Sir Blog-a-lot | Cloud Security

How to reduce insider threat in the cloud.

Written by Laura | 15 March 2024

When it comes to the security of your data and the risk of insider threat, it’s easy to see it could go very wrong, very quickly.

Earlier this year, Jack Teixeira of the US Air Force pleaded guilty to leaking classified military documents to a group on the messaging app Discord – in one of the most serious US national security breaches in years.

So where did it all go wrong? And if the US military can’t get it right, is there really any hope for the rest of us? Yes. Absolutely, yes.

HR issues aside (we’ll come to that later), here are our top six ways to reduce insider threat in the cloud:

1. Just-in-Time Access (JIT) allows users to access the data they need – but only when they need it, and in a pre-determined timeframe. Generally speaking, users don’t need access to all company documents all the time – this takes care of that.

2. The Principle of Least Privilege (PoLP) can be used to control access to data within an organisation – and is particularly useful in reducing insider threat.

3. Zero Trust. It's simple. Trust nothing and no-one. Microsoft’s Zero Trust model covers identities, endpoints, apps, data, infrastructure, and networks, and is based on three core principles:

  • Always assume breach
  • Verify explicitly
  • Ensure least privileged access

4. Privileged Identity Management (PIM) allows you to manage, control, and monitor access to important resources within your organisation. If you’re looking to minimise the number of people with access to secure information or resources, PIM might be the answer.

5. RBAC (role-based access control) helps you manage who has access to an organisation’s resources, what they can do with those resources, and what areas they have access to.

6. Data classification in Microsoft Purview allows organisations to categorise data assets by assigning them with unique logical tags or classes. This makes it much easier to protect sensitive or important data, simply based on its classification – this process is particularly important if you're looking to deploy Copilot into your environment.
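As an added illustration (not code from the original post), here is a small Python audit over constructed Azure-style role assignment records. It flags the patterns the six points above target: standing privileged access that a PIM eligible assignment with JIT activation would remove, activations that outlive a sensible JIT window, and privileged roles granted at subscription scope rather than a narrower one (least privilege). The privileged role set, the scope format, the eight-hour limit and the sample records are all assumptions.

```python
"""Audit role assignments for standing or over-broad privilege (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed set of roles treated as privileged; adjust to your own tenant.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
MAX_ACTIVE_HOURS = 8  # assumed ceiling for a JIT activation window


@dataclass
class Assignment:
    principal: str
    role: str
    scope: str                   # e.g. /subscriptions/<id>/resourceGroups/<rg>
    kind: str                    # "active" (standing) or "eligible" (PIM, needs activation)
    expires: Optional[datetime]  # None means the assignment never expires


def findings(a: Assignment, now: datetime) -> list[str]:
    """Return the policy violations for one assignment (empty list if it is fine)."""
    out: list[str] = []
    if a.role not in PRIVILEGED_ROLES:
        return out  # non-privileged roles are out of scope for this audit
    if a.kind == "active" and a.expires is None:
        out.append("standing privileged access: convert to a PIM eligible assignment (JIT)")
    elif a.kind == "active":
        hours = (a.expires - now).total_seconds() / 3600
        if hours > MAX_ACTIVE_HOURS:
            out.append(f"activation window {hours:.0f}h exceeds the {MAX_ACTIVE_HOURS}h limit")
    # Two slashes means the scope stops at the subscription root.
    if a.scope.count("/") <= 2:
        out.append("privileged role at subscription scope: narrow it to a resource group")
    return out


def audit(assignments: list[Assignment], now: datetime) -> dict[str, list[str]]:
    """Map each principal with at least one finding to its list of findings."""
    return {a.principal: f for a in assignments if (f := findings(a, now))}


# Constructed sample records; placeholder subscription id, not real identities.
NOW = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Assignment("alice@example.com", "Owner", "/subscriptions/sub-0000", "active", None),
    Assignment("bob@example.com", "Contributor", "/subscriptions/sub-0000/resourceGroups/rg-finance", "eligible", None),
    Assignment("carol@example.com", "Contributor", "/subscriptions/sub-0000/resourceGroups/rg-finance", "active", NOW + timedelta(hours=4)),
    Assignment("dave@example.com", "Reader", "/subscriptions/sub-0000", "active", None),
    Assignment("svc-deploy", "Owner", "/subscriptions/sub-0000/resourceGroups/rg-app", "active", NOW + timedelta(days=30)),
]

if __name__ == "__main__":
    for principal, issues in audit(SAMPLE, NOW).items():
        print(principal, "->", "; ".join(issues))
```

Only alice (permanent Owner at subscription root) and the svc-deploy identity (a 30-day activation) are reported; carol's four-hour activation and bob's eligible-only assignment are what JIT and PIM are meant to look like.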

But, the tech can only do so much...

It’s important to note that the Air Force disciplined 15 personnel for failing to take any action about Teixeira’s suspicious behaviour. The tech can only do so much – there is a responsibility across the organisation, and up to Board-level, to reduce business risk – and that includes all users, regardless of talent or seniority (however hard that pill is to swallow). Staff need to be vetted and continually trained, and their access and activity need to be monitored regularly in order to keep those precious business assets away from prying eyes.

Of course, we’re not military experts. And we’re not saying that in our hands, things might have turned out differently... But getting the fundamentals of identity and access management right is absolutely the most important thing you can do to reduce the risk of threat in the cloud – whether that’s from inside or outside your organisation, malicious or otherwise.