Often in the world of cyber security, many G Suite administrators focus on outside threats that exist on the perimeter of the data center. The risks presented to organizations from outside threats are very real, whether in the form of an attacker, or a malicious bit of code trying to infiltrate vital systems. However, it is often the case that dangerous cloud insider threats come from within the internal networks used by organizations for business-critical functions. Insider threats are very real and need to be addressed accordingly.
Even though public cloud resources exist “outside” the walls of an organization’s on-premise resources, public cloud “insider threats” must be taken seriously. G Suite administrators looking to be proactive with any security concerns found in the G Suite environment must take threats coming from end users very seriously. This involves putting in place not only policies but also technology solutions that can bolster G Suite security from the inside. Typically, this involves G Suite administrators getting a handle on what end users are doing “inside” the G Suite environment, including login activity, as well as any suspicious activity that may indicate a rogue employee who may be attempting to compromise G Suite environment data or domain security. SpinOne provides powerful Insider Threats Control technology that allows G Suite administrators to successfully have visibility and be alerted to these threats.
Cloud Insider Threats – A Serious G Suite Security Concern
Organizations that simply rely on end-users to follow policy are asking for trouble. While not trying to stereotype honest employees, who bring tremendous value to organizations today, there is a small subset of end users who may develop malicious intentions either because of becoming compromised in some way or becoming disgruntled for one reason or another. Otherwise, even honest employees may make mistakes that may jeopardize overall company security. In analyzing a vast number of cloud security breaches, security firms have verified in most cases an insider may be involved in some capacity either knowingly or unknowingly.
Today with companies scaling out and utilizing public cloud resources as well as on-premise resources, it becomes more and more difficult to know exactly where data lives. Also, knowing who has access to which resources and which data may be shared with the outside is a challenge. With public cloud resources, often with a few clicks, if not moderated, employees can potentially share very sensitive data outside the company even without knowing it.
Malicious, abnormal, or harmful end-user activity is hard to detect since most often it is masked along with legitimate activity coming from normal end-user traffic. Also, it is difficult to distinguish between risk presented by an end user with malicious intentions versus an end user who is simply negligent. Realistically there is no difference. Either way, organizations that take insider threats lightly are doomed for trouble and potentially data loss or leak.
The financial impact to organizations from insider threats and the damage they may cause can be tremendous. Systems can potentially be damaged and data may have to be recovered. Depending on RPO and RTO times defined by organizations, this may result in downtime, loss of customer confidence, tarnished reputation, etc. This underscores the importance for organizations to take insider threats seriously. Companies today must give due diligence to this security concern.
G Suite administrators must have the visibility they need to monitor end-user activity, what data they are sharing, what risky third-party apps they are installing, inordinate failed login attempts, and where logins are coming from. A G Suite administrator may have end-users who are spread across the globe and access data from any number of devices. Manually attempting to police data access and insider threats would be impossible.
G Suite administrators must be alert to all types of insider threats coming from these various end-users. This includes having visibility to insider threats. By using powerful Data Loss Prevention (DLP) solutions for G Suite such as provided by SpinOne, G Suite administrators can leverage powerful machine learning and automated processes to discover and gain visibility to these types of threats. Let’s see how by leveraging SpinOne Insider Threats Control, G Suite administrators can effectively moderate end-user activity.
SpinOne DLP: Cloud Insider Threats Control Overview
Best practices for G Suite administrators providing recommended security to the G Suite public cloud environment include:
- Appropriate Security Policies and training in place to enforce company security policies
- Assign users with the least privileged access
- Have strict password and account management policies and practices
- Have appropriate logging, monitoring, and auditing of employee actions
- Monitoring suspicious employee behavior
- Providing backups of business-critical G Suite data
- Implementing threat controls to remediate threats
SpinOne provides the powerful DLP tools that allow G Suite administrators to have the visibility to insider threats coming from end-user activity within the G Suite environment. Part of the “single pane of glass” view that SpinOne gives to G Suite administrators includes Cybersecurity tools including the Domain Audit dashboard. Using this view, G Suite administrators can see a global overview of all user actions in real-time as well as an automated risk assessment evaluated by SpinOne.
SpinOne Domain Audit provides powerful visibility and filtering based on risk level
G Suite Administrators can select various risky behaviors to filter the Domain Audit view
The SpinOne Domain Audit dashboard gives granular detail to the activity of end-users including the following:
- When the action occurred (date and time)
- Automated risk assessment (high, medium, low, or informational)
- G Suite user
- The action of users (login, transfer of data, data download, data sharing, or authorization)
- Which application was associated with the action
- G Suite user IP address
- The IP geolocation of the G Suite user (country/city)
G Suite Administrators can also see all activity of a particular G Suite user
Insider threats that are detected by utilizing SpinOne automated threat control:
- Detection of G Suite user sharing information to a user outside the G Suite organization
- Abnormal login activity of a G Suite user account
- Transferring data from the G Suite cloud storage to a private cloud storage provider
- Downloading G Suite organization data to a local storage device
- Installation of risky third-party apps.
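To make the audit fields and detection categories above concrete, the following is an added example, not SpinOne's code or logic. It runs simple rules for external sharing, abnormal logins and data downloads over constructed audit events. The organization domain, the failed-login threshold, the extra "detail" field and the risk levels assigned are all assumptions.

```python
from collections import Counter, defaultdict

ORG_DOMAIN = "example.com"   # assumption: the organization's own domain
MAX_FAILED_LOGINS = 3        # assumption: failures per user that trigger a flag
FIELDS = ("time", "user", "action", "app", "ip", "country", "detail")

# Constructed sample events; "detail" (login result or share recipient) is an assumed extra field.
RAW = [
    ("2020-03-02T08:01:00Z", "alice@example.com", "login", "Gmail", "192.0.2.10", "US", "ok"),
    ("2020-03-02T08:15:00Z", "alice@example.com", "data sharing", "Drive", "192.0.2.10", "US", "bob@example.com"),
    ("2020-03-02T09:30:00Z", "alice@example.com", "data sharing", "Drive", "192.0.2.10", "US", "partner@external.test"),
    ("2020-03-02T10:00:00Z", "bob@example.com", "login", "Gmail", "203.0.113.5", "US", "failed"),
    ("2020-03-02T10:00:20Z", "bob@example.com", "login", "Gmail", "203.0.113.5", "US", "failed"),
    ("2020-03-02T10:00:40Z", "bob@example.com", "login", "Gmail", "203.0.113.5", "US", "failed"),
    ("2020-03-03T02:12:00Z", "alice@example.com", "login", "Gmail", "198.51.100.77", "DE", "ok"),
    ("2020-03-03T02:20:00Z", "alice@example.com", "data download", "Drive", "198.51.100.77", "DE", ""),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

def assess(events, org_domain=ORG_DOMAIN):
    """Return (time, user, risk, reason) for each event matching a risky pattern."""
    findings = []
    countries = defaultdict(set)   # countries each user has logged in from so far
    failures = Counter()           # failed logins per user
    for e in sorted(events, key=lambda ev: ev["time"]):
        user, action, hit = e["user"], e["action"], None
        if action == "login" and e["detail"] == "failed":
            failures[user] += 1
            if failures[user] == MAX_FAILED_LOGINS:
                hit = ("medium", "repeated failed logins")
        elif action == "login":
            if countries[user] and e["country"] not in countries[user]:
                hit = ("high", "login from new country " + e["country"])
            countries[user].add(e["country"])
        elif action == "data sharing":
            if not e["detail"].lower().endswith("@" + org_domain):
                hit = ("high", "shared with external user " + e["detail"])
        elif action in ("data download", "transfer of data"):
            hit = ("medium", action + " from " + e["app"])
        if hit:
            findings.append((e["time"], user) + hit)
    return findings

if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(*finding, sep=" | ")
```

Treating the first country a user logs in from as the baseline is a deliberate simplification; a real deployment would build the baseline from a longer history.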
Utilizing new SpinOne custom security policies allows G Suite administrators to define the scope, actions, and alerting of various risky behavior and potential security threats.
Benefits of using SpinOne DLP for Insider Threats Control
The powerful Insider Threats Audit provided by SpinOne integrates seamlessly with the entire suite of data loss protection and data leak prevention provided. In fact, it is but one of the many tools provided to organizations looking to protect business-critical data with cloud to cloud backups, ransomware protection, risky third-party apps control, and sensitive data control.
SpinOne is uniquely providing all of the aforementioned tools to G Suite administrators in a single product that allows G Suite administrators to have the visibility to insider threats but also moderate and remediate any end-user activity that is deemed risky. What potential situations can the Insider Threats Audit help to avert?
- A less than honest employee attempts to download all data he/she has access to from G Suite storage to personal storage in an attempt to collect the data before leaving the company
- An employee either knowingly or mistakenly grants sensitive data access to a risky third-party application
- An employee provides access to sensitive data to someone who is unauthorized to view the data outside the organization.
- A user account is compromised and network access is arriving from a non-standard location
- An inordinate amount of login attempts for a particular user are being denied access
In all of the above scenarios, the Domain Audit dashboard gives G Suite administrators the visibility to quickly discover potential security emergencies and to quickly revoke access for those activities. Just as important, SpinOne proactively alerts G Suite administrators to the defined risks it identifies, with security alerts delivered by email as well as to Slack.
If we think about the benefit to G Suite administrators of being able to proactively receive alerts as well as have automated visibility to end-user activity with risk assessed on the fly, organizations utilizing SpinOne are provided tremendous benefits to overall G Suite security.
Organizations implementing G Suite security best practices in today’s hybrid cloud infrastructures have many challenges to meet. Not only do threats to data security come from the perimeter network, they also lurk inside the “trusted” environments of organization networks. Company employees, affectionately deemed “end users” can bring a wide array of security vulnerabilities to the forefront. Employees may unknowingly open an organization up to security vulnerabilities by making legitimate mistakes and neglecting to follow security guidelines or policies. Outright malicious employees may have ulterior motives to leak or compromise company data in some form or fashion. Either way, the risk is no different as the results can be the same. Data can be leaked or compromised, resulting in damage to the company and/or liability legally or financially.