IS Decisions logo

IS Decisions Blog

Auditing file access in the cloud

Here’s what to expect when auditing file access in the cloud, how moving files to the cloud impacts auditing, and how to audit changes in on-premise and cloud environments.

Updated November 8, 2023
Auditing file access in the cloud

If your files aren’t already in the cloud, they will be soon. By putting a strategy in place that ensures a single, consolidated view of all file activity both in the cloud and on-premises you will reduce the risk associated with allowing users anytime, anywhere, any device access to cloud-based file data.

The adoption of cloud file storage

We’d like to think all our critical data only existed in application databases. It would be a much easier world for IT. In a world like that, none of the data would be freely running around rampant, being copied and pasted by users, ending up in locations on your network that you’d never suspect.

But that’s not reality. Critical data intellectual property, financial data, patient information, personal data, credit cards, and more all end up in files. Word documents, spreadsheets, presentations, and the like, are all utilized in the natural order of business and end up containing much of your organization’s most precious data.

Traditionally stored on file servers, the data has always been relatively secure from improper use. Native security permitted only approved access to file data by the organization’s users, with no ability to easily share the data with external parties.

As organizations have undergone digital transformation, shifting critical services and applications to the cloud, the natural assumption has been to leverage the cloud for the storage of these same critical files. With productivity enhancements like the easy sharing of documents, and integration with other cloud services such as email, the adoption of cloud-based file services has become a staple.

But, the change in location doesn’t diminish the organization’s need to audit the access to, and use of, file data. Frequent security audits, compliance mandates, and government regulations all require an ability to ascertain and demonstrate that critical, sensitive, and protected data is being properly accessed and used – regardless of where the data resides.

Enter, file auditing. It’s been around since Windows NT in the mid-'90s. Microsoft has provided the basic Windows auditing tools necessary to functionally audit the use of its file systems. And, as organizations have moved file data to the cloud, this same basic functionality has found its way into enterprise cloud-sharing solutions as well, as a means to appease customers wishing to audit usage.

But, what does it take to truly audit file access and use in the cloud?

Why audit file access?

As previously outlined, the necessity exists to include any locations containing sensitive, protected, or valuable data that may be involved in data breaches, data theft, espionage, etc. There are four primary use cases of auditing that include file access:

  • Compliance: Whether data protection is the focus (as in the case of mandates like PCI or HIPAA), or proving data has been properly handled (e.g. GDPR), compliance mandates usually make no distinction around where the data needs to reside. They are only concerned with you putting controls in place which usually include some degree of auditing anywhere the data in question may exist.

  • Security audits: Organizations with a mature security stance include quarterly, semi-annual, or annual audits of the state of security, changes since the last audit, and even dive down into specific actions of individuals. The goal of most audits is to understand what has changed, and whether that has had a negative impact on the company’s security posture.

  • Threat detection: Threats come in all shapes and sizes. Insider threats and external threats alike can result in data theft, manipulation, or deletion. File audits can be used to identify early indicators of a threat action, such as: abnormal access times and days of week, larger than normal data transfers, successive deletions, etc.

  • Forensics: After a threat has been identified, having a record of every action helps understand the scope of the threat activity. For example, if IT determines a data breach occurred with a specific user account, performing an audit of every file that account touched within a relevant period will bring context to the specific actions taken.

In all of these cases, data of value exists within files. This makes file auditing a necessary part of any of the initiatives listed above whether files exist on-premises or in the cloud.

So, what functionalities can you expect from file auditing ?

File auditing: The basics

Whether you utilize the native tools within your Operating Systems of choice or choose to leverage a third-party solution to automate and simplify the work of auditing, there are some common functionalities within file auditing that every IT pro expects.

  • Track: File auditing needs to be able to monitor the access to, and use of, files on every system and platform hosting files.

  • Audit: An ability to intelligently collect and present file activity is necessary for IT to make key decisions. Audited actions should include attempted and successful read/write/delete, as well as changes to ownership, permissions, and attributes. And, in the case of the cloud, all activity around sharing, including use of sharing links by external parties.

