This is another short piece of the “Strictly Theoretical” mini series, in which I put insensible historical incident management and suspicious behaviour patterns under the microscope, reflecting on how the “inner” and “outer” worlds continuously interact with each other to form the everyday life of a production environment.
Some pros and cons of cloud security
Cloud security companies offer a great range of cyber security solutions. One of the core products of these enterprises is access control through their numerous web gateways. This is great in general, as loads of potential attack vectors can be blocked this way, but what if other security-related systems are in place as well? If these screening tools are not fully aligned, or are still in their baselining phase, they may work against each other and increase the level of noise.
User authenticates from different geolocations
If a user’s location is close to a number of gateways of the cloud security tool in use, the tool may try to authenticate the user via different gateways within a short period of time. There can be several reasons for this, such as load balancing, the user’s personal VPN or other routing issues. In a situation like this, screening tools would start clamouring, as the timeframe is far too narrow for a real-life journey between these geographical locations; hence, it looks suspicious.
After confirming the circumstances, potentially with the user as well, there is nothing else to do but note up the alert and possibly fine-tune the workflow automation for such alerts. The most important field to identify in these alerts is the “organization”: if it matches the name of the cloud security tool, hopefully there is not much to worry about.
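The detection and triage described above, as an added example that is not part of the original post: consecutive sign-ins per user are checked for an impossible speed, and a hit is downgraded when both ends resolve to the cloud security vendor's own organisation. The vendor name, gateway coordinates, sample events and the 900 km/h threshold are all constructed assumptions, not values from the post.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events: user, UTC time, gateway lat/lon, ASN organisation.
# "ExampleCloudSec" is a placeholder vendor name, not a real product.
EVENTS = [
    ("alice", "2024-05-01T08:00:00", 51.51, -0.13, "ExampleCloudSec Ltd"),   # London gateway
    ("alice", "2024-05-01T08:07:00", 50.11, 8.68, "ExampleCloudSec Ltd"),    # Frankfurt gateway
    ("bob", "2024-05-01T09:00:00", 51.51, -0.13, "ExampleCloudSec Ltd"),
    ("bob", "2024-05-01T09:30:00", 40.71, -74.01, "Some Residential ISP"),   # New York, not via the tool
]
TRUSTED_ORG = "examplecloudsec"  # assumption: vendor name as it appears in the org field
MAX_SPEED_KMH = 900.0            # roughly an airliner; anything faster is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, trusted_org=TRUSTED_ORG, max_speed_kmh=MAX_SPEED_KMH):
    """Return one triage record per pair of consecutive sign-ins that implies an impossible speed."""
    by_user = {}
    for user, ts, lat, lon, org in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon, org))
    findings = []
    for user, evs in by_user.items():
        for (t1, la1, lo1, org1), (t2, la2, lo2, org2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < 1.0:  # same gateway; nothing to assess
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # identical timestamps count as impossible
            if speed <= max_speed_kmh:
                continue
            # Triage rule from the post: both hops via the cloud security vendor's gateways
            # is most likely gateway switching, so note it up rather than escalate.
            via_tool = all(trusted_org in o.lower() for o in (org1, org2))
            findings.append({
                "user": user, "km": round(km), "minutes": round(hours * 60),
                "disposition": "note-and-close" if via_tool else "escalate",
            })
    return findings
```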
Thanks for reading and as always, any feedback is most welcome.