Compromised Accounts and Cloud Activity | Cloud industry forum

On Tuesday, we released our first-ever Netskope Cloud Report for Europe, Middle East and Africa. The report highlights useful statistics about enterprise cloud apps, including that enterprises in the region have an average of 511 cloud apps in use – 10 times as many as IT expects – and more than 15 per cent of enterprises have more than 1,000 apps.

Perhaps the most interesting finding in the report is on compromised user accounts. In our January Cloud Report we estimated, based on our research, that 15 per cent of enterprise users have had their credentials stolen in a prior data breach. This quarter, we report that the figure is 13.6 per cent over the report’s time period. We also correlate that data with the active usage data in our cloud. When you marry activity-level security analytics with data on compromised accounts, the risk picture becomes significantly clearer.

Among the more interesting findings from the report is that 23.6 per cent of logins to Customer Relationship Management apps are by users who have had their account credentials (personal or corporate) compromised in a prior major data breach. While many IT and security organisations ensure that these types of important corporate apps are monitored and secured with an identity management solution, it’s an important reminder that users re-use logins and passwords across multiple accounts. It’s also important to note that for every one of these sanctioned apps, there are often dozens of ecosystem apps connected to it. So even if the corporate CRM app is well-secured, what about the apps that integrate with it? 

Another key finding is that 70 per cent of data uploads by users with compromised accounts are to apps that are rated “poor,” according to the Netskope Cloud Confidence Index (an objective yardstick adapted from the Cloud Security Alliance’s Cloud Controls Matrix), as compared with 30 per cent for an average user. Monitoring cloud activity at the intersection of compromised users and risky apps goes a long way toward understanding security threats related to cloud apps: uploads to risky apps could signal data exfiltration, downloads could be malware, and excessive activity could indicate a hijacked account. Looking at these pockets of activity can help you identify problems quickly.

These are just a couple of examples to show the importance of understanding not just how many users with compromised accounts you have in your environment, but also how those users are interacting with your cloud apps and business-critical data.
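
The correlation described above, joining a list of compromised users with per-app activity and app ratings, can be sketched as follows. This is an added example, not code from Netskope or the report; the event layout, user and app names, rating labels other than "poor", and the burst threshold are all assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data. Field layout, app names and every rating label
# other than "poor" are assumptions made for this example.
COMPROMISED = {"alice@example.com", "dave@example.com"}  # users matched to a prior breach
APP_RATING = {"crm-suite": "high", "corp-storage": "high",
              "filedrop-x": "poor", "pdf-merge": "poor"}
EVENTS = [  # (user, app, activity)
    ("alice@example.com", "crm-suite", "login"),
    ("alice@example.com", "filedrop-x", "upload"),
    ("alice@example.com", "filedrop-x", "upload"),
    ("alice@example.com", "corp-storage", "upload"),
    ("bob@example.com", "corp-storage", "upload"),
    ("bob@example.com", "corp-storage", "upload"),
    ("bob@example.com", "pdf-merge", "upload"),
    ("carol@example.com", "crm-suite", "login"),
    ("dave@example.com", "pdf-merge", "download"),
] + [("dave@example.com", "crm-suite", "download")] * 14

def is_risky(app, ratings):
    # An unrated ecosystem app is treated as poor rather than trusted.
    return ratings.get(app, "poor") == "poor"

def poor_upload_share(events, ratings, user_filter):
    """Fraction of uploads by the selected users that go to poor-rated apps."""
    apps = [app for user, app, act in events if act == "upload" and user_filter(user)]
    return sum(is_risky(a, ratings) for a in apps) / len(apps) if apps else 0.0

def triage(events, compromised, ratings, burst_factor=3):
    """Map each compromised user to the risk signals seen in their activity."""
    per_user = Counter(user for user, _, _ in events)
    threshold = burst_factor * median(per_user.values())
    findings = defaultdict(set)
    for user, app, act in events:
        if user not in compromised:
            continue
        if act == "upload" and is_risky(app, ratings):
            findings[user].add("exfil-risk")      # upload to a poor-rated app
        if act == "download" and is_risky(app, ratings):
            findings[user].add("malware-risk")    # download from a poor-rated app
        if per_user[user] >= threshold:
            findings[user].add("hijack-risk")     # far more events than the median user
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in sorted(triage(EVENTS, COMPROMISED, APP_RATING).items()):
        print(user, sorted(reasons))
```

`poor_upload_share` computes the same kind of ratio as the report's upload statistic, so it can be compared between compromised and other users in your own logs.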