  • Report: Both scheduled and run-time reporting are useful to IT teams looking to understand the current state of access to critical data. Important data points would include (when applicable) server, filename, action type, success or failure, date, time, user performing the action, machine name, and IP address.

  • Alert: IT and Security teams need real-time notifications around suspect and inappropriate access to files containing critical data. Alerts should be customizable, so that organizations can tailor the monitoring for specific data sets, users, actions, timeframes, etc.

  • Respond: Sometimes when an alert is triggered, we can’t wait for when IT intervenes. An organization needs a solution to take automatic action, before the damage is done.

  • Delegate: In addition, the delegation to trusted users closest to the actual use of the data can provide additional benefit to the security-aware organization. Delegated users can more easily spot inappropriate activity, notifying IT of the find.

In some cases, going the “DIY” route may involve some custom scripting, or creative use of multiple native tools, but are usually found within even the least expensive of solutions. Regardless of whether you used a prebuilt solution or build your own, all of this functionality assists IT with materially speeding up the process of searching, analyzing, and reporting on the file audit data collected.

So, what changes when you move file storage to the cloud?

The challenge of file auditing in the cloud

As with any service, when you move file services from on-premises into the cloud, there are 3 challenges IT faces:

  1. A lack of visibility: Because file services are managed by a third-party, IT has little ability to see how the service is being used, and whether that use if appropriate and compliant with organizational requirements and external mandates.

  2. A lack of control: Those creating the online file service usually provide basic IT controls, but don’t necessarily provide IT teams with technical tools they need. Remember, cloud providers are in the business of providing the service, not necessarily making life easy for IT.

  3. A lack of consideration for on-premise: Even if file sharing services have some degree of auditing capability, there is little to no integration (on the part of the cloud provider) with any on-premises auditing capabilities.

It’s imperative that file auditing address each of the challenges above. With cloud-based file sharing, the possibility of data theft and negligent sharing of data publicly increases significantly, especially given the amount of control handed to users.

There are many business-focused cloud-sharing solutions available today. Consumer-facing file-sharing services such as Box and Dropbox have developed corporate versions of their services, which include varying degrees of auditing functionality.

Where they’re lacking is in their ability to tie on-premises and cloud-based actions together. Take the following data breach example. A user wishes to steal exported CSV files containing the company’s customer lists. They copy the export files from an on-prem file server to a local folder that syncs with your cloud file service. They then share it out to a third party, who quickly connects to the cloud service and retrieves them. That’s it that was all it took to steal data from your organization. Organization’s need a complete picture of what actions are transpiring both on-premises and in the cloud.

So, how can you do file auditing with cloud-based services in the mix?

However you choose to go about auditing, you should look for the following:

  1. Complete visibility: Whether you use a SIEM solution to consolidate on-premises and cloud data, or you use a file auditing solution that already addresses both environments simultaneously, you need something in place that gives you visibility into the entirety of your file environment.

  2. Inclusion of every cloud service: The average enterprise uses a multitude of cloud-based services. This means it’s entirely possible to have one part of the organization using, say, Dropbox, and another using OneDrive. Be certain that either each cloud sharing service can provide you the audit data you need or use a solution that supports every service in place.

  3. An intelligent view: You can’t expect cloud services to make sense of audited actions for you. You may find that auditing data from the cloud may be as “needle in the haystack-ish” as the Windows file auditing data remains after two decades. Be certain you have a solution or an internal means by which to intelligently normalize and present the audit data in a way that allows IT and security teams to make smart decisions.

Make file auditing in the cloud a reality

If your files aren’t already in the cloud, they will be soon. Compliance, security, and incident response requirements make the need for file auditing whether in the cloud or on-premises a necessity. Organizations must achieve the same levels of visibility and control over access to and usage of file data in the cloud as they have enjoyed for years on-prem.

By putting a strategy in place that ensures a single, consolidated view of all file activity both in the cloud and on-premises you will reduce the risk associated with allowing users anytime, anywhere, any device access to cloud-based file data. Take a look at how FileAudit extends file auditing to data stored on major cloud platforms. Quickly get key insights in the access to and usage of data stored across both cloud and on-premises environment.

Try FileAudit for free

  • 20-day trial
  • Full technical support
  • No credit card required
FileAudit screenshot