Of the 15 percent of workers who changed or lost their jobs in the past year, half took confidential company data with them – and 52 percent didn’t view the use of such documents as a crime. A lack of security can impact an organization’s growth and innovation, making it more difficult to meet workforce and customer needs. 

With more visibility into insider threats, organizations can increase trust by driving bad actors out and improving their overall security posture. Below are the top five events that organizations monitor cloud applications for and how they can help to promote good security hygiene within a company.

1. What’s Being Exported?

Employees can extract large amounts of sensitive data from Salesforce and other cloud applications by exporting reports. Users can run reports on nearly anything within Salesforce, from contacts and leads to customers. And those reports can be exported for easy reference and analysis.

However, such data extractions can make a company vulnerable to data theft and breaches. Departing employees may choose to export a report of customers, using the list to join or start a competitive business.

However, monitoring for exports can help an organization:

• Quickly spot team members who may be stealing data for personal or financial gain and stop the exfiltration of data before more damage occurs.
• Keep sensitive customer, partner and prospect information safe and secure, increasing trust with your customers and meeting key regulations and security frameworks (e.g., PCI-DSS).
• Detect potential instances of compromised credentials and deactivate compromised users.
• Reduce the cost of a data breach by more quickly spotting and remediating the activity.

2. What Reports Are Being Run?

Though the top security issue monitored by organizations is which reports are being exported, simply running a report could create a potential security issue. The principle of least privilege dictates that people only be given the minimal amount of permissions necessary to complete their job – and that applies to data that can be viewed.

But many companies grant broad access across the organization, even to those whose job does not depend on viewing specific sensitive information.

If you look at which reports have been run, top report runners and report volume, you can track instances where users might be running reports to access information that’s beyond their job scope. Users may also be running – but not necessarily exporting – larger reports than they normally do or than their peers do.

Finally, monitoring for personal and unsaved reports can help close any security vulnerability created by users attempting to exfiltrate data without leaving a trail. Whether it’s a user who is attempting to steal the data, a user who has higher access levels than necessary, or a user who has accidentally run the report, monitoring for report access will help you spot any additional security gaps or training opportunities.

3. Who’s Logging in, When and From Where?

Looking at login activity may show you some hidden gems of application interaction. Terminated users who have not been properly deprovisioned may be able to gain access to sensitive data after employment, in the case of a departed employee, or at the end of a contract with a third party. Login activity can also tell you a user’s location, hours, devices and more – all of which can uncover potential security incidents, breaches or training opportunities.

So then, companies can secure data from theft by a former employee or contractor by monitoring for inactive users logging in. Login activity can also tell you whether employees are logging in after hours or from a remote location. This may be an indicator of an employee working overtime – but it may also be a red flag for a departing employee, logging in after hours to steal data, or of compromised credentials.

4. What Profiles and Permissions Were Changed?

In cloud applications, profiles and permissions regulate what a user can and cannot do. For example, in Salesforce, every user has one profile but can have multiple permissions sets. The two are usually combined by using profiles to grant the minimum permissions and access settings for a specific group of users, then permission sets to grant more permissions to individual users as needed. Profiles control object, field, app and user permissions; tab settings; Apex class and Visualforce page access; page layouts; record types; and login hours and IP ranges.

In some companies, all users enjoy advanced permissions; others use a conservative approach, granting only the permissions that are necessary for that user’s specific job roles and responsibilities. But with over 170 permissions in Salesforce, for instance – and hundreds or thousands of users – it can be difficult to grasp the full scope of what your users can do in Salesforce.

5. What Users Are Created or Deactivated?

One aspect of managing users is the ability to create and deactivate them. Organizations can monitor for deactivation – which, if not done properly after an employee leaves the organization, may result in an inactive user gaining access to sensitive data or an external attacker gaining hold of their still-active credentials. For this and other cloud applications, a security issue may also arise when an individual with administrative permissions creates a “shell,” or fake user, under which they can steal data. After the fact, they can deactivate the user to cover their tracks.

Security teams monitor for user creation as another way to keep an eye on any potential insider threats. And by keeping track of when users are deactivated, you can run a report of deactivated users within a specific time frame and correlate them with your former employees (or contractors) to ensure proper deprovisioning. Monitoring for creation and/or deactivation of users is also required by regulations like SOX and frameworks like ISO 27001.

Visibility is Security

Today’s businesses often use cloud computing as a central point of business, handling workflows involving customer and prospect data, HR, accounting, IT, sales and more. But with an ever-more-complex web of cloud-based business systems comes a lot more user activity. As a result, many organizations have begun looking for ways to monitor how users are interacting with cloud applications and customer data – using the audit logs available in many cloud applications. Use this data to your security advantage, increasing visibility into exactly what’s going on within your cloud-based applications.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.