry Glen Ross.” Salesforce makes a huge database of leads accessible to employees at the click of a button. The challenge for enterprises, which may have thousands of Salesforce users logging in each day, is identifying unusual, anomalous activity against a background of typical everyday activity.

Today’s most advanced machine-learning algorithms address this age-old dilemma. Analysis of audit logs for activity in a service such as Salesforce will compare data traffic with normal usage. When a sales representative downloads all leads from Salesforce, activity monitoring will detect divergence from normal application usage in terms of download size and send a notification of high-risk behavior.
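The baseline comparison described above, sketched as an added example (not Skyhigh's code and not a real Salesforce log format). The event tuples, the function names, the median/MAD scoring and the thresholds are all assumptions chosen for illustration; users with too little history are scored against the pooled history of their peers.

```python
from collections import defaultdict
from statistics import median

# Constructed audit events: (user, day, records_exported). Not a real log format.
EVENTS = (
    [("alice", f"2024-03-0{d}", n) for d, n in zip(range(1, 7), (40, 55, 38, 60, 47, 52))]
    + [("bob", f"2024-03-0{d}", n) for d, n in zip(range(1, 7), (120, 110, 130, 125, 118, 122))]
    + [("carol", "2024-03-06", 30)]         # new hire, one day of history
    + [("alice", "2024-03-07", 48000),      # bulk export of the lead database
       ("bob", "2024-03-07", 135),          # busy but ordinary day
       ("carol", "2024-03-07", 5000)]
)

def daily_totals(events):
    """Sum exported records per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, count in events:
        totals[user][day] += count
    return totals

def robust_score(history, value):
    """Distance from the median in MAD units, so past outliers barely move the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad or max(1.0, 0.1 * med)  # fallback when history is flat
    return (value - med) / scale

def flag_exports(events, today, threshold=6.0, min_history=5):
    """Return (user, volume, score) for users whose volume today diverges from baseline."""
    totals = daily_totals(events)
    pooled = [v for days in totals.values() for d, v in days.items() if d < today]
    alerts = []
    for user, days in totals.items():
        history = [v for d, v in days.items() if d < today]
        if len(history) < min_history:
            history = pooled                # thin baseline: compare against peers
        if not history:
            continue                        # nothing to compare against yet
        volume = days.get(today, 0)
        score = robust_score(history, volume)
        if score >= threshold:
            alerts.append((user, volume, round(score, 1)))
    return sorted(alerts, key=lambda a: -a[2])

if __name__ == "__main__":
    for alert in flag_exports(EVENTS, "2024-03-07"):
        print(alert)
```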

Abuse of Power: When Admins Go Rogue

Employees at all levels of an organization rely on cloud services to do their jobs, including the C-suite. Privileged users, however, have unique authority: administrative access to data housed in a cloud service.

The administrator for a cloud-based storage service can access executive-only financial projections and conduct insider trading with the confidential information. What’s the worst-case scenario? Hosting service Code Spaces was forced to go out of business when an attacker gained access to their Amazon Web Services (AWS) control panel and deleted customer data and backups. A disgruntled employee with access to the control panel of a cloud service such as AWS could easily replicate this episode. Cloud services can broaden the scope of an administrator’s reach; he or she may have access to data belonging to offices across the globe.

Service action monitoring is the first line of defense here. Mapping activity on administrative applications to anomaly detection offers a strong correlation to insider threat, enabling prompt remediation.

Danger from the Cloud Provider

Insider threat is typically discussed in the context of enterprise employees, but cloud service provider employees present another vector for the exfiltration of data from within. Take, for example, a cloud service used internally by Human Resources. An employee of the cloud service provider has access to sensitive corporate data hosted in that service. Unless data is encrypted with customer-managed keys, he can download and sell identity credentials or intellectual property belonging to the enterprise customer. Depending on the user agreement, the cloud service provider may not even be liable for lost data. This scenario goes to show that enterprise cloud use assumes a certain level of trust in the security controls of the service provider, protecting from external and internal threats.

This particular scenario poses a more complex prevention challenge because companies do leave certain security controls in the hands of service providers. This risk factor makes the argument for organizations to hold cloud service providers to higher security standards, specifically auditing of administrator logins and legal liability for client data. The number of Enterprise-Ready services increased from 343 in Q2 to 429 in Q3, demonstrating that security-minded service providers are popping up to answer the need for secure options. Cloud risk registries and initiatives to identify the risk ratings of cloud services such as Skyhigh’s CloudTrust Program offer incentive for providers to invest in security controls.

The Virtual Globetrotter

Cloud services enable worldwide collaboration, but the same trait allows data to wander where it shouldn’t. In a famous episode of unprecedented audacity, a developer at an unnamed company outsourced his own job to a Chinese counterpart. He paid a worker in China to complete his assignments and kept the margin. Legality aside, the creatively devious workflow obviously exposed his employer to an array of security concerns, as corporate data was openly shared with a third-party.

Cloud services enable worldwide collaboration. Visibility into the geographic flow of traffic can be an obvious indicator of fishy behavior. In this scenario, the illicit arrangement was foiled when a security team noticed VPN access from China. Similarly, IT might notice access to data housed in a cloud service coming from a location that should not need to use that service. If an organization with offices in the US, Canada, and the UK sees a login to a corporate Box account from Russia, then they have an inkling something suspicious has transpired with that account. Alternatively, an account that accesses a service from different locations within a limited timeframe will set off an alert for a compromised account.
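Both geographic checks from this section, as an added example rather than code from the article or from Skyhigh: a login from outside the countries where the organization has offices, and two logins by one account that are too far apart for the elapsed time. The login records, the 900 km/h speed ceiling and the 100 km jitter floor are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EXPECTED_COUNTRIES = {"US", "CA", "GB"}  # office locations from the article's example
MAX_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MIN_KM = 100.0    # assumed floor, ignores GeoIP jitter between nearby points

LOGINS = [  # constructed: (user, ISO time, country, lat, lon)
    ("dana", "2024-03-08T09:00:00", "US", 40.71, -74.01),    # New York
    ("dana", "2024-03-08T17:30:00", "GB", 51.51, -0.13),     # London, 8.5 h later
    ("erin", "2024-03-08T10:00:00", "CA", 43.65, -79.38),    # Toronto
    ("erin", "2024-03-08T10:45:00", "RU", 55.76, 37.62),     # Moscow, 45 min later
    ("finn", "2024-03-08T12:00:00", "US", 37.77, -122.42),
    ("finn", "2024-03-08T12:00:00", "US", 37.77, -122.42),   # same instant, same place
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def geo_alerts(logins):
    """Return (user, time, reason) for unexpected countries and impossible travel."""
    alerts, last = [], {}
    for user, ts, country, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if country not in EXPECTED_COUNTRIES:
            alerts.append((user, ts, "unexpected_country"))
        if user in last:
            prev_when, prev_lat, prev_lon = last[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # hours is 0 for simultaneous sessions; far-apart ones are still impossible
            if km > MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                alerts.append((user, ts, "impossible_travel"))
        last[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in geo_alerts(LOGINS):
        print(alert)
```

The New York to London pair is not flagged because the implied speed is within reach of a commercial flight; corporate VPN egress points would need to be allow-listed before relying on the speed check.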

Shady Services Stand Out

Some cloud services flat-out mean trouble for businesses. Violating company cloud usage policies constitutes another type of insider threat, and can range in severity from illicit Facebook use to illegal file sharing. On the more drastic side of the spectrum is the employee who uploads data to a development site such as CodeHaus, which claims ownership of uploaded intellectual property in its user agreement terms. The infamous worst cloud user in the world used 182 high-risk cloud services at work, uploading 9.3GB to code-sharing site SourceForge and 3GB to file-sharing site ZippyShare. Sending data to these services may have legal ramifications and even hurt the business if sensitive intellectual property is leaked.

Fortunately, cloud service attributes offer one of the most accurate metrics for detecting insider threat. The aforementioned incident occurred at a large financial services organization. Security teams detected the uploads to CodeHaus because the service violated corporate legal policies for intellectual property, accounting for high probability of a rogue user. Another common vector for detection is called service knocking. If an insider makes multiple failed attempts to access a blocked file-sharing service, a red flag will be raised. These cases are perfect examples of the fact that, while cloud services enable this method of exfiltration, analysis of cloud traffic offers highly correlative data for detecting insider threat incidents.
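A sliding-window detector for the service knocking pattern described above, as an added example that is not taken from the article or any vendor product. The proxy log format, the `file-sharing` category label, the `.example` hostnames and the thresholds are constructed assumptions, and the log is assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed proxy log (assumed format): time user action category host
LOG = """\
2024-03-08T09:00:00 hank DENIED file-sharing share.example
2024-03-08T11:00:00 hank DENIED file-sharing share.example
2024-03-08T13:00:00 hank DENIED file-sharing share.example
2024-03-08T14:00:05 gina DENIED file-sharing share.example
2024-03-08T14:00:40 gina DENIED file-sharing share.example
2024-03-08T14:01:10 gina DENIED file-sharing drop.example
2024-03-08T14:01:15 ivan ALLOWED crm crm.example
2024-03-08T14:02:30 gina DENIED file-sharing share.example
garbled line
2024-03-08T15:00:00 hank DENIED file-sharing share.example
"""

def knocking_alerts(log, window=timedelta(minutes=10), min_denied=4):
    """Map each user with >= min_denied blocked attempts inside one window
    to the sorted list of blocked hosts they tried."""
    recent = defaultdict(deque)   # user -> (time, host) of denials still in the window
    alerted = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines instead of failing the run
        ts, user, action, category, host = parts
        if action != "DENIED" or category != "file-sharing":
            continue
        when = datetime.fromisoformat(ts)
        attempts = recent[user]
        attempts.append((when, host))
        while when - attempts[0][0] > window:
            attempts.popleft()    # drop denials that have aged out of the window
        if len(attempts) >= min_denied and user not in alerted:
            alerted[user] = sorted({h for _, h in attempts})
    return alerted

if __name__ == "__main__":
    print(knocking_alerts(LOG))
```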

The Cloud’s Silver Lining

The cloud has certainly exposed businesses to new risks, and the realm of insider threat is no exception. The same area, however, is also the perfect example of the power of security capabilities unique to cloud services. False alerts and information overload constitute key challenges for security teams. Analysis of cloud traffic can actually help organizations weave through an overwhelming amount of usage data and arrive at metrics highly correlative to insider threat. While the cloud facilitates several insider threat nightmares, it also represents the cutting edge of defense against this classic security vulnerability.