Digitisation has dramatically changed how work gets done. Business-critical apps and data are a keystroke away, no matter where an employee is or what time it is. Perhaps it is this familiarity with data that makes employees feel so connected to it that, when they switch jobs, they often take some of it with them. Maybe it’s why most of them don’t think this is a criminal act.
Whatever the reasoning for this willful exfiltration of data, a lack of security can impact an organisation’s growth and ability to retain a competitive advantage. But with more visibility into insider threats, organisations can drive bad actors out and improve their overall security posture.
Below are the top five events that organisations monitor cloud applications for and how paying attention to them can help to promote good security hygiene within a company.
Look at login activity
Dig into who is logging in, from where and when, is likely to turn up some surprises related to application interaction. Terminated users who have not been properly deprovisioned may be able to gain access to sensitive data after employment, in the case of a departed employee, or at the end of a contract with a third party. Login activity can also tell you a user’s location, hours, devices and more – all of which can uncover potential security incidents, breaches or training opportunities.
Organisations can keep data safe from those who shouldn’t have access anymore, like a former employee or contractor, by monitoring for inactive user logins. Login activity can also tell you whether employees are logging in after hours or from a remote location. This may be an indicator of an employee working overtime – but it may also be a red flag for a departing employee, logging in after hours to steal data, or of compromised credentials.
Examine what’s being exported
Exporting reports is an easy way for employees to extract large amounts of sensitive data from Salesforce and other cloud applications. Users can run reports on nearly anything within Salesforce, from contacts and leads to customers. And those reports can be exported for easy reference and analysis.
The other side of the coin is that this ability can also make a company vulnerable to data theft and breaches. Departing employees may choose to export a report of customers, using the list to join or start a competitive business.
But if a company is monitoring for exports, this activity helps to:
- Secure sensitive customer, partner and prospect information, which will increase trust with your customers and meeting key regulations and security frameworks (e.g., PCI-DSS).
- Find employees who may be taking data for personal or financial gain and stop the exfiltration of data before more damage occurs.
- Lessen the severity and the cost of a data breach by more quickly spotting and remediating the export activity.
- Find likely cases of compromised credentials and deactivate compromised users.
Research all reports being run
Companies focus their security efforts on which reports are being exported, but simply running a report could create a potential security issue. The principle of least privilege dictates that people only be given the minimal amount of permissions necessary to complete their job – and that applies to data that can be viewed. But many companies grant broad access across the organisation, even to those whose job does not depend on viewing specific sensitive information.
Job scope is an important consideration in which reports are appropriate. If you look at which reports have been run, top report runners and report volume, you can track instances where users might be running reports to access information that’s beyond their job scope. Users may also be running – but not necessarily exporting – larger reports than they normally do or than their peers do.
A third benefit comes from monitoring for personal and unsaved reports, which can help close any security vulnerability created by users attempting to exfiltrate data without leaving a trail. Whether it’s a user who is attempting to steal the data, a user who has higher access levels than necessary, or a user who has accidentally run the report, monitoring for report access will help you spot any additional security gaps or training opportunities.
Keep track of creation and deactivation
Creating and deactivating users is a part of managing users. Organisations can monitor for deactivation – which, if not done properly after an employee leaves the organisation, may result in an inactive user gaining access to sensitive data or an external attacker gaining hold of their still-active credentials. For this and other cloud applications, a security issue may also arise when an individual with administrative permissions creates a “shell,” or fake user, under which they can steal data. After the fact, they can deactivate the user to cover their tracks.
Monitoring for user creation is an additional step security teams can take to keep an eye on any potential insider threats. And by keeping track of when users are deactivated, you can run a report of deactivated users within a specific time frame and correlate them with your former employees (or contractors) to ensure proper deprovisioning. Monitoring for creation and/or deactivation of users is also required by regulations like SOX and frameworks like ISO 27001.
Check changes in profiles and permissions
What a user can and can’t do in cloud applications is regulated by profiles and permissions. For example, in Salesforce, every user has one profile but can have multiple permissions sets. The two are usually combined by using profiles to grant the minimum permissions and access settings for a specific group of users, then permission sets to grant more permissions to individual users as needed. Profiles control object, field, app and user permissions; tab settings; Apex class and Visualforce page access; page layouts; record types; and login hours and IP ranges.
Permission level varies by organisation. Some give all users advanced permissions; others grant only the permissions that are necessary for that user’s specific job roles and responsibilities. But with over 170 permissions in Salesforce, for instance – and hundreds or thousands of users – it can be difficult to grasp the full scope of what your users can do in Salesforce.
Monitor that data
Digital transformation has brought about great freedom and productivity, enabling employees to work from anywhere at any time. Cloud-based business apps have become the norm, with data flowing to and fro along a countless number of endpoints connected to employees with different levels of responsibility.
To oversee all this activity, many companies today are monitoring user interactions with cloud apps and data. This creates greater visibility, which helps both your organisation and your customers have greater peace of mind that security measures are in place to protect data.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.