While we celebrate Halloween, it is hard not to extrapolate some of the spookiness to what we encounter in real-life cybersecurity scenarios. Check out the blog below by our CASB PM, Karl Miller, on some frightful findings we recently encountered with some cloud application deployments! Thankfully enough, Oracle CASB Cloud Service was able to get these customers right back on track so these spooky secrets got addressed promptly!
Halloween is one of my favorite holidays. It has always been because I can make it as fun, creepy, silly or scary as I want. Cloud security is not always quite so silly, but it can be creepy or downright scary. However, like any good haunted house, the scariest things aren't always what you think they are or jump our screaming to get your attention.
Recently, I've had a few interactions with organizations that had some rather scary issues, but didn't jump out screaming "Boo". Before we jump in, let me point out that each of these organizations have truly fantastic security teams and great practices. Seriously. These chilling tales are just a reminder that as we move into clouds, we need better ways to keep an eye on everything that happens. As one of my friends used to say "In God we trust, but He's still going to be monitored".
A la "Scooby DooTM", here are some short case notes.
While we all remain concerned about the nefarious attacker compromising network security layers and stealing data, that outside attacker is not the only risk. A recent regulated financial institution using one of our products (minor plug: Oracle CASB Cloud Service) with their Microsoft Office 365 rollout was alerted to activities by an entry-level email support administrator. Upon investigating, we learned that this 3rd-party administrator working with Exchange was using a perfectly legitimate feature of Office 365 to monitor the email folders of the organization's board of directors and several officers and then performing stock trades on the information. The customer asked why features like this exist in services, but there are scenarios where this type of capability may be required (e.g. legal discovery of a person’s misbehavior in their email inbox); however, I’m not going to cover all these types of discussions here in my “case notes”. While this case is now moving through legal resolutions, clearly, not a fun surprise.
This financial organization was greatly surprised by missing data from their sanctioned enterprise Box environment. This organization routinely examined Box user activities and data volumes via their perimeter and were quite content. Unfortunately, when we started looking inside their enterprise Box account, only six (yes, SIX!) users were using that service instance while HUNDREDS of others were using other Box accounts (some personal, some departmental, etc.) without the knowledge of information security. Data was leaving the corporate network and going to a sanctioned cloud (InfoSec had monitored that for months), but no other service or staff had put all the data about network activity and sanctioned service usage (or absence of usage) together to reveal a problem. Their perimeter was still completely intact; users and data were going to an approved service, just not in the way they expected. Merely deploying a productivity app in the cloud isn’t enough – monitoring it for usage and adoption is equally important, like this organization learnt the hard way.
Another organization with well-established security and compliance processes was quite startled when Oracle CASB revealed a tremendous amount of activity in their Salesforce environment from an odd location. With them, we performed some forensic examination and discovered that an external service not approved by their InfoSec team was accessing their enterprise Salesforce data (which includes very sensitive customer information) using OAuth approvals by some of the organization's senior sales leaders. This external service was connecting directly to Salesforce via the service’s APIs and was not subject to IP restrictions for accessing the data, was operating with complete administrative control of the environment, and not being monitored at all. Digging a bit further, we found this service was also using the organization's production Salesforce environment to test Alpha and Beta versions of their cloud without any approvals by information security or the audit teams. To return to compliance, this organization had to update their Salesforce configuration to include restrictions on accessing data. They also use Oracle CASB Cloud Service to monitor and assess Salesforce activities by end-users, administrators, and external services, and also alert InfoSec of any configuration shifts to prevent the introduction of new risks.
So, before we head into the night looking for treats and creepy tales, make sure you take a moment to wonder who may not be jumping from the bushes to frighten you.
About the Author: Karl Miller is an experienced security professional with extensive experience across Identity Management, Access Management, Directory Services and Cloud Security. He currently works with the Oracle Cloud Security offerings as a Senior Principal Product Manager for Oracle CASB Cloud Service.
SCOOBY-DOO and all related characters and elements are trademarks of © Hanna-Barbera.