Security "Bits"

SaaS Holes - Part 2: Suspicious Activity

By Annie Wang | October 13, 2014 at 6:00 AM



In part one of this series I discussed how single sign-on systems can make identity sprawl obsolete (at least from an enterprise perspective). Do check it out if you haven’t given it a read. Part 2 of this series addresses another major problem area when it comes to cloud apps: monitoring for suspicious activities.

When you think of monitoring for suspicious activities, what’s the first thing you think of? Some of you might be thinking of Showtime’s hit series “Homeland” (given the recent premiere). Being the dog lover that I am, I think of guard dogs. For hundreds of years, guard dogs were one of humanity’s most advanced security systems. They barked when intruders were on our property, they gave us peace of mind when we were away, asleep or otherwise indisposed and, lastly, they were cost effective. In essence, they protected our most beloved assets: family and home. Watch dogs gave us visibility into what was going on on our property. The same concept applies to protecting cloud apps.

The Hole: No Visibility Into Suspicious Activities (aka no guard dogs)



Most cloud apps don’t offer any audit logging or visibility into user activity. In other words, there are no watch dogs!

Here’s an example scenario to help paint a clearer picture: 

“Dimitra” signs into Office 365 in Bangalore, India at 1pm local time while on a business trip. At the same time, someone posing as “Dimitra” logs in from San Francisco, California.

If Dimitra’s company is relying solely on a cloud app, they wouldn’t know that they may have a potential compromise on their hands. No alerts are sent their way, no red flags are raised, no barking. Just silence. This lack of visibility can turn into hundreds of thousands of dollars of fines, not to mention the loss of the public’s trust.

If you’re a financial or healthcare institution, or function within any other highly regulated industry, visibility into who is accessing what information, and flagging any and all suspicious activities, are even more important.

The Fill: An Effective Cloud Access Security Broker (Rottweiler not Poodle)


The good thing is that there is a solution: a cyber security guard dog that you can use to monitor all activity taking place in your cloud applications, even if activities take place in multiple cloud apps at the same time. Cloud access security brokers (CASBs) give you complete visibility into corporate activity across all company cloud apps. They’re super easy to implement and some take less than 30 minutes to deploy. Here’s how they work:

  1. Implement CASB
  2. All data from cloud apps (e.g., Office 365, Google Apps, etc.) flows through a proxy
  3. Data is then recorded

NOTE: Remember, you want a Rottweiler for a watch dog, not a poodle. Make sure to invest in a CASB that offers alerts (not all do this) with all information in plain English. Some offer an audit log of unreadable transactions. Not the biggest help when you’re trying to operate at the speed of life.
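The kind of check that recorded login data makes possible, applied to the Dimitra scenario above. This is an added example, not Bitglass code or part of the original post; the event fields, coordinates, second user, and the speed and distance thresholds are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_KM = 50.0    # assumption: ignore geolocation noise within one metro area

@dataclass(frozen=True)
class Login:
    user: str
    app: str
    when: datetime
    city: str
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Plain-English alerts for consecutive logins by one user that would
    require travelling faster than max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev, last[ev.user] = last.get(ev.user), ev
        if prev is None:
            continue
        km = km_between(prev, ev)
        hours = (ev.when - prev.when).total_seconds() / 3600
        # Simultaneous logins (hours == 0) from distant places are always flagged.
        if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
            alerts.append(f"{ev.user}: {ev.app} login from {ev.city} {hours * 60:.0f} min "
                          f"after a login from {prev.city}, {km:.0f} km away")
    return alerts

def utc(h, m):
    return datetime(2014, 10, 13, h, m, tzinfo=timezone.utc)

# Constructed sample events; 1pm in Bangalore is 07:30 UTC.
SAMPLE_EVENTS = [
    Login("dimitra", "Office 365", utc(7, 30), "Bangalore", 12.97, 77.59),
    Login("dimitra", "Office 365", utc(7, 30), "San Francisco", 37.77, -122.42),
    Login("omar", "Google Apps", utc(6, 0), "London", 51.51, -0.13),
    Login("omar", "Google Apps", utc(15, 0), "New York", 40.71, -74.01),
]
```

Calling `impossible_travel(SAMPLE_EVENTS)` returns a single alert, for Dimitra; the constructed London-to-New-York pair nine hours apart is plausible air travel and passes.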


Stay tuned for Part 3 in our blog series. I will be tackling data leakage. Follow @Bitglass to learn about what’s going on in the cloud and mobile security world.

Chris Hines


