Once upon a time there was a critical infrastructure facility. The facility possessed state-of-the-art IT, OT and IoT security systems. It also met all the highest levels of security standards, from ISO to CISA to NERC CIP. One day, the maintenance man happened to be the last to leave. He forgot to lock the back door. So much for all the high-end security.
When it comes to security systems - and SaaS data security is no exception - human end users with their human fallibility are often the weakest link.
Human fallibility is even more of a factor in SaaS data security than in many other areas of enterprise information security because of the broad access end users have to sensitive SaaS data assets.
In this post, we deal with three types of danger to your SaaS security presented by the “end user factor,” along with practical approaches for mitigation.
Unintentional insider threats: ignorance and arrogance
Anyone who enjoys some level of trust when it comes to your company assets and internal network is a potential source of risk. While the threat can stem from malicious intent or unintentional negligence, negligence is much more common, embodied either by employees who are unaware of security best practices or who think that security best practices don’t apply to them.
Examples of SaaS data security insider threats brought about unintentionally include:
- making company SaaS assets publicly accessible
- sharing company SaaS assets with a personal email account
- falling for a phishing scam and giving away login information
- putting encryption keys or other access tokens into Slack
Three avenues for mitigation of unintentional insider threats to SaaS data security are:
- Mandating MFA (multi-factor authentication)
- Implementing a CASB (cloud access security broker)
- End user education
Let’s go through those one by one:
Mandating MFA (multi-factor authentication)
MFA enhances security by requiring multiple forms of verification before granting access. It significantly reduces the risk of unauthorized access, as even if a bad actor discovered one method of verification (such as a user password), it is much less likely that they also have access to another method (such as a security token sent via the user’s phone or email).
Implementing a CASB (cloud access security broker)
A CASB is a security policy enforcement solution for data moving through cloud applications. CASBs secure your SaaS data by monitoring user access and behavior and protecting against data exfiltration or exposure. When set with the relevant security policies, a CASB can detect risky actions such as sharing with personal email addresses or making sensitive information publicly accessible, and either alert or remediate.
End user education
The most effective way to prevent insider threats caused by negligence is to heighten end user awareness of SaaS data security standards. Education programs are one popular way of doing this, but even more effective is education in real time, as a risky action is performed. Using this approach, a user attempting to share a SaaS asset with a personal email address, or to post an encryption key to a Slack channel, would receive a message informing them of and explaining the issue, and requesting them to remediate. A CASB is often the tool of choice for this end user involvement.
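The three mitigations above come together in a policy engine that inspects each SaaS event as it happens and decides whether to educate the user, alert the security team, or remediate automatically. The following is an added illustration written for this post, not DoControl's product code or any vendor's API; the event shape, the corporate and personal mail domains, the sensitivity labels and the secret patterns are all assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical organisation: mail at these domains is internal, anything else is external.
CORPORATE_DOMAINS = {"example.com"}
# Consumer mailbox providers, the usual destination of "share it to myself" mistakes.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
# Credential shapes that should never be pasted into chat (constructed, deliberately minimal).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    event_id: str
    rule: str
    severity: str
    action: str   # "educate" (message the user), "alert" (notify security), "remediate" (auto-fix)
    message: str  # the real-time explanation shown to the end user or analyst


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate_share(event: dict) -> list[Finding]:
    """Policies for a sharing / permission-change event on a SaaS asset."""
    findings = []
    if event.get("link_visibility") == "public" and event.get("sensitivity") in {"confidential", "restricted"}:
        findings.append(Finding(event["id"], "public_link_on_sensitive_asset", "high", "remediate",
                                f"'{event['asset']}' is classified {event['sensitivity']} but is reachable by "
                                f"public link; the public link is being removed."))
    for recipient in event.get("recipients", []):
        domain = mail_domain(recipient)
        if domain in PERSONAL_MAIL_DOMAINS:
            findings.append(Finding(event["id"], "share_to_personal_email", "medium", "educate",
                                    f"You shared '{event['asset']}' with {recipient}, a personal mailbox. "
                                    f"Company data must stay on corporate accounts; please remove this access."))
        elif domain not in CORPORATE_DOMAINS:
            findings.append(Finding(event["id"], "share_to_external_domain", "low", "alert",
                                    f"'{event['asset']}' shared externally with {recipient}; review business context."))
    return findings


def evaluate_chat(event: dict) -> list[Finding]:
    """Policies for a chat message (e.g. Slack): secrets belong in a vault, not a channel."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(event.get("text", "")):
            findings.append(Finding(event["id"], f"secret_in_chat:{name}", "high", "educate",
                                    f"Your message in {event.get('channel', 'a channel')} appears to contain a "
                                    f"{name.replace('_', ' ')}. Delete the message and rotate the credential."))
    return findings


def evaluate(events: list[dict]) -> list[Finding]:
    """Route each event to the policy set for its type and collect all findings."""
    findings = []
    for event in events:
        if event["type"] == "share":
            findings.extend(evaluate_share(event))
        elif event["type"] == "chat_message":
            findings.extend(evaluate_chat(event))
    return findings


# Constructed sample events, in the normalised shape a CASB connector might produce.
SAMPLE_EVENTS = [
    {"id": "ev-1", "type": "share", "actor": "alice@example.com", "asset": "Q3 board deck",
     "sensitivity": "confidential", "link_visibility": "restricted", "recipients": ["alice.home@gmail.com"]},
    {"id": "ev-2", "type": "share", "actor": "bob@example.com", "asset": "Customer list.xlsx",
     "sensitivity": "restricted", "link_visibility": "public", "recipients": []},
    {"id": "ev-3", "type": "share", "actor": "carol@example.com", "asset": "Launch plan",
     "sensitivity": "internal", "link_visibility": "restricted", "recipients": ["pm@partner-co.example"]},
    {"id": "ev-4", "type": "chat_message", "actor": "dave@example.com", "channel": "#deploys",
     "text": "use AKIAIOSFODNN7EXAMPLE for the bucket"},   # AWS's documented example key, not a real one
    {"id": "ev-5", "type": "chat_message", "actor": "erin@example.com", "channel": "#random",
     "text": "lunch at noon?"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] {f.event_id} {f.rule:<34} -> {f.action}: {f.message}")
```

Run as-is, the engine flags four of the five events: the personal-mailbox share and the pasted key get an educational message back to the user, the public link on a restricted file is remediated outright, and the ordinary external share is only raised to the security team for a business-context check. The message text is the "education in real time" the post describes; the point of keying it to the user's own action is that it arrives while the decision is still fresh.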
Intentional insider threats: greed and spite
While employee negligence caused by ignorance or arrogance is the most common manifestation of insider threat, there are certainly cases of intentional bad action motivated by greed or spite. One example is departing employees who take information that will give their new company a competitive advantage; another is employees who leave with negative feelings and the desire to “take revenge.”
These actions can even be taken by employees who left some time ago, but whose access to company SaaS assets was never taken away. (One of our clients had a former employee access company SaaS assets two years after his termination date!)
Three avenues for mitigation of intentional insider threats to SaaS data security are:
- Closely monitoring the actions of departing employees
- Prompt, effective offboarding and access removal
- Understanding the business context of SaaS asset exposure
Let’s examine those one by one:
Closely monitoring the actions of departing employees
When it comes to departing employees, the sensitivity of your radar should be higher regarding external sharing or asset downloading. Inclusion of employee status and departure dates in the CASB or other SaaS data security system you are using to monitor user behavior is necessary to have this detection sensitivity. Ideally your system should have an integration with your HR information system, so that a change in employee status will automatically put your SaaS data security system on the lookout.
Prompt, effective offboarding and access removal
This should be an obvious action to take when employees depart the company. Without an effective process, however, former employees are often left with access to company data. In a recent analysis we conducted of DoControl client data, 90% of companies had former employees who accessed assets stored in SaaS applications after they left the company.
Understanding the business context of SaaS asset exposure
Sometimes it is a current (not departing) employee who seeks to cause damage to the company. In order to distinguish between SaaS data sharing, access or exposure that is normal in the course of business (the ease of collaboration, after all, is why organizations use SaaS in the first place!) and that which is suggestive of threat, it is important to factor in the business context of the action. This analysis - ideally performed by automated systems for the sake of scalability - would take into account typical behavior for an end user in this department, with this HR profile and with this type of asset.
If an automated or even a manual analysis cannot provide the business context, SaaS data security teams should leverage direct communication with the end user. What was the purpose of your sharing this asset? Why do these parties need the access you gave them? Business context that comes directly from the end user enables security teams to decide on the right remediation path. This is true for both intentional and unintentional insider threats.
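The three mitigations for intentional insiders all depend on joining SaaS activity with what HR knows about the account: whether the person is departing, has already left, or is simply behaving unlike their department. Below is an added example that is not DoControl's code or any HR system's API; the HR feed, the department baselines, the 3x multiplier and the week of activity are all constructed assumptions, chosen so that each rule fires at least once.

```python
from collections import Counter
from datetime import date

# Constructed HR feed, as a SaaS security system would ingest it from the HRIS.
HR_RECORDS = {
    "alice@example.com": {"department": "sales", "status": "active", "end_date": None},
    "bob@example.com": {"department": "engineering", "status": "departing", "end_date": date(2024, 3, 15)},
    "carol@example.com": {"department": "sales", "status": "terminated", "end_date": date(2022, 1, 31)},
    "erin@example.com": {"department": "engineering", "status": "active", "end_date": None},
}
# Typical external shares per user per week by department (constructed baseline, not real data).
DEPARTMENT_BASELINE = {"sales": 5.0, "engineering": 1.0}
BASELINE_MULTIPLIER = 3.0  # assumed threshold: flag an active user above 3x their department's norm

# Constructed week of SaaS activity: (actor, day, action, asset).
ACTIVITY = [
    ("alice@example.com", date(2024, 3, 11), "share_external", "Proposal v3"),
    ("alice@example.com", date(2024, 3, 12), "share_external", "Pricing sheet"),
    ("alice@example.com", date(2024, 3, 13), "share_external", "Proposal v4"),
    ("alice@example.com", date(2024, 3, 14), "share_external", "MSA draft"),
    ("bob@example.com", date(2024, 3, 11), "download", "Source export.zip"),
    ("bob@example.com", date(2024, 3, 12), "share_external", "Architecture notes"),
    ("carol@example.com", date(2024, 3, 11), "view", "Customer list.xlsx"),
    ("dan@example.com", date(2024, 3, 13), "view", "Board minutes"),
] + [("erin@example.com", date(2024, 3, 11 + i), "share_external", f"Design doc {i}") for i in range(5)]


def actor_status(actor: str, on_day: date) -> str:
    """Resolve what HR said about this account on the day the action happened."""
    record = HR_RECORDS.get(actor)
    if record is None:
        return "no_hr_record"          # an account nobody owns: a classic offboarding gap
    if record["end_date"] is not None and on_day > record["end_date"]:
        return "former"
    return record["status"]            # "active" or "departing"


def detect(activity, as_of: date):
    """Return (actor, rule, severity, detail) tuples for the activity window."""
    findings = []
    external_shares = Counter()
    for actor, day, action, asset in activity:
        status = actor_status(actor, day)
        if status == "former":
            findings.append((actor, "access_after_termination", "high",
                             f"{action} of '{asset}' on {day}, after HR end date {HR_RECORDS[actor]['end_date']}"))
        elif status == "no_hr_record":
            findings.append((actor, "account_without_hr_owner", "medium",
                             f"{action} of '{asset}' by an account absent from the HR feed"))
        elif status == "departing" and action in {"share_external", "download"}:
            findings.append((actor, "departing_employee_exfil_risk", "high",
                             f"{action} of '{asset}' ahead of end date {HR_RECORDS[actor]['end_date']}"))
        if action == "share_external":
            external_shares[actor] += 1

    # Business context for current staff: compare against the department's typical volume.
    for actor, count in external_shares.items():
        if actor_status(actor, as_of) != "active":
            continue
        dept = HR_RECORDS[actor]["department"]
        norm = DEPARTMENT_BASELINE[dept]
        if count > BASELINE_MULTIPLIER * norm:
            findings.append((actor, "external_sharing_above_department_norm", "medium",
                             f"{count} external shares this week vs. {dept} norm of {norm:.0f}; ask the user why"))
    return findings


if __name__ == "__main__":
    for actor, rule, severity, detail in detect(ACTIVITY, date(2024, 3, 15)):
        print(f"[{severity:>6}] {actor:<18} {rule:<38} {detail}")
```

Alice's four external shares raise nothing because four is normal for sales; Erin's five do, because the same count is far outside the engineering norm, and the finding is phrased as a question for the user rather than a verdict, which is the direct-communication step the post recommends. Carol's access two years after her end date and Dan's orphan account are the offboarding failures; Bob's download and external share are ordinary actions made suspicious only by his departure date, which is why the HR integration matters.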
Third parties sharing carelessly
Employees are not the only ones with access to your SaaS data assets. Partners, vendors, suppliers and contractors may all have SaaS asset access. Since these third parties are not within your organization, however, many internal security controls (e.g. Google Drive information rights management settings, end user sharing warnings) will not apply to them once they have been given access to the information. This makes it all the easier for them to create risky SaaS data exposure situations, like sharing with their own external contractors. In our recent analysis of DoControl client data, we found that over the course of 2023 third-party insiders shared an average of 3,003 assets with fourth parties.
Two avenues for mitigation of third-party carelessness threats to SaaS data security are:
- Removing external access to stale assets
- Implementing a CASB to track what happens to externally exposed assets
Let’s examine those one by one:
Removing external access to stale assets
SaaS assets that are both externally shared and stale (i.e. have not been accessed for 90 days or more) create an unnecessary attack surface. Any stale assets should automatically have any external access permissions revoked.
Track what happens to externally exposed assets
Did your third-party contractor share your sensitive document with a fourth party? And the fourth party with a fifth? Tracking the continued sharing of and interaction with SaaS assets that have been externally exposed is critical to ensure that your data stays protected.
Both of the above mitigation approaches, in order to be implemented at scale, would usually fall within the domain of a CASB.
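The two third-party mitigations reduce to a date comparison and a graph walk: anything externally shared and untouched for 90 days loses its external grants, and the re-share log is followed outward from the organization to see how far a document has travelled. This added example is illustrative code written for this post, not DoControl's implementation; the asset inventory, the re-share log and the organization domain are constructed, and the `revoke_external_access` function only edits the in-memory record where a real system would call the SaaS provider's permissions API.

```python
from collections import deque
from datetime import date, timedelta

ORG_DOMAINS = {"example.com"}   # hypothetical organisation
STALE_DAYS = 90                 # "stale" as defined in the post: no access for 90 days or more

# Constructed asset inventory with last-access date and current external principals.
ASSETS = [
    {"id": "doc-1", "name": "Vendor SOW", "last_accessed": date(2023, 11, 1),
     "external_principals": ["legal@vendor-one.example"]},
    {"id": "doc-2", "name": "Product roadmap", "last_accessed": date(2024, 2, 20),
     "external_principals": ["pm@partner.example"]},
    {"id": "doc-3", "name": "Internal memo", "last_accessed": date(2023, 6, 1),
     "external_principals": []},
]

# Constructed re-share log: (asset id, who shared, with whom), as a CASB would collect it.
SHARE_LOG = [
    ("doc-1", "bob@example.com", "legal@vendor-one.example"),
    ("doc-2", "alice@example.com", "pm@partner.example"),
    ("doc-2", "pm@partner.example", "dev@subcontractor.example"),
    ("doc-2", "dev@subcontractor.example", "freelancer@gmail.com"),
]


def is_internal(principal: str) -> bool:
    return principal.rsplit("@", 1)[-1].lower() in ORG_DOMAINS


def stale_external_assets(assets, today: date, stale_days: int = STALE_DAYS):
    """Assets that still carry external grants but have not been accessed within the window."""
    cutoff = today - timedelta(days=stale_days)
    return [a for a in assets if a["external_principals"] and a["last_accessed"] <= cutoff]


def revoke_external_access(asset: dict) -> list[str]:
    """Drop every external grant on the asset and return what was removed (for the audit trail)."""
    revoked = list(asset["external_principals"])
    asset["external_principals"] = []   # in production: one permissions API call per grant
    return revoked


def sharing_depth(share_log, asset_id: str) -> dict[str, int]:
    """Breadth-first walk of the re-share graph for one asset.

    Depth 0 is the organisation itself, 1 a third party, 2 a fourth party, and so on.
    """
    edges: dict[str, list[str]] = {}
    for aid, src, dst in share_log:
        if aid == asset_id:
            edges.setdefault(src, []).append(dst)
    depth = {p: 0 for p in edges if is_internal(p)}
    queue = deque(depth)
    while queue:
        src = queue.popleft()
        for dst in edges.get(src, []):
            if dst not in depth:           # first sighting wins, so depth is the shortest path
                depth[dst] = depth[src] + 1
                queue.append(dst)
    return depth


def party_label(depth: int) -> str:
    names = {1: "third party", 2: "fourth party", 3: "fifth party"}
    return "organisation" if depth == 0 else names.get(depth, f"{depth + 2}th party")


def beyond_third_party(share_log, asset_id: str):
    """Principals who hold the asset without ever having been granted it by the organisation."""
    return [(p, party_label(d)) for p, d in sharing_depth(share_log, asset_id).items() if d >= 2]


if __name__ == "__main__":
    today = date(2024, 3, 1)
    for asset in stale_external_assets(ASSETS, today):
        print(f"revoking external access on '{asset['name']}': {revoke_external_access(asset)}")
    for asset in ASSETS:
        for principal, label in beyond_third_party(SHARE_LOG, asset["id"]):
            print(f"'{asset['name']}' reached {principal} as a {label}")
```

With the constructed data, the vendor SOW is the only stale externally shared asset and loses its one external grant, while the roadmap turns out to sit with a fourth party and a fifth party that the organization never shared it with. The depth map is what makes the remediation decision tractable: the CASB can distinguish the partner the organization chose from the downstream recipients it did not, and act on the latter.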
Your greatest weakness - and your greatest strength
Human end users can be both the weak link that causes a SaaS data breach - and the proactive protection that upholds your SaaS data security. The right combination of automated monitoring and remediation solutions along with end user education and empowerment has the potential to create powerful SaaS data protection synergy.