Decentralized data and the increased use of cloud services leave organizations with blind spots in their security perimeter. Employees now have many options to access their organization’s sensitive data. The traditional perimeter, once defined by on-premises security infrastructure, is blurred. A network user can be at home, at a café, or even taking their daily walking exercise and have the same access and opportunity for interaction with corporate data as they would sitting at a desk in a company office.
There is an increasing need for data protection strategies to evolve and meet the security challenges presented by the cloud computing reality. That starts with achieving better visibility into what applications their employees are using, and how they are using them.
What is User Activity Monitoring?
Digital Guardian defines User Activity Monitoring (UAM) as a set of “software tools that monitor and track end user behavior on devices, networks, and other company-owned IT resources.” Organizations implement user activity monitoring solutions to detect and stop insider threats, whether unintentional, negligent, or with malicious intent. The extent and the scope of implementing UAM methods depends on the risk environment of the organization and on the sensitivity and criticality of the assets to be protected. UAM solutions complement identity and access management (IAM) tools to enhance the confidentiality and integrity of cloud-based workloads, apps and data. While IAM platforms ensure that only authorized individuals can access data they have been granted permissions to, UAM solutions help businesses mitigate the risks of privilege abuse.
Organizations implement user activity monitoring to identify suspicious behavior and mitigate risks either before they evolve into damaging data breaches, or at least in time to minimize the consequences of security incidents. User activity monitoring is a form of surveillance, but it shouldn’t be confused with video surveillance of the workplace: UAM records what users do on IT systems, not what they do physically, and the scope of that recording is constrained by local privacy and employment law. UAM serves as a proactive review of end user activity to determine misuse of access privileges or violation of data protection policies, whether through ignorance or with malicious intent.
Why is UAM required?
With on-premises architecture, securing intellectual property, For-Official-Use-Only data, and other sensitive information largely meant securing the perimeter. The cloud, on the other hand, offers unprecedented flexibility and scalability, but it also presents a new, more complex attack surface, since data now passes between on-premises and hosted environments and is reachable from anywhere.
The nature of the cloud means everyone is an outsider. Thus, analytics are crucial for distinguishing legitimate users from malicious ones. A bad actor who steals someone’s credentials rarely reproduces that person’s behavior: they will typically use a different browser, a different endpoint or device, a different location, and act at different times or against different resources. As a result, cloud risks can be mitigated through user behavior analysis, which involves collecting a baseline of “normal activity” per user so that deviations (such as attempting to access restricted files or logging in from an unusual geolocation) can be recognized. The caveat is that baselines must be built from trusted history and re-evaluated over time, since an attacker operating from the victim’s own device and session will look much closer to normal.
A recent survey by Forcepoint of over 600 IT and IT security practitioners, including cloud administrators representing federal agencies, departments, and enterprise organizations indicated that cloud deployments are difficult to manage because of:
- Lack of visibility into resource utilization, metering and monitoring (62%)
- Lack of control or visibility into usage (56%)
Overall, the lack of visibility and governance is a barrier to cloud transformation with only 29% of respondents indicating that their agency has 360-degree visibility to determine when and how sensitive data is collected, processed, and stored in the cloud.
Typical data protection approaches start with a set of rules designed to alert security teams and analysts once a potential data loss has occurred. Such rule matches, often lumped together with Indicators of Compromise (IOCs), tell you that a security policy has been triggered, but the alert arrives after the event and still requires validation and research. False positives result in time-consuming investigations before the true nature of the triggering event is understood.
However, if organizations combine established rules and IOCs with behavioral analytics, they can more effectively detect, prioritize, and respond to areas of concern well before a data breach has occurred. A policy hit that coincides with anomalous behavior for that user deserves immediate attention; a policy hit from a user behaving exactly as usual can be queued for review. Indications of abnormal or anomalous behavior are in this sense the evolution of traditional IOC controls and enable a proactive approach to protecting data in the cloud.
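The following is an added example, not code from the original article or from any UAM product it mentions. It shows the baseline-and-deviation idea from the section above together with the combination of a static policy rule and behavioral context for prioritization. The audit events, the user names, the `finance/` and `hr/` restricted prefixes, and the priority thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real logs). One dict per cloud audit record.
BASELINE_EVENTS = [
    {"ts": "2024-03-04T09:12:00+00:00", "user": "alice", "action": "read", "resource": "projects/roadmap.docx", "country": "US", "device": "lt-alice-01", "agent": "Chrome/120"},
    {"ts": "2024-03-04T10:40:00+00:00", "user": "alice", "action": "read", "resource": "projects/budget.xlsx", "country": "US", "device": "lt-alice-01", "agent": "Chrome/120"},
    {"ts": "2024-03-05T14:05:00+00:00", "user": "alice", "action": "share", "resource": "projects/roadmap.docx", "country": "US", "device": "lt-alice-01", "agent": "Chrome/120"},
    {"ts": "2024-03-04T08:30:00+00:00", "user": "bob", "action": "read", "resource": "hr/onboarding.pdf", "country": "DE", "device": "lt-bob-01", "agent": "Firefox/121"},
    {"ts": "2024-03-05T11:15:00+00:00", "user": "bob", "action": "download", "resource": "hr/handbook.pdf", "country": "DE", "device": "lt-bob-01", "agent": "Firefox/121"},
]
RECENT_EVENTS = [
    {"ts": "2024-03-11T10:02:00+00:00", "user": "alice", "action": "read", "resource": "projects/roadmap.docx", "country": "US", "device": "lt-alice-01", "agent": "Chrome/120"},
    {"ts": "2024-03-11T03:17:00+00:00", "user": "alice", "action": "download", "resource": "finance/q3-forecast.xlsx", "country": "RO", "device": "unknown-7f3a", "agent": "curl/8.4"},
    {"ts": "2024-03-11T11:20:00+00:00", "user": "bob", "action": "download", "resource": "hr/salaries.csv", "country": "DE", "device": "lt-bob-01", "agent": "Firefox/121"},
    {"ts": "2024-03-11T23:45:00+00:00", "user": "bob", "action": "read", "resource": "projects/roadmap.docx", "country": "FR", "device": "lt-bob-01", "agent": "Firefox/121"},
]

# Assumption: a static, rule-based control of the kind the text groups with IOCs.
RESTRICTED_PREFIXES = ("finance/", "hr/")
SENSITIVE_ACTIONS = {"download", "share"}


def build_baseline(events):
    """Per-user sets of countries, devices, user agents and hours (UTC) seen in trusted history."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "agents": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["devices"].add(e["device"])
        p["agents"].add(e["agent"])
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return dict(profile)


def behavioral_deviations(event, profile):
    """Attributes of this event that do not match the user's baseline."""
    base = profile.get(event["user"])
    if base is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in base["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["device"] not in base["devices"]:
        reasons.append(f"new device {event['device']}")
    if event["agent"] not in base["agents"]:
        reasons.append(f"new user agent {event['agent']}")
    if datetime.fromisoformat(event["ts"]).hour not in base["hours"]:
        reasons.append("outside usual hours")
    return reasons


def policy_hit(event):
    """Static rule: sensitive action against a restricted resource."""
    return event["action"] in SENSITIVE_ACTIONS and event["resource"].startswith(RESTRICTED_PREFIXES)


def prioritize(policy, deviations):
    """Policy hit plus anomalous behavior is urgent; behavior alone or policy alone is queued."""
    if policy and deviations:
        return "high"
    if len(deviations) >= 2:
        return "medium"
    if policy or deviations:
        return "low"
    return None


def triage(recent, profile):
    """Answer 'who did what, when and where' for every event that merits an alert."""
    alerts = []
    for e in recent:
        devs = behavioral_deviations(e, profile)
        hit = policy_hit(e)
        prio = prioritize(hit, devs)
        if prio:
            alerts.append({
                "who": e["user"],
                "what": f"{e['action']} {e['resource']}",
                "when": e["ts"],
                "where": f"{e['country']}/{e['device']}",
                "priority": prio,
                "reasons": (["policy: restricted resource"] if hit else []) + devs,
            })
    return alerts


if __name__ == "__main__":
    for a in triage(RECENT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(a["priority"].upper(), a["who"], a["what"], a["when"], a["where"], "|", "; ".join(a["reasons"]))
```

Run as written, the script produces no alert for alice’s routine read, a high-priority alert for the download of a finance file from a new country, device and user agent at 03:17, a low-priority (review) alert for bob downloading an HR file in his usual way, and a medium-priority alert for bob reading a non-restricted file from a new country late at night. A real deployment would replace the constructed lists with the provider’s audit log export and would age out baseline entries rather than keeping them forever.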
Benefits of UAM controls
The goal of any user activity monitoring program should be to find and filter out actionable information that is valuable for protecting data stored in the cloud. Having this kind of intelligence can help you detect and investigate suspicious user activity. You can also find out if users are uploading sensitive data to public clouds, utilizing unauthorized services and applications, or engaging in risky activities while using the company network or resources. User activity monitoring tools are also helpful in ensuring that employees do not take any of your company's confidential information when they are leaving the company.
To make the data collected by UAM solutions as useful as possible, it must be analyzed against the associated risk, established policies, and time and identity context. User activity monitoring can then answer the basic investigative question: who did what, when and where?
Overall, user activity monitoring helps organizations reduce the risk of inappropriate actions that can lead to malware infections or data breaches. By preventing data breaches, organizations can decrease the cost of compliance while gaining valuable insights to improve established security measures.
How a certified cloud security professional can help
User activity monitoring is an important line of defense against data breaches and other cybersecurity compromises in the cloud. A certified cloud security professional can help strengthen their organization’s cloud security posture by following these best practices:
- Obtain buy-in from all corporate stakeholders, from the executives down to the last employee.
- Follow the principle of least privilege: grant privileged access only to the users who need it for their work, and only to the extent and for the time that they need it.
- Wherever required, enforce policies to ensure that account passwords are complex, unique, and are never shared or reused.
- Create strong authentication procedures for privileged accounts, such as two or multi-factor authentication.
- Manage remote access through company-approved protocols and deny the use of cleartext protocols such as FTP, which expose credentials and data in transit.
- Collect and preserve forensic evidence, including capture files, screenshots, and keystrokes, within the bounds of the organization’s monitoring policy and applicable privacy law, and protect that evidence so it cannot be altered by the users it records.
- Educate users on data protection policies as well as effective cloud security habits through ongoing information security awareness programs.
How the CCSP Certification Can Help You to Succeed
The ISC2 Certified Cloud Security Professional (CCSP) is the answer to all your concerns about gaining visibility into the usage of cloud-based assets and data. CCSP is the benchmark of cloud security certifications and is repeatedly recognized as the most valued and well-rounded cloud security certification. CCSP is a vendor-agnostic certification that ensures that certified practitioners have the security knowledge to successfully secure and protect data in any cloud environment. It is CCSP’s unique criteria that has elevated it to a standard that has allowed it to be identified as the premier cloud security certification, providing an advantage in an increasingly competitive corporate landscape.
Attaining CCSP certification shows you have the advanced technical skills and knowledge to design, manage and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures established by the cybersecurity experts at ISC2.
To learn more about how the CCSP credential can help you gain expertise and advance your career, download our white paper Cloud Security Skills Can Take Your Career to Infinity (And Beyond).