Providing Insight Into the Cloud Computing Security, Privacy and Related Threats

Cloud Security Journal

Subscribe to Cloud Security Journal : eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Cloud Security Journal : homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Cloud Security Authors: Elizabeth White, John Katrick, Mamoon Yunus, Ravi Rajamiyer, Liz McMillan

Related Topics: Cloud Computing, Security Journal, Cloud Expo on Ulitzer, Cloud Security Journal , Secure Cloud Computing, IT Security Insider

Blog Post

The Major Cloud Security Threat By @Intermedia_Net | @CloudExpo [#Cloud]

Eighty-nine percent of knowledge workers retain access to the sensitive corporate applications and files of former employers.

The Major Cloud Security Threat Most IT Departments Overlook

Eighty-nine percent of knowledge workers retain access to the sensitive corporate applications and files of former employers.

Earlier this year, a member of the team at Site-Eye, one of the top time-lapse film companies in the UK, noticed a disturbing problem with one of its client's feeds. A deeper investigation revealed that of the 200 cameras it had installed at construction sites around the world, 120 had been remotely disabled. In order to restore service to these cameras, engineers needed to be dispatched to each location, setting Site-Eye back $80,000.

The cause behind the problem? A single disgruntled former employee who walked away from his job with the passwords to the company's services in-hand.

This is an issue that is far from isolated to the time-lapse film industry: it's actually a risk for any business that embraces the cloud.

A not-so-silver lining
Cloud services do more than just increase flexibility and scalability: they level the playing field by enabling small and medium-size businesses to leverage the same technology as enterprise companies. Businesses are showing increasing comfort with cloud-based services, and so are users. This has created the "Bring Your Own Service (BYOS)" trend, in which employees deploy the cloud services that they're most familiar or comfortable with, sometimes without IT's permission and often without IT's awareness.

This is one reason why it's becoming increasingly difficult for IT to control who has access to what data-and why stories like the Site-Eye sabotage are becoming increasingly common.

14.3 apps per company

According to Osterman Research, the average company has deployed 14.3 apps. (To me, that number sounds too small, even if it doesn't include apps provisioned without IT's knowledge.) Regardless, it's no surprise that employee turnover is now introducing a new IT risk: ex-employees that retain continued access to their former employer's sensitive cloud apps.

In fact, a separate study from Osterman Research found that a staggering 89% of knowledge workers retained at least one login and password to a former employer's cloud service, including Salesforce, PayPal, Dropbox, and others.

To make matters worse, 45% of the respondents to the Osterman Research survey considered the information they could access from their former employers to be "confidential" or "highly confidential." And 49% admitted to logging into one of these accounts after leaving a company.

I call this "rogue access." The FBI calls it "insider threat cases": they recently announced that this risk poses "a significant cyber threat to US businesses," noting that "...victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees."

Three ways to mitigate your risk

This vulnerability creates risks that are potentially devastating for a business. These include the potential for stolen secrets, loss of data, data breaches, regulatory compliance failures, and, as in the case of Site-Eye, out-and-out sabotage.

However, there are three steps companies can take to regain control over their data and their access:

1. Establish stringent access management and IT off-boarding practices. Osterman Research found that 60% of the employees that participated in its survey were not asked for their cloud logins by their employers. Formal on-boarding and off-boarding policies are critical and must be implemented for every employee and every app.

2. Offer cloud storage services that are more attractive than personal alternatives. IT obviously is unable to revoke access to data on personal storage. However, 68% of the employees in Osterman Research's study reported using personal file storage services-including Dropbox and Google Drive-to store corporate files or transfer them to other devices.

Not only does this enable employees to retain access to these files after leaving the company, it also creates the risk of losing the only copy of a critical file if the former employee simply purges their personal file storage folders.

If companies offer easy to use options that also provide IT with full access and control, employees will be less likely to sidestep it, and employers can avoid these serious risks.

3. Leverage a single sign-on (SSO) service to improve visibility into employee access. An SSO portal allows employees to securely access all of their apps with just one click, using one strong password. This improves security because employees are more likely to use strong passwords if they don't have to commit them to memory. In addition, SSO gives IT visibility into which apps a departing employee had been using, providing a much better picture of which accounts need to be transferred or terminated.

The "ex-employee menace" is a very real problem, but also a preventable one. If IT departments institute and adhere to these three crucial steps, they can enjoy the benefits of cloud applications without incurring the potential risks.

More Stories By Michael Gold

Michael Gold is the President of Intermedia, a leading one-stop shop for cloud IT. You can learn more about the dangers of rogue access in Intermedia’s report, The Ex-Employee Menace. You can also download their IT off-boarding checklist and best practices for IT access. Follow Intermedia at @intermedia_net.