User credentials remain the Achilles heel of cloud apps: How you can prevent an attack


High-profile security breaches have dominated the headlines in 2014. Two notable examples over the last few months, the Apple iCloud and Dropbox breaches, have revealed a juicy target for attackers: user credentials.

Rather than try to hack into the application itself like iCloud, Dropbox, Salesforce, or Amazon Web Services (AWS), an easier and much more feasible approach to gaining access to sensitive data, celebrity photos, or whatever else an attacker is after, is through stolen user credentials.

Both Apple and Dropbox were quick to point out that their own applications weren’t breached, but that the hackers had stolen user credentials from other cloud services and then used them to access Apple and Dropbox accounts. These incidents highlight the perils of cloud applications. By moving business-critical applications (like storage, CRM, HR, finance) to the cloud, IT administrators have ceded security controls to cloud service providers, throwing into question the security of data stored in the cloud.

That’s why it’s so important to implement additional security controls on top of those provided by the cloud service. The AWSs and Dropboxes of the world provide varying levels of infrastructure security, but it’s ultimately up to the cloud service customer to close the loop. According to Forrester Research, it’s a shared responsibility between the cloud service provider and its customers to ensure complete security over the app and customer data.

Fortunately, there are some steps organisations can take to mitigate the risk of cloud service credential theft.

Know what’s going on – and don’t forget about mobile

First off, it’s important to know what apps are being accessed by employees and whether they’re authorised by IT or not. Cloud apps are no longer just being accessed through desktop browsers. The ubiquitous use of mobile devices and explosive growth of native mobile apps have exposed a new security hole for many IT organisations.  

To date, most organisations have focused on securing managed devices (i.e. corporate-owned), but there’s no escaping the BYOD movement. More and more employees are blurring the line between work and personal devices. It’s common to see employees using their personal smartphones for work-related activity.

As a result, it’s imperative to have visibility into cloud app usage across all devices – managed and unmanaged. For example, knowing from which locations (home, office, Portugal, etc.) and through what devices (iPad, laptop, Android phone) users typically access the cloud services is fundamental to a sound security strategy.

A new category of tools that analyst firm Gartner calls Cloud Access Security Brokers (CASB) can build “behavioural profiles” based on user and device fingerprints, which make it easier to identify suspicious behaviour in real-time and enforce appropriate policies to remediate risks before damage can occur.

Proactive yet flexible protection

Once a baseline of normal behaviour has been established for each user, CASB solutions can then define and enforce policies to provide proactive detection and protection against stolen credentials attacks. Here’s how it works: an attacker in New York steals the Gmail login credentials of a user in California. Assuming the victim’s login credentials are being used for most, if not all, of their cloud services, the attacker attempts to access a Dropbox account from his or her Android phone at 2am using the stolen credentials. 

Since the victim doesn’t normally access his or her Dropbox account from New York with an Android phone, and certainly not at 2am, this attempt would be flagged as anomalous behaviour. At that point, several measures can be applied separately or in conjunction: an alert can be sent to the security team, account access can be blocked, and/or multi-factor authentication can be requested before allowing access to the account. This flexibility is required since the legitimate user could very well be on vacation in New York, accessing their account from a different device. A draconian “block access” would be too strict a measure in this case.

If necessary – request stronger authentication

In both the Apple and Dropbox breaches, both companies recommended the use of two-factor authentication to add another layer of security to prevent the inappropriate use of stolen credentials. Multi-factor authentication is a powerful way to protect against account takeovers. It forces would-be attackers to present at least two forms of authentication – one that involves something you own (e.g. a mobile device) and the other something you know (e.g. a one-time password).

In the New York–California attack example above, instead of blocking access immediately, an organisation could invoke two-factor authentication. This would challenge the attacker to verify his identity via an out-of-band one-time password (which he wouldn’t be able to provide) and result in access being denied. If the request was being made by the legitimate user, they would be able to present both forms of authentication and still access their account.
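The baseline-then-step-up flow described in the last two sections, as an added example that is not part of the original article or any CASB product: a per-user profile of locations, devices and login hours is learned from past sign-ins, each new attempt is scored by how many attributes fall outside that baseline, and anomalous attempts are challenged with an out-of-band one-time password rather than blocked outright. The profile structure, scoring rule and the sample login events are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Per-user baseline of sign-in locations, devices and hours (constructed)."""
    locations: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def learn(self, events):
        """Build the baseline from past (location, device, hour) logins."""
        for loc, dev, hour in events:
            self.locations[loc] += 1
            self.devices[dev] += 1
            self.hours[hour] += 1

    def anomaly_score(self, loc, dev, hour):
        """Number of attributes that fall outside the baseline (0 to 3)."""
        score = 0
        if loc not in self.locations:
            score += 1
        if dev not in self.devices:
            score += 1
        # An hour is usual if within one hour of any baseline hour (wrapping midnight)
        near = any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in self.hours)
        if not near:
            score += 1
        return score

def evaluate(profile, loc, dev, hour, otp_valid=None):
    """Policy decision for one login. otp_valid is None until a challenge has been
    answered, then True/False for the out-of-band one-time password."""
    score = profile.anomaly_score(loc, dev, hour)
    if score == 0:
        return score, "allow"
    if otp_valid is None:
        # Anomalous but possibly legitimate (travel): step up instead of blocking
        return score, "challenge_mfa"
    if otp_valid:
        return score, "allow_after_mfa"
    # Failed step-up on an anomalous login: deny and alert the security team
    return score, "deny_and_alert"

# Constructed baseline: the user normally signs in from California in business hours
BASELINE = [("California", "laptop", 9), ("California", "iPad", 14),
            ("California", "laptop", 18), ("California", "laptop", 10)]
user = Profile()
user.learn(BASELINE)
```

With this baseline, `evaluate(user, "New York", "Android phone", 2)` returns `(3, 'challenge_mfa')`, the same attempt with `otp_valid=False` returns `(3, 'deny_and_alert')`, and a vacationing user on a new device at 10am who answers the challenge gets `(2, 'allow_after_mfa')`.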

Although stolen credentials pose a significant risk to cloud services security, with the right policies and technology in place, an organisation can protect data residing in cloud apps from unauthorised access and theft.


4 Jan 2015, 5:36 a.m.

The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution needed for important accounts requires the use of the most reliable password.

Using a strong password does help a lot even against the attack of cracking the leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. It is like we cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.


17 Jan 2015, 11:18 p.m.

The biggest mistake that a company can make is...

True Story – I was on an airplane flight yesterday. The woman sitting next to me works for a MAJOR pharmaceutical company. We struck up a conversation. While we were talking, she used the airplane WiFi and her web tablet to log on to the company site. I was sitting there watching each key stroke; I now know her password. Obviously, I removed the password from my memory, but just think about the consequences. What if someone with poor intentions was sitting next to this woman?

This is a moment in time when there is a lot of enthusiasm for new technologies, especially cloud and SaaS. Even though such technologies bring undoubted advantages, very often companies underestimate that the adoption of such technologies implies a total redesign (re-thinking) of all their security policies and employee behaviors. It’s not just about encryption: accessibility from anywhere means that your HTTPS (SSL/TLS) protocol channel is not enough to keep safe!

The cloud requires a brand new security concept, to be invented and designed from scratch. The largest mistake that a company can make is accepting one solution as the save-all. There is not “ONE CONCEPT”; it’s going to be a huge amount of new security tools, practices, algorithms, policies… If companies don’t want to continuously have their customer & internal private information victimized, security needs to quickly become part of their DNA.

Learn more and follow the biggest thing happening in cloud in 2015
new web site launching 1/25/15

for now follow us on social media so you can be part of the cloud reborn.


16 Mar 2015, 8:52 p.m.

Problem solved: search news: Extenua and Imageware partnership - cloud reborn!