Industry Insight: Collaboration Tools: The Next Great Security Risk
Collaboration tools have become hugely popular with all kinds of businesses because they enable strategies like virtual teams and keep employees working tightly together no matter how far apart they might be physically. But whether it's a workflow-based utility such as Asana or a chat-oriented app such as Slack, these tools have also created new opportunities for cybercriminals looking to access your company's most vital information. Bad actors can infiltrate your collaboration software through application programming interfaces (APIs) or through accidental authorizations that leak private data outside of your organization. In other words, even if they're being hosted elsewhere, your collaboration tools might still be putting a huge security hole in your network.
Greg Arnette is the Director of Data Protection Platform Strategy at Campbell, Calif.-based Barracuda Networks, a security, networking, and storage products provider. We recently sat down with Arnette to discuss the sorts of attacks that could happen via collaboration services and how businesses can protect themselves.
PCMag (PCM): Collaboration tools of all kinds are being adopted at a pretty rapid pace by all sorts of companies. What are some of the security-related problems that can arise from this?
Greg Arnette (GA): So, before we get into the sort of vulnerabilities involved, I think it's important to give an overview of what's happening right now. There are a number of different trends happening
One of the trends is this massive migration of on-premises collaboration services moving to cloud alternatives. With that migration, you have an increased use of email and real-time messaging systems, such as Slack and Facebook Workplace and a dozen or so different platforms that are rising in popularity alongside
Now, couple that trend with the rise of APIs and artificial intelligence [AI]. That is creating a lot of good things but also an equal number of bad things. As companies migrate their collaboration systems from on-premises to
PCM: These are all good things, of course. So where do the problems begin?
GA: This same tech is allowing the people that want to do harm to others to take advantage of these open APIs and these new systems of record. The bad actors of the world are also taking advantage of the innovations in cloud and using AI, machine learning (ML), and cheap cloud computing to sponsor attacks with these APIs. They're looking for vulnerabilities and mimicking user behavior so that they can get around the known defenses and infiltrate organizations using what were thought to be pretty secure defenses and to keep the bad stuff out.
So that's kind of a perfect storm of businesses wanting more convenience with the ability for bad actors to leverage these APIs and get into those systems. It's a race of mutually assured destruction, basically.
PCM: Give us an example of a specific type of attack. Would a malicious actor create a seemingly harmless app for a program like Slack that an employee would be tricked into installing?
GA: An example of a malicious usage of the Slack API is you can develop a third-party Slack app that can bridge your Slack account with a customer relationship management (CRM) platform like Salesforce. Somebody in a company could download and install the app, and then this trojan Slack app, which appears on the surface to be a simple connector, can be easily authorized by an individual in the company. All of a sudden, now you have this little bot that's sitting on someone's workstation that can talk to both Slack and Salesforce and leak data out without the company's knowledge. And that's just one minor example. You can apply this to most any platform that has an open API.
In the case of AI, the folks out there in the world that want to do harmful things are using AI to figure out how to exploit systems, gather data, and expose it to journalists and others. This is to cause issues and affect elections, affect economies, affect business stability, and so forth. This could happen in a lot of ways. It could be an ML model that is trained to look for specific information or a bot that appears to be a real person that could solicit the data from employees. There are all sorts of vulnerabilities that these collaboration tools open up for organizations.
Another trend that we see is departments and teams purchasing or implementing solutions that inadvertently connect public things to the private network that is outside the purview of the IT department. Since these collaboration tools have been adopted, IT departments have been having trouble trying to lock down who can actually install and run things in the company network in order to prohibit these types of connections from happening. If any employee is allowed to add an app to the company Asana team, it can be disastrous.
PCM: These attacks are scary, sure, but these are extremely useful tools. It's hard to imagine most businesses giving up these apps once they've had access to this sort of convenience. How should businesses keep themselves secure?
GA: That's absolutely true; these apps are here to stay. They've established that they can help make lives better in a work setting.
There are a couple things that...companies can do to stay secure. The first is ensuring that the IT department is aware of all the apps that are installed and all these third-party connectors that are installed into these apps. Make sure they've been reviewed or vetted by scrutinizing eyes to make sure that they're not actually Trojan-like attacks that were created to spook somebody into installing them.
The second thing that customers should be doing is vetting their supplier's security and compliance best practice standards. There's a great third-party website that helps IT departments do that vetting called Enterpriseready.io. You can go there and you can check out [your Software-as-a-Service or SaaS app] and see if it has all of the correct controls in place to ensure a highly secure operating environment. So it's all about privacy, ensuring that there's a sufficient ability to lock down controls, that APIs have audit access, and that kind of
On top of that, it's worth noting that a lot of these collaboration solutions have permissions controls to fight against this exact sort of thing. You can tighten permissions on what integrations can come through these apps and who controls them. If you configure these permissions, it saves IT a lot of the work of having to monitor what apps are installed.
Source: https://sea.pcmag.com/slack/21113/industry-insight-collaboration-tools-the-next-great-security-risk
Posted by: woffordmined1938.blogspot.com