The SolarWinds supply chain attacks continue to play out, with new impacts and technical considerations coming to light in the headlines seemingly every day.
Amidst all the helpful research into the vulnerabilities and tactics being utilized by the involved hackers, who many experts now believe to be sponsored by some form of nation-state, one particular element stands out from a cloud security and remote collaboration standpoint.
Last week, multiple stories were published that further detailed the extent to which Office 365 was leveraged in the SolarWinds campaign. The Wall Street Journal disclosed that the involved attackers had subverted Office 365 security controls, along with other defenses, to linger in SolarWinds’ environment for as long as nine months prior to being discovered.
This was followed by a piece in CRN that quoted SolarWinds CEO Sudhakar Ramakrishna in great detail regarding his conclusion that it was in fact a compromise of Office 365 that enabled the attackers to “gain access to and exploit the SolarWinds Orion development environment”, and not vice versa, as some earlier reports had implied [and we had reported in our earlier assessments of the situation].
While Microsoft has for its part denied that this is an Office 365 issue, the WSJ piece concisely defined what the scenario looks like from a cloud security and connected cloud applications standpoint. This is of course the angle that we have been observing with great interest from a technical perspective – specifically “that the hackers may have compromised [SolarWinds’] Office 365 accounts even earlier and then used that as the initial point of entry into the company.”
That “the hackers had accessed at least one of the company’s Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts” and subsequently discovered, then exploited, vulnerabilities in SolarWinds’ products is precisely the type of security challenge that we speak to practitioners about on a daily basis.
So, we’ll continue to look at this type of threat from a holistic perspective. Microsoft has a formidable security strategy and has been assertive in building capabilities into Office 365. The real issue here is that attackers can increasingly utilize these types of techniques in today’s distributed cloud-connected environment. Organizations need to extend their abilities to identify and thwart campaigns that seek to compromise privileged user accounts and take advantage of trust relationships between cloud applications to carry out their nefarious activities.
To me, one of the best pieces written on all of this to date is the story authored by former Microsoft Security Response Center contributor Christopher Budd for GeekWire. His article clearly outlines the bigger picture cloud security implications in a detailed and straightforward manner.
If you’re interested in the CipherCloud perspective on advancing best practices to address these challenges and employing CASB and ZTNA capabilities to do so, check out our latest whitepaper, or join us for our related webcast. We of course maintain that there is a lot that can be done from a process and solutions standpoint – more details on this follow below.
What are the security considerations introduced by cross-cloud collaboration?
Cloud collaboration and remote productivity tools have emerged as key enablers of the distributed workforce as well as business continuity over the last year. However, while tools such as Microsoft Teams, Office 365, OneDrive, G Suite, and Slack have boosted employee productivity and supported the human perimeter, they have also increased cloud and data security considerations.
Collaboration platforms support a lot of sensitive data exchange between internal teams, external teams, and other relevant third parties. In the new normal, collaboration is fundamental to business continuity and the growing adoption of platforms such as Office 365, Salesforce, ServiceNow, SAP, Slack, and Box, among many others, is at an all-time high. Amidst this growth, perhaps more than any other platform, Microsoft’s Office 365 cloud productivity suite has emerged as a leading enabler of the remote workforce, based on its wide range of communications and collaboration capabilities.
Are your Office 365 accounts, cloud applications, and data truly safe from cyber-attacks?
We’ve witnessed Microsoft’s official collaboration platform, Teams, grow explosively from 20 million DAU to 115 million DAU over the last year. This growth intensifies security issues, as Microsoft Teams relies heavily on other apps from the Office 365 suite to facilitate real-time collaboration. For example, Teams uses SharePoint Online to store files that are shared in conversations, OneDrive to store files shared in private chats, and Azure AD to manage and authenticate team members. Moreover, these are the security considerations for just one cloud service. Employees need to access multiple clouds and private applications in the course of daily business operations.
With the use of Office 365 and other similar applications to interact and share information with internal colleagues and external business partners, security practitioners are experiencing a variety of security issues, including:
- Risky Privilege Access Management – A lack of visibility into, and tight control over, access poses a serious threat to business continuity. For example, Group Owners on Microsoft Teams can easily grant the highest level of privileges and access rights to any member of the team, even though the group may contain files with sensitive data. These access rights, stored across Azure AD and SharePoint, can result in related exposure across Office 365 and connected cloud applications (as evidenced in the SolarWinds hacks).
- Unsecure Data Sharing – Sharing sensitive data or credentials via collaboration platforms can lead directly to the risk of data leaks and compliance fines. Sensitive data is most often downloaded and shared through chat between team members, or even with external parties, which further exacerbates data exposure concerns, especially in the absence of integrated data protection policies such as cloud Data Loss Prevention.
- Evolving Insider Threats – Insider threats can clearly manifest from users attempting to utilize privileged access to applications and data, or more commonly from user errors that inadvertently place organizations at an added risk of breaches or compliance penalties. Security teams need to be able to monitor and detect anomalous user behavior in real-time.
- Unintentional Compliance Violations – As greater volumes of sensitive and standards-protected data find their way into cross-cloud collaboration workflows, it becomes vital for organizations to protect against unintentional exposures that could result in compliance violations and the potential for significant fines and penalties.
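The account “leapfrogging” described above, where one compromised Office 365 account becomes a stepping stone to others, is one pattern that real-time anomaly detection can surface. The following is an added example, not code from the original post or from CipherCloud: it runs a simple detector over a constructed, simplified sign-in log (one event per line: timestamp, account, source IP, result; the format is an assumption, real Azure AD sign-in logs are richer) and flags any source IP that successfully authenticates to several distinct accounts inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Format is an assumption:
# <ISO-8601 timestamp> <account> <source IP> <result>
SAMPLE_SIGNINS = """\
2019-12-02T08:01:10Z alice@example.com 203.0.113.7 success
2019-12-02T08:05:42Z bob@example.com 198.51.100.4 success
2019-12-02T08:40:03Z carol@example.com 203.0.113.7 success
2019-12-02T09:12:55Z dave@example.com 203.0.113.7 success
2019-12-02T09:30:00Z erin@example.com 203.0.113.7 failure
2019-12-03T10:00:00Z bob@example.com 198.51.100.4 success
"""


def parse_signins(text):
    """Parse the simplified log into (timestamp, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    return events


def find_account_hopping(events, window=timedelta(hours=2), min_accounts=3):
    """Return {ip: sorted accounts} for every source IP that successfully signed in
    to at least `min_accounts` distinct accounts within any `window`-long span.
    Failed sign-ins are ignored: the signal is successful access to many accounts
    from one origin, which is what the leapfrogging scenario looks like in logs."""
    successes_by_ip = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "success":
            successes_by_ip[ip].append((ts, account))

    hits = {}
    for ip, entries in successes_by_ip.items():
        entries.sort()  # chronological, so each entry can start a sliding window
        for i, (start, _) in enumerate(entries):
            accounts = {acct for ts, acct in entries[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits


if __name__ == "__main__":
    for ip, accounts in find_account_hopping(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"{ip} reached {len(accounts)} accounts within 2h: {', '.join(accounts)}")
```

In the sample, 203.0.113.7 reaches three accounts within 72 minutes and is flagged, while 198.51.100.4 (one account, two days apart) is not; tuning the window and threshold to an organisation's own baseline is what keeps this from paging on shared egress IPs.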
Best Practices for Securing Cross-cloud Collaboration for Office 365 and other Applications
As organizations further advance their cloud adoption and collaboration practices with newer tools, new threats and risks will inevitably appear. Whether through user error or a loophole in security policies or tooling, a single vector can be exploited by an attacker to breach the entire cloud ecosystem. These core best practices enable security practitioners to implement an integrated security approach that continuously assesses the cloud ecosystem for risks and triggers remediation measures across a human-centric perimeter.
- Knitting together the right access controls: To build an effective cloud applications and data access strategy, practitioners need to consider contextual device and user-based access controls for individual and connected cloud applications.
- Accounting for threats from the human perimeter: As threats and malware attacks continue to rise, integrating threat prevention with user anomaly detection enables practitioners to isolate emerging user activities that demand immediate analysis and response.
- Building a layered data protection approach: As cloud data security requirements continue to mature rapidly, applying a layered approach to end-to-end cloud data protection, with centralized and actionable policies, ensures that confidential and sensitive data is protected at all locations – in the cloud and on users’ devices.
- Looking out for compliance: To avoid unintentional compliance violations, run assessments on data across cloud applications to ensure compliance with global and local privacy regulations including PCI, PII, HIPAA, GDPR, CCPA, and more.
To know more about securing Office 365 and other connected cloud applications, join us for this best practices webinar that highlights an integrated cloud security approach with CipherCloud CASB+ and references principles from MITRE ATT&CK Cloud Matri