As business applications move to the cloud and remote work practices gain momentum, organizations run the risk of leaving the human layer unprotected. The sprawl of cloud applications has paved the way for targeted inbound attacks and data loss. Enter stage right, cloud office security. In this blog, we will go through a simple definition of cloud office security and discuss why industry drivers have made the adoption of cloud office security a necessity for organizations today.
Setting the Stage
We live in a world dominated by remote work, cloud adoption, and digital workflows. This evolution in the way we live and work has resulted in improved organizational agility and a happier (not to mention more efficient) workforce. We send important communications over email, collaborate on Slack, store files in Box, and are able to complete business-critical processes much faster than ever before. However, chinks in this cloud-first armor have begun to appear.
While security technologies have focused on protecting every imaginable layer within cloud security, the most targeted layer is also the most overlooked - the human layer. Humans sit at the center of this collaboration sprawl, talking and writing and performing critical actions that keep businesses running. While all of this context lies unanalyzed, targeted attacks and data loss rear their heads.
Email attacks today are laser-focused and evade traditional detection by targeting human nature. Moving beyond mass phishing and malicious payloads, attackers are now researching their targets before sending socially engineered emails. Attackers impersonate trusted parties or take over legitimate email accounts to induce actions that cause financial and data loss. Over $26 billion has been lost to business email compromise (BEC) attacks over the last three years according to the FBI.
Fig: The rapid rise of business email compromise
Even after deploying a bevy of DLP tools, both direct and lateral data loss are prevalent across organizations today. The desire for speed and productivity usually comes at the expense of data privacy and compliance. Whether inadvertently or maliciously, employees share PII, PCI, passwords, and confidential data - either with outside parties or laterally across email, messaging, and file-sharing services.
A new layer of security controls has emerged to protect the human layer across office applications. Enough stage-setting, let’s introduce cloud office security.
What is Cloud Office Security?
Let’s start off with a simple definition:
“Cloud office security refers to processes and technologies that protect people and data across any channel used for communication and collaboration. These channels include but are not limited to email, messaging, file-sharing, and video communications.”
If we study this definition closely, three terms stand out:
Processes and technologies
Cybersecurity often tends to revert to a silver bullet mentality, but this should tell you that there’s no all-healing panacea for cloud office security. Similar to DevSecOps or Zero Trust, adopting cloud office security requires more than just implementing the relevant technology. It requires strategizing and deploying organizational practices that protect your business workers from losing money or data to socially engineered attacks.
It requires embracing API-first implementation of security controls that are best suited to safeguarding a distributed workforce using distributed cloud apps. It requires democratizing threat triage across employees, enabling workers to mark threats as safe or suspicious to increase alert relevance and reduce alert fatigue for your security team. It also requires empowering end users to classify confidential data and institute universal security controls that recognize the confidentiality of that data across channels.
Simply put, cloud office security is a journey requiring organizational flexibility and organizational discipline in equal measure.
Protect people and data
Traditionally, security products that detect and respond to inbound threats (like phishing and BEC attacks) lie separate from security products that prevent outbound data loss. But if we put people at the center of this security equation, it’s necessary for security controls to tackle both the inbound and outbound halves of this coin.
On the inbound front, cloud office security applications protect against the entire spectrum of targeted attacks including BEC, account takeover, and impersonation. Cloud office security solutions are built to augment the traditional security controls that your email provider might already have (e.g., Exchange Online Protection and Advanced Threat Protection for Office 365 or the Advanced Protection Program for G Suite).
On the outbound front, cloud office security applications prevent the loss of sensitive and confidential data - whether accidental or malicious - both within and across cloud application channels. Cloud office security applications are built to augment and improve upon traditional DLP rules through contextual understanding of data and the people sharing that data.
Fig: An overview of cloud office security
Across any channel
We’ve left the most pertinent point for last. Cloud office security technologies are purpose-built to work across channels including email, messaging, file-sharing, and other cloud application channels.
The cross-channel nature of cloud office security is necessary because the elements it protects - people and data - don’t reside on any one channel today. Analyzing signals across channels gives cloud office security technologies universal context of enterprise communications. This context is vital in addressing concerns where siloed security solutions fall short (e.g., an employee downloading a sensitive document from Slack and sharing it with an outside contractor over email).
