Recent data breaches, such as the one experienced by the U.S. cloud provider PCM¹, showed that attackers who obtain a provider's administrative credentials can reach client email and file-sharing systems. The breach was covered extensively in SCMagazine, Information Security Buzz, and Infosecurity Magazine. The attackers appear to have obtained the administrative credentials PCM used to manage all of its clients' Office 365 accounts. PCM is a substantial company with a heavy investment in cybersecurity: over 4,000 employees, 2,000 customers and over $2 billion in revenue in 2018. You would expect its cloud environments to be properly configured and well protected.
If an attacker gains complete access to your email administration, the result can be a disaster. Password resets and other authentication steps for many of your other business accounts are delivered to email, so control of the mailbox is effectively control of those accounts. Worse, an attacker who can read the compromised mailbox can find and reset dozens of related online accounts simply by sifting through its contents. Data protection is your responsibility, not the SaaS application provider's nor the cloud infrastructure provider's, and when things go wrong you will be the one held liable.
This attack on PCM was strikingly similar to the cyberattack against India-based Wipro, in which Wipro's internal credentials were compromised and used to obtain customer data. The two attacks have not been proven to be linked, but there are many similarities. In both cases the attackers exploited one of the many attack vectors that make up today's top cloud security threats. Other risks include insecure API interfaces, system vulnerabilities, account hijacking, malicious insiders, malware, advanced persistent threats, and more.
It has become very apparent that attackers will penetrate your on-premise and cloud networks at some point; it is almost unavoidable. You cannot build a wall that keeps attackers out. What you can control is how well you minimize their opportunities for a breach, verify that your security controls work as expected (for example by operationalizing the MITRE ATT&CK framework, or a similar knowledge base of adversary techniques, to test your detection coverage), detect intruders closer to the time of the initial breach, and reduce the time they spend moving freely within your network (dwell time). Most important, you must restrict their access to data at every turn while they are active within your network. Once they are detected, you must shut them down rapidly and then return to normal business operations.
There is quite a bit of light at the end of this otherwise dark tunnel. The data protection capabilities of Cloud Access Security Brokers (CASBs) provide the ace in the hole and the insurance policy you need to protect your cloud-based instances and the supply chain you depend upon.
A CASB can bring important threat and data protection features, including Zero Trust end-to-end encryption, data masking, multi-cloud support, and more. CASB technologies such as data loss prevention (DLP), native device management, secure offline data access, automated PII anonymization, and digital rights management also provide the protection your data needs to stay secure. In the final analysis, properly encrypted data cannot be read by an attacker who steals it: without the key, all the attacker holds is ciphertext. Comprehensive encryption that is applied dynamically and automatically, with the keys kept out of the attacker's reach, is the key to securing your kingdom.
CipherCloud aligns its approach to encryption with the tenets of Zero Trust. Zero Trust end-to-end encryption is the most comprehensive approach to data pseudonymization available today. Zero Trust ensures that your enterprise has complete and continuous control over sensitive data (e.g. PII, PHI, IP, confidential documents), whether it is structured or unstructured and whether it sits on-premise, in the cloud, or on an endpoint device.
The CipherCloud CASB encrypts data at the boundary of the enterprise, before it leaves for the cloud, so that the copy in the cloud is always ciphertext regardless of how the application uses or processes it. This holds while the data is in transit (through the network), inside the cloud application layer, API, middleware, or memory, and at rest (in the database). Plaintext exists only inside the enterprise boundary and on the authorized endpoint for which the CASB decrypts it; the cloud-side copy is encrypted 100 percent of the time.
CipherCloud Zero Trust encryption protects your data from all of the cloud threats identified earlier, including the most sophisticated scenarios. Consider a network intruder who gains access to an application programming interface (API) that can read from the encrypted database. Zero Trust encryption stops this attack outright: any data pulled out through the API or the database remains encrypted and unintelligible, because the key that would decrypt it never left the enterprise.
Note that CipherCloud's strict control over encryption key management is equally essential. Encryption protects data only as long as the keys that decrypt it remain completely secure. When a user needs to read the data, the data encryption key must be available to decrypt it on their behalf; without that key the data is inaccessible and useless to any party that misappropriates it.
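The boundary-encryption model described in the last three paragraphs, as an added example that is not CipherCloud's code: a small Go program stands in for the enterprise gateway. It encrypts the sensitive fields of a record with AES-256-GCM before the record is handed to the cloud application, binds each ciphertext to its record ID and field name as associated data so a value cannot be transplanted into another record or field, and shows that anyone reading on the cloud side (an intruder using the application's API, or a gateway holding a different key) gets only ciphertext or an authentication failure. The `Proxy` and `Record` types, the field names, the sample record and the choice of AES-GCM are all assumptions made for this example; the page does not name a cipher, and a real deployment would fetch the key from a key manager rather than generate it in `main`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record is one application record, field name to value (constructed for this example).
type Record map[string]string

// sensitiveFields are encrypted before leaving the enterprise; everything else
// (here "id" and "tier") stays in clear so the cloud app can still index on it.
var sensitiveFields = []string{"name", "email"}

// Proxy stands in for the enterprise-boundary gateway: the only holder of the data encryption key.
type Proxy struct{ aead cipher.AEAD }

// NewProxy builds a gateway around AES-256-GCM with the supplied 32-byte key.
func NewProxy(key []byte) (*Proxy, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Proxy{aead: aead}, nil
}

// aad ties a ciphertext to its record and field; a value moved elsewhere fails authentication.
func aad(recordID, field string) []byte { return []byte(recordID + ":" + field) }

// seal encrypts one field value as "enc:" + base64(nonce || ciphertext || tag).
func (p *Proxy) seal(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := p.aead.Seal(nil, nonce, []byte(plaintext), aad(recordID, field))
	return "enc:" + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// open reverses seal; a wrong key, a modified byte or a moved value surfaces as an error, never as garbage.
func (p *Proxy) open(recordID, field, stored string) (string, error) {
	if !strings.HasPrefix(stored, "enc:") {
		return "", fmt.Errorf("field %q is not ciphertext", field)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "enc:"))
	ns := p.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", fmt.Errorf("field %q: malformed ciphertext", field)
	}
	pt, err := p.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(pt), nil
}

// apply copies the record and transforms only the sensitive fields with fn.
func (p *Proxy) apply(r Record, fn func(id, field, v string) (string, error)) (Record, error) {
	out := Record{}
	for k, v := range r {
		out[k] = v
	}
	for _, f := range sensitiveFields {
		v, err := fn(r["id"], f, r[f])
		if err != nil {
			return nil, err
		}
		out[f] = v
	}
	return out, nil
}

// Outbound runs on the way to the cloud: the result is all the SaaS app, its API and its database ever see.
func (p *Proxy) Outbound(r Record) (Record, error) { return p.apply(r, p.seal) }

// Inbound runs on the way back to an authorized user behind the gateway.
func (p *Proxy) Inbound(r Record) (Record, error) { return p.apply(r, p.open) }

func main() {
	key := make([]byte, 32) // generated here only for the demo; in practice supplied by the key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	proxy, _ := NewProxy(key)
	rec := Record{"id": "c-1001", "name": "Alice Example", "email": "alice@example.com", "tier": "gold"}
	stored, err := proxy.Outbound(rec) // what the provider's API and database hold
	if err != nil {
		panic(err)
	}
	fmt.Println("cloud copy:  ", stored)
	back, err := proxy.Inbound(stored) // what an authorized user behind the gateway gets
	fmt.Println("behind proxy:", back, err)
}
```

The non-sensitive fields are deliberately left in clear so the application can still search and sort on them; that is the usual trade-off with field-level encryption, and which fields go on the sensitive list is a data-classification decision, not a cryptographic one.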
In summary, you cannot prevent breaches at the cloud provider level. It is an impossible situation, and yet one for which you may be liable. The answer is to change your security strategy from one that is heavily perimeter based (keep the attackers out) to one that is data protection based (encrypt all data almost all of the time). This aggressive approach to data protection is part of a Zero Trust strategy. If you are interested in learning more about Zero Trust encryption please call us or sign up for a free trial here: https://pages.ciphercloud.com/request-casb-trial. We'd be delighted to share more information with you.