The Anthem Health breach has a new wrinkle, and it’s big. It’s called the cloud.
This is now the third recent example we’ve seen of Cloud Storage (also known as “File Sync and Share” or “File Sharing”) housing breached data. The first was Sony – stolen data were housed and shared in “tor” services. The second was reported by Blue Coat in this report – stolen data were housed in CloudMe, a Swedish Cloud Storage app, which also served as the command and control server.
We believe that in Anthem’s case, the Cloud Storage app to which data were shuttled from a database also served as the point of exfiltration.
This is a new and dangerous wrinkle as data breaches and the cloud continue on their collision course. It doesn’t help that there are more than 200 Cloud Storage apps in existence, only about one-quarter of which meet enterprise security, auditability, and business-continuity standards, and only a few of which IT usually knows about. We’ve seen as many as 125 cloud storage apps in use in a single enterprise (the average is 28, according to our Netskope Cloud Report).
What can you do? There are four things we recommend that enterprises do immediately:
- Enforce a DLP policy to block personally identifiable information (PII) from being uploaded to any Cloud Storage app in real time.
- Monitor user uploads to Cloud Storage apps at a category level, not just uploads to the apps you know about or sanction.
- Detect and alert on anomalous uploading to Cloud Storage apps at a category level.
- Make sure that you can go back and quickly build a forensic audit trail after a suspected breach.
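The following is an added example, not code from the original post or from any Netskope product. It shows why the anomaly check above should run at the category level: an upload spread across several Cloud Storage apps stays under a per-app threshold but stands out once the category is summed per user. The record layout, the placeholder app names, and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 1024 * 1024
CATEGORY = "Cloud Storage"

def build_records():
    """Constructed sample upload events: (day, user, app, category, bytes)."""
    recs = []
    for day in range(1, 5):  # four quiet baseline days
        recs.append((day, "alice", "app-sanctioned", CATEGORY, 10 * MB))
        recs.append((day, "svc-db", "app-sanctioned", CATEGORY, 1 * MB))
        recs.append((day, "alice", "webmail", "Webmail", 200 * MB))  # other category
    recs.append((5, "alice", "app-sanctioned", CATEGORY, 12 * MB))
    # Day 5: svc-db spreads 120 MB over three apps, 40 MB each.
    for app in ("app-sanctioned", "app-unknown-1", "app-unknown-2"):
        recs.append((5, "svc-db", app, CATEGORY, 40 * MB))
    return recs

def totals(records, per_app):
    """Sum bytes per (user, key, day); key is the app name or the whole category."""
    out = defaultdict(lambda: defaultdict(int))
    for day, user, app, category, nbytes in records:
        if category == CATEGORY:
            out[(user, app if per_app else CATEGORY)][day] += nbytes
    return out

def anomalies(records, per_app=False, factor=5, floor=50 * MB, min_history=3):
    """Flag days whose total exceeds both `floor` and `factor` x the median of
    that user's earlier days. With under `min_history` earlier days there is no
    baseline, so only the floor applies."""
    alerts = []
    for (user, key), by_day in totals(records, per_app).items():
        for day in sorted(by_day):
            history = [v for d, v in by_day.items() if d < day]
            baseline = median(history) if len(history) >= min_history else 0
            if by_day[day] > floor and by_day[day] > factor * baseline:
                alerts.append((user, key, day, by_day[day]))
    return sorted(alerts)

if __name__ == "__main__":
    recs = build_records()
    print("per-app alerts:  ", anomalies(recs, per_app=True))
    print("category alerts: ", anomalies(recs, per_app=False))
```

Each alert tuple carries the user, day, and byte total, which is the minimum needed to start the forensic audit trail mentioned in the last recommendation.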
We will continue to monitor this and other breaches involving the cloud, and provide advice and how-tos.
About the Author: Krishna Narayanaswamy