Protect Access to Data in the Cloud

Senior Director, Digital Forensic & E-Discovery
BS, EnCE, DFCP

Don’t Let the Cloud Rain on your Parade

With all of the benefits that working in “the cloud” brings, it is no surprise that many companies are moving more of their work there. Offloading the management of physical hardware, data access and server updates saves companies time and lets staff reach their data whether they are in the office or not. But with that access come challenges in cloud data protection.

Traditionally, when Vestige was tasked with a forensic analysis to determine whether a departing employee took data that a company considered confidential, Vestige would analyze the departing employee’s work computer to determine what may have been taken via USB or personal email. Occasionally we might see evidence that the employee used Dropbox, Google Drive or a similar service.

How the cloud has changed Digital Forensic Analysis

Today, this analysis is different. When a company uses something such as OneDrive as its standard corporate repository, the analysis now has to parse the access to data in OneDrive and work with the client to determine which of that access may or may not have been illicit.

While the typical use of OneDrive is via the company computer while in the company office, the nature of OneDrive as a cloud repository opens the ability to access the data from anywhere, on any device. OneDrive can be accessed by a company computer while at the company office, while at home, or while traveling. OneDrive can also be accessed by a home computer. The OneDrive account could even be accessed by a computer at the company to which the departing employee is going! Don’t get me wrong, OneDrive is a great tool, but like other great tools there is the responsibility to see that it isn’t used in contradiction to company policies.

The Importance of Conditional Access in your Company Policies

Let’s start with those last words, “company policies.” Does your company have a company policy surrounding the use of OneDrive? If not, your company may wish to engage your legal representative and human resources to devise a policy that meets your needs. That written policy will be the first building block upon which electronic policies and other governing actions are taken.

Now, how does a company take it to the next step? Welcome to conditional access policies! Resources such as Google Drive, OneDrive and Amazon Web Services (AWS) allow the use of conditional access policies to restrict access to a company’s cloud resources beyond just the use of usernames and passwords (and MFA, you do have MFA, right?).

With conditional access policies, an organization can restrict access to cloud resources (depending on which cloud resources) based on the following:

  • Is the device enrolled in MDM (Mobile Device Management)?
  • Is the storage (hard drive) on the device encrypted?
  • What time of day is the data being accessed?
  • From what IP address is the data being accessed?
  • What is the MAC (Media Access Control) address?

There are other ways to restrict access as well. The point is to use these tools to protect your data in the cloud by limiting the devices that can access it.
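To make the decision logic behind a conditional access policy concrete, here is a small evaluator written for this article (it is not code from Vestige, Microsoft or Google, and it is not any vendor’s policy API). It models the five checks listed above as requirements that a sign-in must all satisfy, with a default-deny result; the policy values, user names, IP ranges and MAC addresses are constructed for illustration.

```python
"""Illustrative conditional-access evaluator (added example, not a vendor API).

Models the conditions the article lists: MDM enrolment, disk encryption,
time of day, source IP range and hardware (MAC) address. Real products
(Entra ID Conditional Access, Google Workspace context-aware access)
express these differently; this is a teaching model only.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass
class AccessRequest:
    """What the policy engine knows about one sign-in attempt (constructed)."""
    user: str
    mdm_enrolled: bool
    disk_encrypted: bool
    local_time: time
    source_ip: str
    mac_address: str


@dataclass
class ConditionalAccessPolicy:
    """Every field is a requirement; a request must satisfy all of them."""
    require_mdm: bool = True
    require_encryption: bool = True
    allowed_hours: tuple = (time(6, 0), time(22, 0))    # local business window
    allowed_networks: list = field(default_factory=list)  # CIDR strings
    # Registered device hardware addresses, lower-case. Caveat: a cloud
    # service never sees a MAC on the wire; it only learns one through a
    # device agent or MDM inventory, which is why MDM is usually the anchor.
    allowed_macs: set = field(default_factory=set)

    def evaluate(self, req: AccessRequest):
        """Return (granted, reasons). Default deny: any failed check blocks."""
        reasons = []
        if self.require_mdm and not req.mdm_enrolled:
            reasons.append("device not enrolled in MDM")
        if self.require_encryption and not req.disk_encrypted:
            reasons.append("device storage not encrypted")
        start, end = self.allowed_hours
        if not (start <= req.local_time <= end):
            reasons.append(f"access at {req.local_time} is outside {start}-{end}")
        if self.allowed_networks:
            addr = ip_address(req.source_ip)
            if not any(addr in ip_network(net) for net in self.allowed_networks):
                reasons.append(f"source IP {req.source_ip} not in allowed networks")
        if self.allowed_macs and req.mac_address.lower() not in self.allowed_macs:
            reasons.append("MAC address not on the registered device list")
        return (not reasons, reasons)


# Constructed policy: office network 203.0.113.0/24 and one registered laptop.
OFFICE_POLICY = ConditionalAccessPolicy(
    allowed_networks=["203.0.113.0/24"],
    allowed_macs={"aa:bb:cc:dd:ee:01"},
)

if __name__ == "__main__":
    # Managed laptop in the office during the day: granted.
    office = AccessRequest("jdoe@example.com", True, True, time(10, 30),
                           "203.0.113.10", "AA:BB:CC:DD:EE:01")
    # Unmanaged home PC at 02:15 from an outside address: denied, with reasons.
    home = AccessRequest("jdoe@example.com", False, True, time(2, 15),
                         "198.51.100.7", "de:ad:be:ef:00:01")
    for req in (office, home):
        granted, reasons = OFFICE_POLICY.evaluate(req)
        print(req.source_ip, "GRANTED" if granted else "DENIED", reasons)
```

The reasons list is the part worth keeping in a real deployment: a denied sign-in that records *why* it was denied is itself an audit trail of attempted access from unmanaged devices.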

But whether you use conditional access policies or not, a departing employee still has the opportunity to use an authorized device to take data. It is in this situation that a forensic analysis can help determine what was taken, but only if you are collecting the right data. In the case of OneDrive, the unified audit log will record evidence of files being downloaded from OneDrive. In client cases we have taken on, however, not everyone has the unified audit log turned on, or they do not have it configured to retain enough data to go back 3, 6 or more months to support a more thorough analysis. Google Drive also allows auditing of actions, including downloading of data.
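As an added example of what the analysis looks like once the unified audit log is in hand (this is not Vestige’s tooling), the script below triages OneDrive download events and then checks whether the log actually reaches back as far as the investigation needs. It assumes records in the AuditData JSON shape that Search-UnifiedAuditLog and the Office 365 Management Activity API return (fields such as Operation, Workload, UserId, ClientIP, SourceFileName and CreationTime); the records, users, file names and addresses are constructed, and the “corporate” range 203.0.113.0/24 is an assumption.

```python
"""Triage of Microsoft 365 unified audit log records for OneDrive downloads.

Added example for this article, not Vestige's own tooling. Assumes the
AuditData JSON shape of Search-UnifiedAuditLog / the Office 365 Management
Activity API. All records below are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Operations that mean file content left OneDrive; a full sync-client
# download of a folder counts as much as a browser download.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

# Constructed AuditData rows, one JSON string per audit record, as they
# would appear in the AuditData column of an exported search.
CONSTRUCTED_ROWS = [
    json.dumps({"CreationTime": "2024-03-02T14:05:11", "Operation": "FileDownloaded",
                "Workload": "OneDrive", "UserId": "jdoe@example.com",
                "ClientIP": "203.0.113.10", "SourceFileName": "Q1-forecast.xlsx"}),
    json.dumps({"CreationTime": "2024-03-02T14:06:40", "Operation": "FileDownloaded",
                "Workload": "OneDrive", "UserId": "jdoe@example.com",
                "ClientIP": "203.0.113.10", "SourceFileName": "client-list.csv"}),
    json.dumps({"CreationTime": "2024-03-03T23:41:02", "Operation": "FileSyncDownloadedFull",
                "Workload": "OneDrive", "UserId": "jdoe@example.com",
                "ClientIP": "198.51.100.7", "SourceFileName": "pricing-model.xlsx"}),
    json.dumps({"CreationTime": "2024-03-03T23:41:05", "Operation": "FileSyncDownloadedFull",
                "Workload": "OneDrive", "UserId": "jdoe@example.com",
                "ClientIP": "198.51.100.7", "SourceFileName": "vendor-contracts.zip"}),
    json.dumps({"CreationTime": "2024-03-04T09:12:00", "Operation": "FileAccessed",
                "Workload": "OneDrive", "UserId": "asmith@example.com",
                "ClientIP": "203.0.113.22", "SourceFileName": "staff-handbook.pdf"}),
    json.dumps({"CreationTime": "2024-03-04T09:15:33", "Operation": "FileDownloaded",
                "Workload": "OneDrive", "UserId": "asmith@example.com",
                "ClientIP": "203.0.113.22", "SourceFileName": "staff-handbook.pdf"}),
]


def _when(rec):
    # CreationTime in the unified audit log is UTC without a zone suffix.
    return datetime.fromisoformat(rec["CreationTime"])


def triage_downloads(audit_rows, corporate_networks):
    """Per user: download count, file names, off-network IPs, after-hours count."""
    nets = [ip_network(n) for n in corporate_networks]
    per_user = defaultdict(lambda: {"downloads": 0, "files": [],
                                    "external_ips": set(), "after_hours": 0})
    for row in audit_rows:
        rec = json.loads(row)
        if rec.get("Workload") != "OneDrive" or rec.get("Operation") not in DOWNLOAD_OPS:
            continue
        entry = per_user[rec["UserId"]]
        entry["downloads"] += 1
        entry["files"].append(rec.get("SourceFileName", rec.get("ObjectId", "?")))
        ip = rec.get("ClientIP")
        try:
            # Real exports sometimes carry IPv6 or bracketed forms; an address
            # we cannot parse is treated as off-network rather than dropped.
            on_net = ip and any(ip_address(ip) in n for n in nets)
        except ValueError:
            on_net = False
        if not on_net:
            entry["external_ips"].add(ip)
        hour = _when(rec).hour          # UTC; shift for the user's locale
        if hour < 6 or hour >= 22:
            entry["after_hours"] += 1
    return dict(per_user)


def retention_coverage(audit_rows, lookback_days, now):
    """Compare the oldest surviving record with the investigation window.

    Returns (days_covered, days_missing). days_missing > 0 means the log was
    not enabled, or not retained, far enough back for the requested look-back,
    which is exactly the gap the article warns about."""
    oldest = min(_when(json.loads(row)) for row in audit_rows).date()
    window_start = (now - timedelta(days=lookback_days)).date()
    covered = (now.date() - oldest).days
    missing = max(0, (oldest - window_start).days)
    return covered, missing


if __name__ == "__main__":
    for user, summary in triage_downloads(CONSTRUCTED_ROWS, ["203.0.113.0/24"]).items():
        print(user, summary)
    print("coverage (days covered, days missing):",
          retention_coverage(CONSTRUCTED_ROWS, 180, datetime(2024, 3, 5)))
```

Run against the constructed rows, the departing user shows four downloads, two of them late at night from an address outside the corporate range, while the other user’s FileAccessed event is correctly ignored. The coverage check with a six-month look-back reports that 177 of the 180 requested days have no records at all, which is the "trust but verify" point: confirm the audit log is enabled and its retention set before you need it, not after.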

Hopefully this cloud data security blog has been helpful with respect to protecting your cloud data from the insider threat of a departing employee. In summary, a company should seek to:

  1. Develop company policies around the use and access of cloud repositories
  2. Consider conditional access policies to restrict the devices that can access corporate cloud repositories
  3. Trust but verify when it comes to logging of activity that may be critical when an investigation of a departing employee is needed.

If you need additional assistance about cloud data protection, CONTACT Vestige today. We’ll be happy to help!