Why is Cloud Office Security Needed?
So you’re clear on what cloud office security means, but you’d be justified in asking - so what? Why is cloud office security needed?
In some ways, decades-long technological trends have led us to this point where cloud office security should be a key part of every organization’s security stack.
Rapid (and unsecure) cloud adoption
Most business applications have moved to the cloud, and the ones that haven’t are in the process of being moved. The worldwide public cloud services market is forecast to grow 17% in 2020 to total $266.4 billion, up from $227.8 billion in 2019, according to Gartner, Inc. This is unquestionably a positive trend - cloud adoption improves organizational agility, minimizes the burden of capex investments, and results in a more efficient outlay of resources across the board. However, privileging speed of adoption often comes at the expense of securing these cloud environments and apps.
For instance, recent research from ESG found that 53% of cloud email users believed native email security to be insufficient. Among those organizations, only 23% chose to incorporate additional, third-party controls before migrating to cloud-delivered email. More than one in five (21%) assumed native controls would be sufficient, which proved not to be true, leaving most to add controls post migration.
Over the course of reading this guide, you will probably get five different-sounding notifications from your phone informing you of a Slack message, some emails, an upcoming Zoom meeting, and a Box file someone shared with you. Research from 2018 found that the average business used 1,181 cloud services and the vast majority of those services weren’t completely enterprise-ready.
This is the double-edged sword most organizations have to deal with. Employees access a sprawling ecosystem of third-party apps, resulting in productivity gains and efficient business processes. But this same sprawl has created a large threat surface where any cloud application - and the humans using the application - are potential entry points for targeted attacks as well as potential sources of data leakage.
If you’re reading this guide in 2020, you’re probably reading it from home. But even if we keep force majeure events aside, the nature of work has become increasingly distributed over the years. Research from Global Workplace Analytics found that the number of people working from home grew by 140% from 2007 to 2017. These numbers are sure to increase further now as the world navigates shelter-in-place policies and social distancing.
This rise in remote work will lead to happier, more productive employees. But it also means the security threat surface just exploded. Organizations that could earlier apply stringent perimeter security measures and protect workplace assets now have to deal with people and data spread across the globe.
Socially engineered attacks
While all the aforementioned trends - cloud adoption, cross-channel communication, and telecommuting - have gathered pace, security adversaries have unfortunately not been standing still. Spray-and-pray phishing attacks have given way to the surgical precision of social engineering.
Email attacks today are laser-focused and evade traditional detection by targeting human nature. Moving beyond mass phishing and malicious payloads, attackers are now researching their targets before sending emails that trigger authority, urgency, or fear in the targets’ minds. Attackers impersonate trusted parties or take over legitimate email accounts to induce actions that cause financial and data loss.
BEC is not a single attack type either. Multiple attack types exist within the BEC umbrella, each utilizing a different combination of techniques to get past traditional defenses. Some attack types include:
- Payroll diversion fraud: Targeted emails that fraudulently request a change in direct deposit information to steal from an employee.
- Email account compromise: Attackers take over a legitimate email account through credential phishing. Attackers then use that account for further compromising customers, third-party vendors, and internal employees.
- Vendor email compromise: A ‘long con’ business email compromise attack that exploits legitimate third-party email accounts to further compromise the vendor’s clients.
- Advanced credential phishing: Attackers send emails with malicious zero-day URLs, often masking the final credential phishing site behind multiple redirects and lookalike pages.
We live in a post-GDPR and post-CCPA world where organizations are liable for mishandling of private or sensitive user information - and that’s undoubtedly a good thing. However, even unintentional data violations can result in fines if it’s determined that the offending organization did not provide reasonable data security measures to protect its customers’ personal information.
Keeping in mind the challenges already discussed above - the communication sprawl, a distributed workforce, and cloud apps galore - it becomes very difficult for organizations to avoid accidental data loss. With no one person or application really ‘knowing’ where all the sensitive and confidential information resides, data loss concerns are probably not a surprise.
That’s all we have for now! We hope this has been a useful initiation into the world of cloud office security. If you’d like to learn more about cloud office security drivers and capabilities, read our free guide, The Definitive Guide to Cloud Office Security, below.