IT Security Blog | Rivial Security

Importance of User Access Controls in the Cloud Era

Written by Jacob Blazina | 10 Oct 2019

 

We are in the Cloud Era, and the mass migration of business processes to cloud-based third-parties is not slowing down. Some of the reasons business owners are relying more and more on the cloud:

 

  • Cost Management. Many third party service providers offer tiered pricing models, enabling the organization to pay for only the services that they need, and giving them the ability to scale that cost up or down based on current need and usage.
  • Quality. Most third parties provide a unique and oft-times niche product. This specialization allows them to improve their services faster than an organization would be able to if they were building and maintaining them in house.
  • Security. Moving data and hardware into the hands of a 3rd party allows an organization to lessen their need to focus on physical and cyber security. This opens the door for faster scaling as an organization grows and their security program changes.

 

Although there are many reasons to move business processes to outsourced service providers, this paradigm shift does come with some trade-offs.

 

 

3rd Party Services, all with Web Portals

The nature of web-based service providers calls for a much greater need for User Access Controls. Now, many critical business lines and sensitive data lies in the myriad web portals spread across the World Wide Web. Much of these assets are protected purely be the prolific Login Screen.

 

 

Services talking directly to other services

With the interconnected nature of services, many organizations have their third-party applications interface directly to other third-party applications to enable automated and streamlined business processes. This connectivity opens the risk of chain-reaction incidents. An attacker gaining access to one service through faulty user access controls could potentially affect multiple other services through the back door nature of service-to-service APIs.

 

Social Engineering

With the ever increasing adoption of HTTPS, brute force mitigations, and system-level incident monitoring, it is becoming harder and harder for attackers to compromise systems on a “hacking” level. A lot of security incidents stem from Social Engineering attacks. These attacks target the weakest link in the security chain: people. Leveraging the human nature of trust and curiosity, attackers will go to great lengths to trick an employee to accidentally give up credentials. These attacks often have many steps and be done over the course of weeks or months.

Many times, an employee will have no idea that the website they are entering their login information into is not legitimate until it’s too late. Attackers will find third parties that an organization trusts, and “spoof” their website, most of the time triggered by a “call to action” email or phone call that will prompt the employee to login in response to some event.

 

 

Multi Factor Authentication

Once a single employee account is compromised, an attacker can sometimes start a chain reaction attack by targeting other connected services or employee accounts. Even if the incident is caught and remedied quickly, that attacker already has enough new information to continue the barrage of social engineering attacks on other parts of the organization.

This scenario can be avoided by strong User Access controls and Multi Factor Authentication. But by how much? MFA is now very mainstream and goes a long way to avoid incidents based on compromised user credentials but is not foolproof. Attackers many times now include the MFA process as part of a layered Social Engineering attack strategy, and even popular authentication tools can be compromised on the system and hardware levels.

 

Wrap Up: User Training

With all the advances in technology, the most reliable security measure today is still sometimes.. people. Proper awareness of User Access controls and consistent cybersecurity awareness training of employees to detect and report social engineering probes can go a long way to preventing incidents. With the vast networks of connected service providers, this is ever more important to prevent a single incident from snowballing into something much larger.

 

 

Rivial Data Security knows that a proper security program starts and stops with the most important asset of any organization: the people. Managed Security Training and customized Social Engineering testing, together with simple reporting and informative metrics, can go a long way to achieving a truly robust security program.