When it comes to cloud security, enterprise employees can be their own worst enemy, especially when organizations stray too far from least-privilege models of access.
Data exposures have been a constant topic of news recently — often blamed on cloud misconfigurations — and have led to voter records, Verizon customer data and even army secrets being publicly available in cloud storage.
In a Q&A, BetterCloud CEO and founder David Politis discussed why SaaS security has become such big news and how enterprises can take control of these cloud misconfigurations in order to protect data.
Editor’s note: This conversation has been edited for length and clarity.
There have been quite a few stories recently about cloud misconfigurations leading to exposures of data. Do you think this is a new issue or just something that is becoming more visible now?
David Politis: This is an issue that has been around really since people started adopting SaaS applications. But it’s only coming out now because, in a lot of cases, the misconfigurations are not identified until it’s too late. In most cases, business configurations were in place when the stock application was deployed, or they were in place when the setting was changed years ago or six months ago, and it’s not until some high-profile exposure happens that the organization starts paying attention to it.
We’ve actually seen this recently. We had a couple of customers that we’re talking to for, in one case, three years. And we told them three years ago, ‘You’re going to have issue X, Y and Z down the line, because you have too many administrators and because you have this issue with groups. And for three years, it has been living dormant, essentially. And then, all of a sudden, they had an issue where all their groups got exposed to all the employees in the company. It’s a 10,000-person company, where every single employee in the entire company could read every single email distribution list.
Similarly, another company that we’ve talked to for a year came to us three weeks ago and said, ‘I know you told us when we’re going to have these problems, where we just had one of the super admins that should not have been a super admin incorrectly delete about a third of our company’ — they’re about 3,000-person company — ‘and a third of the company just was left without email, without documents and without calendars and thought they got fired.’
A thousand people, in a matter of minutes, thought they got fired, because they had no access anything. And they had to go and restore that app. Fifteen minutes of downtime for 1,000 people is a lot of confusion.
We’ve seen these types of incidences, and we’re seeing it in these environments. This is why we started the company almost seven years ago now. But only now has the adoption of these SaaS applications reached critical mass enough to where these problems are happening at scale and people are reporting it publicly.
You mention different SaaS security issues that can arise from cloud misconfigurations. Are these data exposure stories overshadowing bigger issues?
Politis: It’s more of the inadvertent piece is what makes this so challenging. And this is not malicious. There are malicious actors, but a lot of these situations are not malicious. It’s misconfiguration or just a just a general mistake that someone made. Even deleting the users is just a result of having too many administrators, which is a result of not understanding how to configure the applications to follow a least-privilege model.
I think, even if it’s a mistake, the kind of data that can be exposed is the most sensitive data, because we’ve hit the tipping point in how SaaS applications are being used. The cloud, in general, is being used as a system of record. If we go back maybe five years ago, six years ago, I’m not sure we’re at the point where cloud was being trusted as a system of record. It was kind of secondary. You could put some stuff there, maybe some design files, but now you have your [human resources] files.
Recently, we did a security assessment for a customer, and what we found was that all the HR files that they had lived in a public folder in one of their cloud storage systems. And it was literally all their HR files, by employee. That was this configuration that was definitely not malicious, and that’s as bad as it gets. We’re talking about Social Security numbers. We were finding documents such as background checks on employees that were publicly available files. And if you knew how to go find them, you could pull that up.
That, I’d argue, is worse than people’s email being deleted for 15 minutes — and, again, completely by mistake. We spoke to the company, and the person in charge of HR was just not very familiar with these cloud-based systems. And they just misconfigured something at the folder level, and then all the files that they were adding to the folder were becoming publicly available. And so I think it’s more dangerous there, because you’re not even looking for a bad actor. It’s just happening. It’s happening day in, day out, which I think is harder to catch actually.
Should all enterprises assume there is a cloud misconfiguration somewhere? How difficult is it to find these issues?
Politis: I can say from our experience that are nine out of 10 environments that we go into — and it doesn’t matter the size of the organization — have a major, critical misconfiguration somewhere in their environment. And it is possible, in most cases, to find the misconfiguration, but it’s a little bit like finding a needle in a haystack. It requires a lot of time to go through, because the only way to do it is to go page by page in the admin console; it’s to click on every setting to look at every group, look at every channel and look at every folder. And so unless you’re doing it programmatically, right now, there are not many [other] ways to do it.
This is self-serving, but this is why we built BetterCloud is to identify those blind spots. That’s because there’s a real need. When we went to look at these environments and we started logging into Salesforce and Slack and Dropbox and Google, it could take you months to go through an environment of couple hundred employees and just check all the configurations and all the different areas, because there [are] so many places where that misconfiguration can be a problem.
The way that people have to do it today is do it manually. And it can take a very long period of time [depending] on how big an organization is, how long they’ve been using the SaaS applications, how much they’ve adopted cloud in general, and the sprawl of data that they have to manage and, more importantly, the sprawl of entitlement, configuration settings, permissions across all the SaaS.
And we’re seeing a large portion of that is not even IT’s fault. The misconfigurations may predate that IT organization in many cases, because the SaaS application has been around for longer than that IT organization or that IT leader.
In many cases, it may be the end users who are misconfiguring, because they have a lot of control over these applications. It could be that it started a shadow IT, and it was configured by a shadow IT in a certain way. When the apps are taken over by the IT organization, a lot of that cleanup of the configuration isn’t done, and so it doesn’t fit within the same policies that IT has.
We also have a lot of customers where the number of admins that they have is crazy, because sales operations were the ones responsible for that and, generally speaking, it’s easier to make everyone an admin and let them make their own changes, let them do all of that. But when IT openly takes over the security and management of Salesforce, the work required to go find all the misconfiguration is really hard. That goes for Dropbox, Slack and anything that starts as shadow IT; you’re going to have those problems.