High-profile security breaches have dominated the headlines in 2014. Two notable examples over the last few months, the Apple iCloud and Dropbox breaches, have revealed a juicy target for attackers: user credentials.
Rather than try to hack into the application itself like iCloud, Dropbox, Salesforce, or Amazon Web Services (AWS), an easier and much more feasible approach to gaining access to sensitive data, celebrity photos, or whatever else an attacker is after, is through stolen user credentials.
Both Apple and Dropbox were quick to point out that their own applications weren’t breached, but that the hackers had stolen user credentials from other cloud services and then used them to access Apple and Dropbox accounts. These incidents highlight the perils of cloud applications. By moving business-critical applications (like storage, CRM, HR, finance) to the cloud, IT administrators have ceded security controls to cloud service providers, throwing into question the security of data stored in the cloud.
That’s why it’s so important to implement additional security controls on top of those provided by the cloud service. The AWSs and Dropboxes of the world provide varying levels of infrastructure security, but it’s ultimately up to the cloud service customer to close the loop. According to Forrester Research, it’s a shared responsibility between the cloud service provider and its customers to ensure complete security over the app and customer data.
It’s imperative to have visibility into cloud app usage across all devices – managed and unmanaged
Fortunately, there are some steps organisations can take to mitigate the risk of cloud service credential theft.
Know what’s going on – and don’t forget about mobile
First off, it’s important to know what apps are being accessed by employees and whether they’re authorised by IT or not. Cloud apps are no longer just being accessed through desktop browsers. The ubiquitous use of mobile devices and explosive growth of native mobile apps have exposed a new security hole for many IT organisations.
To date, most organisations have focused on securing managed devices (i.e. corporate-owned), but there’s no escaping the BYOD movement. More and more employees are blurring the line between work and personal devices. It’s common to see employees using their personal smartphones for work-related activity.
As a result, it’s imperative to have visibility into cloud app usage across all devices – managed and unmanaged. For example, knowing from which locations (home, office, Portugal etc) and through what devices (iPad, laptop, Android phone) users are typically accessing the cloud services is fundamental to a sound security strategy.
A new category of tools that analyst firm Gartner calls Cloud Access Security Brokers (CASB) can build “behavioural profiles” based on user and device fingerprints, which make it easier to identify suspicious behaviour in real-time and enforce appropriate policies to remediate risks before damage can occur.
Proactive yet flexible protection
Once a baseline of normal behaviour has been established for each user, CASB solutions can then define and enforce policies to provide proactive detection and protection against stolen credentials attacks. Here’s how it works: an attacker in New York steals the Gmail login credentials of a user in California. Assuming the victim’s login credentials are being used for most, if not all, of their cloud services, the attacker attempts to access a Dropbox account from his or her Android phone at 2am using the stolen credentials.
Cloud Access Security Brokers (CASB) can build ‘behavioural profiles’ based on user and device fingerprints, which makes it easier to identify suspicious behaviour in real-time
Since the victim doesn’t normally access his or her Dropbox account from New York with an Android phone and certainly not at 2am, this attempt would be flagged as anomalous behaviour. At that point, several measures can be implemented separately or in conjunction. An alert can be sent to the security team, account access can be blocked and/or multi-factor authentication can be requested before allowing access to the account. This flexibility is required since the legitimate user could very well be on vacation in New York, accessing their account from a different device. A draconian “block access” would be too strict of a measure in this case.
If necessary – request stronger authentication
In both the Apple and Dropbox breaches, both companies recommended the use of two-factor authentication to add another layer of security to prevent the inappropriate use of stolen credentials. Multi-factor authentication is a powerful way to protect against account takeovers. It forces would-be attackers to present at least two forms of authentication – one that involves something you own (e.g. a mobile device) and the other something you know (e.g. a one-time password).
In the New York-California attack example above, instead of blocking access immediately, an organization could invoke two-factor authentication. This would challenge the attacker to verify his identity via an out-of-band one-time password (which he wouldn’t be able to provide) and result in access being denied. If the request was being made by the legitimate user, they would be able to present both forms of authentication and still access their account.
Although stolen credentials pose a significant risk to cloud services security, with the right policies and technology in place, an organisation can protect data residing in cloud apps from unauthorised access and theft.