More and more companies have become dependent on cloud data storage. While the cloud can be a cost-effective and useful solution for many, failing to account for which users can access what data is becoming increasingly hazardous. There is a permissions gap for cloud data users, which means that many users have far more permissions and privileges than they need, which creates problems if an attacker compromises their credentials and then has access to so much.
To solve this problem, companies need to keep track of how permissions are given and restrict them as needed. Using fraud prevention strategies can also help with detecting unusual activity around sensitive data, and they can lower discovery and recovery time.
The Cloud Has a Permissions Gap
Recently, Microsoft released a report that indicated that users only need 1% of the permissions they are granted for day-to-day work, and 60% of user identities are inactive, meaning the user likely no longer works for the company but still has access to company data through old credentials. At least half of identities are considered superusers, meaning that logging in with those credentials provides administrative privileges.
Clearly, there is a gap between the access needed by most people and the access provided. Even more alarming, however, is the gap between machine identity permissions and their actual utilized permissions. Inactive identities for machines is 80%, and less than 5% of permissions available to cloud-based applications are used, meaning that online machine entities have expansive permissions that they don’t need.
The Risks of Excessive Permissions
Although the users and applications don’t utilize all available permissions, attackers are more than willing. Attackers can use excessive permissions to:
From our partners:
- Access data. Especially if an attacker can access an unused superuser credential, impersonating an inactive user can yield large amounts of data and provide access to sensitive information. Failing to adequately secure your data can lead to fines due to data privacy law violations.
- Move laterally. Even if the user initially impersonated doesn’t have access to a particular bit of data, an attacker can use those credentials and access to the system to move to a new account that has not yet been compromised. If this account does have access, the attacker has successfully infiltrated your environment and probably stolen your data. Sometimes attackers are able to give themselves administrative credentials, which could be used to create vulnerabilities elsewhere in your environment to facilitate later attacks.
- Plant malware. An attacker who has free access to your environment can easily plant malware on a device, and once the malware is on one device, it can spread to your whole network. Attackers could plant keystroke loggers on your machines or hack your email to send malware to your contacts (including your customers). Regaining customer trust after causing them cybersecurity problems may prove difficult.
As challenging as any of these problems would be for your business, they also put your customers at risk. If an attacker views your private data, not only are you at risk of violating data privacy laws, but your customers are also at risk of identity theft. Similarly, any malware that infects your system could be passed to your customers through supply chain attacks or malware-laden emails.
Managing the Risk of Excessive Cloud Permissions
To avoid these problems, lock down your permissions and adopt the principle of least privilege. Users should only be able to access the data necessary to do their jobs, and expanded privileges should only be granted on an as-needed basis. Ideally, if an attacker were to steal credentials from someone, he would have a very limited amount of accessible data, and you could shut down or lock the attacker out of the account quickly.
There are a number of other things you can do to keep your cloud environment relatively safe. Managed fraud prevention solutions can help you protect your organization from things like bot attacks, account takeovers, and client-side incidents. These solutions will automatically detect, block, and alert you to suspicious activity while still allowing legitimate traffic to access permitted data.
Another benefit of managed solutions is recovery speed. If an attacker is able to access someone’s account and infiltrate your environment, quick detection will reduce the amount of compromised data and the likelihood that the attacker will be able to move laterally or compromise any more credentials. A speedy recovery will also lower your odds of frustrating or losing customers.
Currently, many companies fail to accurately tailor user permissions according to the data the user needs to regularly access or the functions frequently performed. This creates an environment that is more susceptible to damage following a security breach. To minimize the damage and downtime without sacrificing functionality, companies should consider fraud prevention solutions, automated alerts, and the principle of least privilege.