Enterprises, particularly SMBs, are no longer holding back wondering if they should move their critical data and apps to the cloud. According to a recent BCSG survey, nearly two-thirds of SMBs are already using cloud-based software, with three being the average number of applications in use. Most of these applications provide well-established services like email, creating websites and accepting payments.
This situation looks likely to change, as consideration levels are very high. Seventy percent of SMBs indicate they are considering purchasing new cloud-based solutions in the next two to three years, creating the potential to move the average number of cloud-based applications being used to seven, with 88 percent consuming at least one service.
In spite of this adoption rate, security of cloud-based data and apps remains an important consideration, as major cloud service provider breaches can and do still happen. One example is the recent Gooligan malware attack, whereby hackers gained access to more than a million Google accounts, hundreds of which were associated with enterprise users. User accounts are the Achilles’ heel of information security, because attackers can take over the entire environment by stealing account credentials. Fortunately, the Gooligan creators did not gain access to or steal any Google apps or data, but the reality that they easily could have frightened many businesses relying on G Suite. We view Gooligan as a sign of more sophisticated attacks coming in 2017, so SMBs need to be prepared.
Cloud service providers typically deploy extensive security protocols to protect their environments. However, organizations like the Cloud Security Alliance have long implored businesses using the cloud to assume more responsibility for their own data protection through techniques like multi-factor authentication and encryption. But what about the security risks these businesses face on their own side, within their own four walls? No matter how secure a cloud service provider may be in their own right, they cannot insulate cloud users from many of their own client-side risks or insider threats.
When it comes to ensuring security for cloud-based data and apps, a large share of responsibility still must lie with cloud users. Client-side threats are extensive and growing, with the most predominant being “insider threats.” Traditionally, this term invokes images of malicious employees lurking in the shadows of an office attempting to steal company secrets or bring down the system. The reality is that this type of activity is infrequent at most companies. The real threat and biggest risk to confidential data is an unwitting employee who means no harm at all. Insider threats manifest in several different ways, including:
- Third-Party Apps: According to industry research, the use of third-party apps has increased 30 times in the past few years. More than a quarter of the third-party apps used in enterprises are risky, and among the most problematic are connected cloud applications. An employee may innocently install a third-party app, not realizing that this app essentially has an all-access pass to his or her company’s SaaS-based data and applications. This makes it important for organizations to be able to identify suspicious third-party apps that pose the highest risk.
- “Shadow IT” and OAuth: Shadow IT is a term used to describe applications and systems used by employees without approval from their IT teams. One technology that can introduce especially serious risks is OAuth, an authentication protocol that allows users to approve apps to act on their behalf without sharing their password. This mechanism is used, for example, by Google, Facebook, Microsoft, Twitter and others to permit users to share information about their accounts with third-party applications or websites, without providing their passwords.
The problem with OAuth-connected applications is that, like other types of third-party apps, they can access corporate data extensively, including viewing, deleting, transferring and storing corporate data when enabled using corporate credentials. If these apps are malicious by design, or the connected application’s vendor is compromised, this opens the door to cybercriminals wreaking all sorts of havoc. Like other types of third-party apps, cloud and SaaS users must be able to identify the riskiest OAuth-connected apps.
- Bring-Your-Own-Device (BYOD): As the workforce becomes more reliant on mobile devices, the floodgates of data leakage and threats open up. Data loss can be as simple as an employee having their device stolen, or more complex, such as mobile phones or tablets not being properly patched and attacked by data-stealing malware. Employees also often download mobile apps and connect to external Wi-Fi spots without having the correct security protocols in place.
All of this makes mobile phones and tablets a notoriously weak link and prime attack vector. If a device is used to access cloud-based data and apps, evil-doers can gain a foothold. Fortunately, advances in cloud-to-cloud backup and cybersecurity are available to help SaaS users, particularly G Suite organizations, address the growing client-side threat landscape. Existing features include automated daily security scans of third-party applications that have access to G Suite in order to identify all major risks; user audits (insider threat detection) to ensure 24/7 detection of abnormal user behavior and help proactively identify potential data thefts and leaks; and security alerts via integration with Gmail and Slack, so administrators can be notified quickly and efficiently about security threats.
New capabilities for G Suite users now include third-party application audits and security scoring systems; blacklisting and automated removal of applications identified as risky; data audits (detects data shared with external third-parties); and blacklisting for shared data (automatic removal of data that may have been shared with a non-corporate email address).
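The third-party application scoring described above, and the need noted earlier to identify the riskiest OAuth-connected apps, can be illustrated with the following added example (not the author's or any vendor's code). It merges OAuth grants per app and ranks apps by the broadest scope users have approved; the app names, grant records, weights, thresholds and allowlist are constructed assumptions, while the scope strings are Google OAuth scopes.

```python
from collections import defaultdict

# Risk weight per scope. The scope strings are Google OAuth scopes; the
# weights and thresholds are assumptions chosen for this illustration.
SCOPE_WEIGHTS = {
    "https://mail.google.com/": 10,                      # full mailbox access
    "https://www.googleapis.com/auth/drive": 10,         # read/write/delete all Drive files
    "https://www.googleapis.com/auth/gmail.readonly": 6,
    "https://www.googleapis.com/auth/drive.readonly": 6,
    "https://www.googleapis.com/auth/calendar": 4,
    "https://www.googleapis.com/auth/contacts.readonly": 4,
    "https://www.googleapis.com/auth/userinfo.email": 1,
}
UNKNOWN_SCOPE_WEIGHT = 5   # unrecognised scope: medium risk, never "harmless"
REMOVE_AT, REVIEW_AT = 10, 5

# Constructed sample grants: (user, app name, scopes the user approved).
G = "https://www.googleapis.com/auth/"
GRANTS = [
    ("alice", "PDF Converter Pro", [G + "drive", G + "userinfo.email"]),
    ("bob", "PDF Converter Pro", [G + "drive"]),
    ("carol", "Team Calendar Sync", [G + "calendar", G + "userinfo.email"]),
    ("dave", "Survey Login", [G + "userinfo.email"]),
    ("erin", "Mail Merge Helper", ["https://mail.google.com/",
                                   G + "contacts.readonly",
                                   "https://example.invalid/custom.scope"]),
    ("frank", "Corp Backup", [G + "drive"]),
]
ALLOWLIST = {"Corp Backup"}   # apps approved by IT (hypothetical)

def score_apps(grants, allowlist=frozenset()):
    """Merge grants per app and rank apps by reach into corporate data."""
    scopes, users = defaultdict(set), defaultdict(set)
    for user, app, granted in grants:
        scopes[app].update(granted)
        users[app].add(user)
    report = []
    for app, app_scopes in scopes.items():
        if app in allowlist:
            continue
        worst = max((SCOPE_WEIGHTS.get(s, UNKNOWN_SCOPE_WEIGHT) for s in app_scopes), default=0)
        score = worst + max(len(app_scopes) - 1, 0)  # broadest scope, +1 per extra scope
        verdict = "remove" if score >= REMOVE_AT else "review" if score >= REVIEW_AT else "ok"
        report.append({"app": app, "score": score, "verdict": verdict,
                       "users": sorted(users[app])})
    return sorted(report, key=lambda r: (-r["score"], r["app"]))

if __name__ == "__main__":
    for row in score_apps(GRANTS, ALLOWLIST):
        print(row)
```

Scoring on the union of scopes across all users reflects what the app's vendor can reach in total, which is what matters if that vendor is compromised.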
Recognizing that a comprehensive cloud information security strategy must also address the issue of availability, G Suite users also now have at their disposal combined cloud-to-cloud backup and cybersecurity offerings. The backup capabilities support automated, encrypted daily backup to alternative cloud storage environments, beyond Google data centers. This combined solution is ideal for organizations looking to streamline resources and simplify the task of backing up and securing their G Suite data and applications.
There are many benefits to using the cloud and SaaS apps, including fast ramp-up time, minimal development costs and scalability. But the threat surface area expands greatly to include both threats targeted at the cloud and the threats cloud users face themselves, independent of the cloud. This may seem like a lot to manage, but the good news is cloud service providers overall have very strong security (far better than most cloud users) and they’re always looking to improve. On the client side, new solutions can help cloud users do their part, ultimately helping to maximize data protection and overall investments in cloud and SaaS strategies.
About the Author
Dmitry Dontsov, CEO of Spinbackup, has wide technology and marketing expertise in the area of cloud apps development and management. In addition to being the CEO and Co-founder of Spinbackup, Dontsov is the Co-founder of Bridge and founder of Optimum Web Outsourcing.