Once upon a time there was a critical infrastructure facility. The facility possessed state-of-the-art IT, OT and IoT security systems. It also met all the highest levels of security standards, from ISO to CISA to NERC CIP. One day, the maintenance man happened to be the last to leave. He forgot to lock the back door. So much for all the high-end security.
When it comes to security systems - and SaaS data security is no exception - human end users with their human fallibility are often the weakest link.
Human fallibility is even more of a factor in SaaS data security than in many other areas of enterprise information security because of the broad access end users have to sensitive SaaS data assets.
In this post, we deal with three types of danger to your SaaS security presented by the “end user factor,” along with practical approaches for mitigation.
Anyone who enjoys some level of trust when it comes to your company assets and internal network is a potential source of risk. While the threat can stem from malicious intent or unintentional negligence, negligence is much more common, embodied either by employees who are unaware of security best practices or who think that security best practices don’t apply to them.
Examples of SaaS data security insider threats brought about unintentionally include:
Three avenues for mitigation of unintentional insider threats to SaaS data security are:
Let’s go through those one by one:
MFA enhances security by requiring multiple forms of verification before granting access. It significantly reduces the risk of unauthorized access, as even if a bad actor discovered one method of verification (such as a user password), it is much less likely that they also have access to another method (such as a security token sent via the user’s phone or email).
A CASB is a security policy enforcement solution for data moving through cloud applications. CASBs secure your SaaS data by monitoring user access and behavior and protecting against data exfiltration or exposure. When set with the relevant security policies, a CASB can detect risky actions such as sharing with personal email addresses or making sensitive information publicly accessible, and either alert or remediate.
The most effective way to prevent insider threats caused by negligence is to heighten end user awareness of SaaS data security standards. Education programs are one popular way of doing this, but even more effective is education in real time, as a risky action is performed. Using this approach, a user attempting to share a SaaS asset with a personal email address, or to post an encryption key to a Slack channel, would receive a message informing them of and explaining the issue, and requesting them to remediate. A CASB is often the tool of choice for this end user involvement.
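As an added illustration of the CASB-style detection and real-time user education described above (example code written for this post, not DoControl's product; the corporate domain, the personal-webmail list and the sample events are constructed assumptions), here is a small policy evaluator that flags sharing with a personal email address, public link exposure and a private key posted to a chat channel, and builds the message the user would receive at that moment:

```python
import re
from dataclasses import dataclass
CORP_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# Constructed allowlist of consumer webmail domains treated as "personal email addresses".
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
# Header of a PEM-encoded private key, the kind of secret the post says gets pasted into Slack.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

@dataclass
class Event:
    actor: str   # user performing the action, e.g. "alice@example.com"
    action: str  # "share" (grant to a person), "link" (change link visibility) or "message" (chat post)
    target: str  # recipient address, link visibility ("public"/"restricted") or message text
    asset: str   # file name or channel name

# What the user sees the moment the risky action happens: the issue and what to do about it.
REMEDIATION = {
    "share-to-personal-email": "'{asset}' was shared with {target}, a personal email address. Please remove this recipient.",
    "public-link": "'{asset}' is now open to anyone with the link. Please restrict it to named people or {corp}.",
    "secret-in-chat": "A private key was posted in #{asset}. Please delete the message and rotate the key.",
}

def evaluate(event: Event) -> "str | None":
    """Return the name of the policy the event violates, or None if it is allowed."""
    if event.action == "share":
        domain = event.target.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            return "share-to-personal-email"
    elif event.action == "link" and event.target == "public":
        return "public-link"
    elif event.action == "message" and PRIVATE_KEY_RE.search(event.target):
        return "secret-in-chat"
    return None

def triage(events):
    """Run each event through the policies; return (actor, policy, message) per violation."""
    findings = []
    for ev in events:
        policy = evaluate(ev)
        if policy:
            msg = REMEDIATION[policy].format(asset=ev.asset, target=ev.target, corp=CORP_DOMAIN)
            findings.append((ev.actor, policy, msg))
    return findings

SAMPLE_EVENTS = [  # constructed: three risky actions and one legitimate partner share
    Event("alice@example.com", "share", "alice.home@gmail.com", "Q3 forecast.xlsx"),
    Event("bob@example.com", "share", "pm@partner.example", "Project plan.docx"),
    Event("carol@example.com", "link", "public", "Customer list.csv"),
    Event("dave@example.com", "message", "prod key: -----BEGIN RSA PRIVATE KEY----- MIIE...", "ops"),
]
```

Sharing with a partner's business domain is deliberately not flagged: the policy targets personal addresses, not external collaboration as such.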
While employee negligence caused by ignorance or arrogance is the most common manifestation of insider threat, there are certainly cases of intentional bad action motivated by greed or spite. One example is departing employees who take information that will give their new company a competitive advantage; another is employees who leave with negative feelings and the desire to “take revenge.”
These actions can even be taken by employees who left some time ago, but whose access to company SaaS assets was never taken away. (One of our clients had a former employee access company SaaS assets two years after his termination date!)
Three avenues for mitigation of intentional insider threats to SaaS data security are:
Let’s examine those one by one:
When it comes to departing employees, your detection should be more sensitive to external sharing and asset downloading. To achieve this sensitivity, the CASB or other SaaS data security system you use to monitor user behavior must include employee status and departure dates. Ideally your system should integrate with your HR information system, so that a change in employee status automatically puts your SaaS data security system on the lookout.
Revoking access should be an obvious action to take when employees depart the company. Without an effective process, however, former employees are often left with access to company data. In a recent analysis we conducted of DoControl client data, 90% of companies had former employees who accessed assets stored in SaaS applications after they left the company.
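An added example (not DoControl's code) of the HR-integrated detection the two points above call for: SaaS audit-log activity is joined to an HR feed so that external shares and bulk downloads by departing employees are flagged, any activity after a termination date is escalated, and terminated users still on the application's access list are reported as offboarding gaps. The employee records, activities and download thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Employee:
    email: str
    status: str                           # "active", "departing" or "terminated", from the HR system
    departure_date: "date | None" = None  # last working day, if known

@dataclass
class Activity:
    actor: str
    action: str  # "external_share", "download" or "view", from the SaaS app's audit log
    asset: str
    when: date

DOWNLOAD_LIMIT = {"active": 25, "departing": 5}  # constructed: departing users get a far lower budget
def review(employees, activities):
    """Join SaaS activity to HR status and return (actor, severity, reason) findings."""
    hr = {e.email: e for e in employees}
    findings, downloads = [], {}
    for a in activities:
        emp = hr.get(a.actor)
        if emp is None: continue  # no HR record at all; out of scope for this example
        if emp.status == "terminated" and emp.departure_date and a.when > emp.departure_date:
            days = (a.when - emp.departure_date).days
            findings.append((a.actor, "critical", f"{a.action} of {a.asset} {days} days after termination"))
        elif a.action == "external_share" and emp.status == "departing":
            findings.append((a.actor, "high", f"external share of {a.asset} by departing employee"))
        elif a.action == "download":
            downloads[a.actor] = downloads.get(a.actor, 0) + 1
    for actor, n in downloads.items():  # apply the status-dependent download budget
        limit = DOWNLOAD_LIMIT.get(hr[actor].status, DOWNLOAD_LIMIT["departing"])
        if n > limit:
            findings.append((actor, "medium", f"{n} downloads exceed the limit of {limit} for a {hr[actor].status} user"))
    return findings

def offboarding_gaps(employees, users_with_access):
    """Terminated employees who still appear in the SaaS application's user or ACL list."""
    return sorted(e.email for e in employees if e.status == "terminated" and e.email in users_with_access)

EMPLOYEES = [Employee("alice@example.com", "active"), Employee("bob@example.com", "departing", date(2024, 2, 29)),
             Employee("carl@example.com", "terminated", date(2022, 1, 14))]  # constructed HR feed
ACTIVITIES = [  # constructed audit log: eight downloads by bob, one view by long-departed carl
    Activity("alice@example.com", "external_share", "Proposal.docx", date(2024, 2, 5)),
    Activity("bob@example.com", "external_share", "Customer list.csv", date(2024, 2, 5)),
    *[Activity("bob@example.com", "download", f"deal-{i}.pdf", date(2024, 2, 6)) for i in range(8)],
    Activity("carl@example.com", "view", "Pricing.xlsx", date(2024, 1, 16)),
]
```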
Sometimes it is a current (not departing) employee who seeks to cause damage to the company. In order to distinguish between SaaS data sharing, access or exposure that is normal in the course of business (the ease of collaboration, after all, is why organizations use SaaS in the first place!) and that which is suggestive of threat, it is important to factor in the business context of the action. This analysis - ideally performed by automated systems for the sake of scalability - would take into account typical behavior for an end user in this department, with this HR profile and with this type of asset.
If an automated or even a manual analysis cannot provide the business context, SaaS data security teams should leverage direct communication with the end user. What was the purpose of your sharing this asset? Why do these parties need the access you gave them? Business context that comes directly from the end user enables security teams to decide on the right remediation path. This is true for both intentional and unintentional insider threats.
Employees are not the only ones with access to your SaaS data assets. Partners, vendors, suppliers and contractors may all have SaaS asset access. Since these third parties are not within your organization, however, many internal security controls (e.g. Google Drive information rights management settings, end user sharing warnings) will not apply to them once they have been given access to the information. This makes it all the easier for them to create risky SaaS data exposure situations, like sharing with their own external contractors. In our recent analysis of DoControl client data, we found that over the course of 2023 third-party insiders shared an average of 3,003 assets with fourth parties.
Two avenues for mitigation of third-party carelessness threats to SaaS data security are:
Let’s examine those one by one:
SaaS assets that are both externally shared and stale (i.e. have not been accessed for 90 days or more) create an unnecessary attack surface. Any stale assets should automatically have any external access permissions revoked.
Did your third-party contractor share your sensitive document with a fourth party? And the fourth party with a fifth? Tracking the continued sharing of and interaction with SaaS assets that have been externally exposed is critical to ensure that your data stays protected.
To be implemented at scale, both of the above mitigation approaches would usually fall within the domain of a CASB.
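An added example (written here, not part of the post or of any CASB product) of the two sweeps above: it finds externally shared assets untouched for 90 days or more and revokes their external access, and it walks the share graph to count how many external hands an asset has passed through, so fourth- and fifth-party recipients stand out. The corporate domain, the sample assets and the sweep date are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
STALE_AFTER = timedelta(days=90)  # the post's threshold: not accessed for 90 days or more
CORP_DOMAIN = "example.com"       # assumption: the organization's own mail domain

@dataclass
class Asset:
    name: str
    owner: str
    last_accessed: date
    shares: list = field(default_factory=list)  # (sharer, recipient) edges from the sharing log

def is_external(email: str) -> bool:
    return not email.lower().endswith("@" + CORP_DOMAIN)

def external_recipients(asset: Asset) -> list:
    return sorted({r for _, r in asset.shares if is_external(r)})

def stale_external(assets, today: date) -> list:
    """Names of assets that are externally shared AND untouched for STALE_AFTER or longer."""
    return [a.name for a in assets
            if external_recipients(a) and today - a.last_accessed >= STALE_AFTER]

def revoke_external(asset: Asset) -> list:
    """Drop every share edge whose recipient is outside the company; return who was revoked."""
    revoked = external_recipients(asset)
    asset.shares = [(s, r) for s, r in asset.shares if not is_external(r)]
    return revoked

def party_level(asset: Asset) -> dict:
    """External hands the asset passed through per recipient: 1 = third party, 2 = fourth party, ..."""
    level = {asset.owner: 0}
    changed = True
    while changed:  # relax edges until no level improves; sharing graphs are small
        changed = False
        for s, r in asset.shares:
            if s in level:
                cand = level[s] + (1 if is_external(r) else 0)
                if cand < level.get(r, float("inf")):
                    level[r], changed = cand, True
    return level

def downstream_exposure(asset: Asset, min_level: int = 2) -> dict:
    """External recipients the owner never shared with directly (fourth parties and beyond)."""
    return {r: lv for r, lv in party_level(asset).items() if is_external(r) and lv >= min_level}

TODAY = date(2024, 1, 15)  # constructed sweep date
CONTRACT = Asset("Contract.docx", "alice@example.com", date(2023, 10, 1), [  # constructed: re-shared down a chain
    ("alice@example.com", "bob@vendor.example"), ("bob@vendor.example", "carl@subcontractor.example"),
    ("carl@subcontractor.example", "dana@freelance.example")])
BUDGET = Asset("Budget.xlsx", "alice@example.com", date(2024, 1, 2), [("alice@example.com", "pm@partner.example")])
```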
Human end users can be both the weak link that causes a SaaS data breach - and the proactive protection that upholds your SaaS data security. The right combination of automated monitoring and remediation solutions along with end user education and empowerment has the potential to create powerful SaaS data protection synergy.