2020-07-28 Patrick Walsh
Originally published at blog.ironcorelabs.com.
The Cloud Needs More Sunshine
We recently learned that nearly 1 in 4 Twitter employees can access customer accounts. That access includes the ability to lock and unlock the account, to view direct messages, and to change email addresses.
As we’ve seen with Twitter, access without accountability is problematic, but even with accountability, insider threats are still a problem. Software companies need to start rethinking employee access completely.
SaaS businesses say your data is safe, but is it really when much of the company has access? Nearly 1 in 4 Twitter employees can access customer accounts.
It isn’t just Twitter that does this. It’s extremely common for employees of SaaS companies to have access to sensitive customer data. I’m not just talking about their contact info here, I’m talking about the data that they store with the SaaS vendor.
In places where I’ve worked that sold enterprise cloud software, most of the customer support, ops, devops, engineering, and professional services staff had the ability to access customer data or to act in the context of a particular customer.
I don’t think this access was generally abused. It was used to help customers solve problems, to understand issues, to debug software, and to provide services. And we had systems to gate the access that logged whenever an employee looked at customer data and what they looked at.
But the question is: who was looking at those logs? I don’t think they were regularly monitored in places where I worked. And those logs certainly weren’t published to the customer.
Access logs are only useful if they’re being monitored. In many cases they aren’t, and customers don’t know who’s been in their account.
When people think they can do something and no one will notice, accountability is lost, even if there’s a record somewhere.
Twitter’s embarrassing moment where high-profile accounts were taken over is only an extreme and highly obvious sign of abuse. But even before that happened, Twitter employees were spying on the private messages of notable Twitter users.
And Twitter knows it’s a problem.
“In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter’s CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access.” — Senator Ron Wyden
Twitter is a recipe for disaster for two reasons:
- Privileged users can access private data.
- There’s no way for users to know when that has happened.
Without transparency, there’s no accountability. Without accountability, there can be no trust.
Twitter is a high-profile example, but I believe strongly that these problems have equally high stakes in the business world. Businesses trust their data to Amazon, Microsoft, Salesforce and thousands of other cloud providers. The more sophisticated of these, like those I’ve mentioned, take extra measures to protect against curious or malicious insiders.
For example, Google recently released GCP Access Transparency so companies can know when a GCP administrator has accessed their data (unless something like a FISA court order compels them to secrecy, in which case they hold back those logs). This feature also lets the customer approve access by support engineers before it happens.
*Unfortunately, Google only offers this feature to its enterprise customers with premium support levels. And even then it isn’t on by default. You have to ask support to turn it on.*
Enterprise customers who want GCP Access Transparency have to ask for it.
Sunshine is the best antidote. When customers can see how their data is accessed, they can react to that information. And when cloud vendor employees know that a customer will see them accessing their data, they act more responsibly and more cautiously.
It comes down to SaaS Trust Models. Buyers need to know and understand these models to make informed decisions.
The full-trust model can no longer be the default when potentially sensitive information is at play. End-to-end encryption and zero-trust models are ideal, but there’s a sliding scale of options, including the trust-but-verify model that is fast becoming a standard request from enterprises.
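Here is what the trust-but-verify model looks like when it is actually enforced, as an added example that is not from this post or from any vendor's product. It ties together the two points made above: a gating system logs every privileged access to customer data with a ticket reference, the customer grants approvals per ticket with a time window, and a check runs over the log to produce the per-customer report that a customer should be able to see, flagging every access that cannot be tied to a customer-approved ticket. The log lines, ticket ids, employee names and approval windows are all constructed sample data; the field names are an assumption about what such a gating system would record.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: one JSON record per privileged access to customer data,
# as the kind of gating system described in the post might emit it.
ACCESS_LOG = """
{"ts": "2020-07-20T14:02:11Z", "employee": "alice", "customer": "acme",   "action": "view_messages", "ticket": "SUP-1041"}
{"ts": "2020-07-20T14:05:40Z", "employee": "alice", "customer": "acme",   "action": "view_messages", "ticket": "SUP-1041"}
{"ts": "2020-07-20T15:00:00Z", "employee": "alice", "customer": "globex", "action": "view_messages", "ticket": "SUP-1041"}
{"ts": "2020-07-21T02:17:03Z", "employee": "bob",   "customer": "acme",   "action": "view_messages", "ticket": null}
{"ts": "2020-07-21T09:30:00Z", "employee": "carol", "customer": "globex", "action": "change_email",  "ticket": "SUP-1099"}
{"ts": "2020-07-21T13:00:00Z", "employee": "carol", "customer": "globex", "action": "view_messages", "ticket": "SUP-1099"}
{"ts": "2020-07-22T11:45:12Z", "employee": "bob",   "customer": "globex", "action": "view_messages", "ticket": "SUP-0001"}
"""

# Constructed: approvals the customer granted, keyed by ticket. Under
# trust-but-verify an access is expected only when the customer approved that
# ticket for their own account and the access falls inside the approval window.
APPROVALS = {
    "SUP-1041": {"customer": "acme",   "start": "2020-07-20T13:00:00Z", "end": "2020-07-20T17:00:00Z"},
    "SUP-1099": {"customer": "globex", "start": "2020-07-21T09:00:00Z", "end": "2020-07-21T12:00:00Z"},
}


def _ts(s):
    # All timestamps in the constructed data are UTC, so naive datetimes suffice.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record, approvals):
    """Return 'approved', or the reason the access cannot be tied to customer consent."""
    ticket = record.get("ticket")
    if not ticket:
        return "no_ticket"            # access with no stated reason at all
    approval = approvals.get(ticket)
    if approval is None:
        return "unknown_ticket"       # ticket id the customer never approved
    if approval["customer"] != record["customer"]:
        return "wrong_customer"       # approval reused against a different account
    when = _ts(record["ts"])
    if not (_ts(approval["start"]) <= when <= _ts(approval["end"])):
        return "outside_window"       # approval existed but had not started or had expired
    return "approved"


def transparency_report(records, approvals):
    """Per-customer view of every privileged access, with a verdict on each one."""
    report = defaultdict(list)
    for rec in records:
        entry = {k: rec[k] for k in ("ts", "employee", "action", "ticket")}
        entry["verdict"] = classify(rec, approvals)
        report[rec["customer"]].append(entry)
    return dict(report)


def flagged_accesses(records, approvals):
    """Accesses that deserve a human look: everything that is not 'approved'."""
    flagged = []
    for rec in records:
        verdict = classify(rec, approvals)
        if verdict != "approved":
            flagged.append((rec["employee"], rec["customer"], rec["action"], verdict))
    return flagged


if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    for customer, entries in transparency_report(recs, APPROVALS).items():
        print(f"== access report for {customer} ==")
        for e in entries:
            print(f"  {e['ts']} {e['employee']:<6} {e['action']:<14} ticket={e['ticket']} -> {e['verdict']}")
    print("\nflagged for review:")
    for item in flagged_accesses(recs, APPROVALS):
        print("  ", item)
```

The report is the piece that gives the customer sunshine: every access appears, including the approved ones, so the customer sees both the ticket they opened and the two accesses against it. The flagged list is the piece for the vendor's own security team, and it is only meaningful if someone is on the hook to review it; the post's point about unmonitored logs applies to this output just as much as to the raw log.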
It’s time to move incrementally, if not in jumps, to stronger trust models. Full trust without verification is a toxic stew.
With great power comes great temptation. Twitter has put this on display, but if you look closely, the same dynamic is everywhere around us. But we can fix it.
Photo credit: Loren Gu on Unsplash