With the increasing reliance on cloud services, organizations must ensure their data is protected from potential threats. Varonis Threat Labs has been at the forefront of this effort, providing valuable insights and strategies to enhance cloud security.
Understanding cloud threats
Tal Peleg, a researcher at Varonis, identified various threats to cloud data, explained the shared responsibility model, and presented several vulnerabilities and techniques found in SaaS applications, including Salesforce, Okta, and Copilot, during a Cloud8 presentation.
Cloud8 has played a role in advancing the understanding of risks and best practices for securing sensitive data in SaaS environments. By providing practical insights and tools, they help organizations adopt security frameworks that address their specific needs. Their work complements Varonis Threat Labs' efforts in promoting data protection strategies tailored to modern cloud-based systems. Watch the full presentation below.
This article will provide key takeaways from Tal's presentation, including how to detect and prevent these vulnerabilities and practical steps for securing data in environments like Microsoft 365 and SharePoint.
Who's accountable for protecting data?
In an on-premises environment, organizations are responsible for everything from the hardware to the software running on it, including data and compliance.
However, when moving to an IaaS model, such as Azure, the cloud provider offers hardware and virtualization, while the organization manages virtual machines, networks, and operating systems. In a serverless environment, the cloud provider manages the operating system and runtime environment, but the organization still needs to ensure its software is secure and up to date.
When using SaaS applications, the entire infrastructure is managed by the SaaS provider, but data security remains the organization's responsibility. Cloud vendors cannot know the organization's data or compliance needs, so it is crucial for the organization to manage and protect its data. This shared responsibility model is essential for understanding how to secure data in the cloud.
Traditional Shared Responsibility Model
Key questions to ask about data security
To control their data, organizations need to answer several questions:
- Who can access data?
- Where is the data located?
- What data is stored, and should it be there?
- What does protecting the data entail?
- How can the data be accessed, and what can someone do with it?
Answering these questions requires visibility into cloud services, understanding permissions, monitoring activities, and knowing the classification of the data.
Uncovering vulnerabilities in SaaS applications
In his Cloud8 presentation, Tal highlights critical SaaS vulnerabilities and how attackers exploit them, emphasizing the need for proactive measures to safeguard sensitive organizational data. These insights from Varonis Threat Labds are based on real-world examples and provide practical steps for enhancing cloud security.
Salesforce Public Link Abuse
Salesforce, a well-known CRM system, holds essential records like accounts, leads, users, contracts, and files. These files, often called content documents, can be shared through public links. Varonis discovered an alarming SQL injection vulnerability in the Salesforce API, which could let attackers steal sensitive data. This aligns with the shared responsibility model in cloud security. Providers handle infrastructure and network security, while organizations manage data, identities, and permissions. Tasks like addressing SaaS vulnerabilities and monitoring activities fall to organizations, ensuring comprehensive and proactive data security.
To protect against these threats, organizations should follow the principle of least privileges, limit the creation of public links, use temporary access, and keep an eye on any unusual activities.
Okta and Active Directory:
Several companies use Okta and Active Directory for single sign-on, making access more straightforward. However, if an Active Directory agent is compromised, it could let malicious actors access the identity provider and move freely between on-premises and cloud environments.
To spot these attacks, organizations should check for inconsistencies between Active Directory and Okta authentication logs. Using strong authentication methods, following security best practices, and using temporary credentials can help reduce the risk of compromised credentials.
Copilot blast radius exploitation
Copilot, an advanced AI-powered productivity assistant, integrates seamlessly with Microsoft 365 platforms like SharePoint to revolutionize workflow efficiency. Leveraging natural language processing and machine learning algorithms, it simplifies complex tasks, accelerates data retrieval, and enhances collaboration.
However, as with any AI-driven tool, its capabilities pose potential risks, highlighting the importance of robust data governance and cybersecurity measures in mitigating vulnerabilities and securing sensitive information.
Copilot can index SharePoint sites and reveal data to users, which can be misused by malicious actors or insider threats who ask Copilot for sensitive information. To minimize this blast radius, organizations should watch out for dangerous prompts, separate public and sensitive data, and apply attribute-based access controls.
Practical steps for securing data in SaaS applications
Securing SaaS applications is essential for modern organizations that rely heavily on cloud-based tools for daily operations. A proactive approach includes implementing strong authentication methods, restricting unnecessary access, and continuously monitoring for anomalies. Additionally, it is critical to apply the principle of least privilege, enforce robust data-sharing policies, and regularly audit permissions to ensure sensitive information remains protected. With these strategies in mind, organizations can better safeguard their data across various platforms.
When it comes to Microsoft 365, its widespread use makes it a prime target for potential threats, underscoring the need for specific measures tailored to its environment.
Microsoft 365:
- Block the creation of public links in SharePoint and enforce sharing with specific people
- Review and revoke unused access permissions periodically
- Use phishing-resistant, passwordless authentication methods
- Perform segregation of duties with separate accounts for administrative tasks
- Monitor for threats and unused access
- Organizations can create conditional access policies in Microsoft Entra to enforce authentication strength and manage access to sensitive files in SharePoint.
Taking action on cloud security
Cloud security is a shared responsibility, and proactive measures are essential to protect data.
By understanding the shared responsibility model, asking the right questions, and implementing best practices, organizations can enhance their cloud security posture. It is important not to be overwhelmed by the complexity of cloud security; instead, use secure controls and monitor data movement to keep data safe.
Take the next step in securing your data by getting a free Data Risk Assessment from Varonis today. Our experts will help you identify vulnerabilities, enhance your security protocols, and ensure your data remains protected.
