Security is often the top consideration when planning to invest in cloud-based technology. Of course, in cloud environments, technology is usually located outside an enterprise's network perimeter, so that users have access to resources but not to physical racks, servers, power systems and other related equipment. A major concern has been ensuring that critical data (e.g., customer data, medical records) and intellectual property are suitably shielded from other customer systems and data files.
In this article, we'll examine another growing security concern for enterprise cloud environments: insider threats. We'll explore both intentional (planned) and unintentional (accidental) attacks or disruptions to critical cloud-based resources.
Exploring cloud computing insider threat scenarios
The principal issue when investigating insider threats is that the attacker is already on the inside. For the purpose of this article, we'll assume the "insider" works for the cloud service provider and has access to one or more client environments. The insider has the ability to compromise the confidentiality, integrity and availability of customer information.
Possible types of intentional attacks include theft of information, data destruction or corruption, damage to systems serving specific clients, damage to software and services being used by customers, plus sabotage and fraud.
While it may be difficult to imagine unintentional cloud computing insider threats, they can occasionally happen. Often they result from careless entry of administrative commands that negatively affect customer systems, services and data. However, they can also result from a lack of training in the proper management of customer systems and services. For example, an operator or technician may receive an order for a particular service, or perhaps an update to a specific service, and, because of a lack of training in that particular activity, enter the wrong data. A database administrator may accidentally access the wrong customer database, enter incorrect commands and go so far as to corrupt the entire database.
In fact, seemingly malicious insider activities could be entirely accidental. Yet such incidents raise the question: If someone knew how to securely access and use sophisticated cloud-based systems and services, why would "accidents" occur?
Therefore, let's focus on intentional attacks, their potential ramifications and how they can be prevented or mitigated. Theft of information or intellectual property, assuming the perpetrator has the proper security clearances, could be a nightmare for a business. Trade secrets, engineering documents, financial data, customer data and many other valuable assets could be copied and sold to the highest bidder or simply distributed anywhere. This could happen with the perpetrator remaining completely invisible.
In data destruction or corruption, insiders can access critical customer files and databases and erase the data, introduce viruses or worms, or introduce logic bombs to damage/erase the data at a future date. If this critical data is not backed up and/or replicated at an alternate location, its loss could spell the end of the company.
Companies using cloud-based systems and services that have been maliciously manipulated or altered could suddenly find that their important customer-facing applications are malfunctioning or not operating at all. This means that their customers may be unable to transact business properly, resulting in lawsuits, loss of business and loss of reputation. It may be difficult and even impossible to regain customer trust, especially if damage to customer-facing systems has been severe.
The above-mentioned situation could be an act of sabotage, as are many insider attacks. Someone in the cloud-based service organization may be unhappy or have a personal vendetta against a specific company, which just happens to be a customer of the cloud service organization. This individual, who has solid security credentials, can do almost anything he or she likes to slowly undermine the target organization and its operations. This can be done over time, using a variety of techniques to steal information, create false financial data or damage the organization with occasional operational "hiccups" that appear minor on the surface, but collectively could be part of a larger and more sinister plan of destruction.
Finally, fraudulent activities, like many other malicious acts, can be easily launched within cloud environments. Whereas a perpetrator within a single company may only be able to access that company's resources, in a cloud environment the perpetrator has access to many organizations. For example, we've heard stories about insiders who manipulated financial systems, such as in the infamous Societe Generale fraud incident, leading to millions if not billions of dollars in losses for a victim organization. In a cloud environment, the perpetrator once again has secure access to multiple customer systems and data and is only limited by his or her computing skills.
Preventing insider threats: Questions to ask
A malicious insider may be a system administrator or other qualified technician. People like this who conduct unlawful attacks may be called "rogue" administrators or technicians.
Organizations planning to use cloud-based resources must take a highly proactive approach when it comes to assessing the security posture of a cloud service provider. Some of the issues and questions to address can include the following:
- How often are cloud system administrator and technician access privileges audited and reconfirmed? Make sure you sit down with your provider and not only hear the process explained, but also receive it in writing. Ideally the organization will undergo an internal access recertification process several times per year.
- How carefully screened are prospective system administrators and technicians who may have access to customer systems and data? Make sure newly hired employees aren't able to instantly access sensitive customer systems and data. Providers should require new employees to prove themselves to be competent and trustworthy before trusting them with managing your account.
- Are background checks administered? Are they periodically updated and/or redone? Those with criminal records should undergo further scrutiny or be removed from consideration altogether. Similarly, has an employee worked for a competitor in the past? If you're PepsiCo, you probably don't want a former Coca-Cola employee managing your cloud computing implementation.
- What kind of initial and ongoing security training is available for system administrators and other technicians? On the assumption that security administrators and other technicians understand information security, and can demonstrate that competence through careful questioning and evidence of specific skills (e.g., professional accreditations), the next step is to ensure they are fully briefed on the security systems in use. You can enhance the experience by having them read the technical manuals and security configuration data for the systems being used, and by having them discuss the security systems with the system manufacturer and/or distributor. As new releases of the security systems are implemented or software patches are installed, administrators and technicians should be briefed on those changes.
- What kind of security training is given to nontechnical cloud service company employees? Assuming the cloud organization has an information security policy, begin by circulating the policy to all employees and even try to get a signature of acknowledgement that it was read; next, schedule periodic half-hour briefings on security activities for all staff (or at least staff that may have access to customer information and systems); finally, prepare a one-page document that summarizes key information security policies and good practice as defined by the company.
- How proactive are cloud-based service providers from policy and procedure perspectives when it comes to security, particularly with regard to theft of information, sabotage, fraud, etc.? As part of the vendor-evaluation process, request evidence of cloud service provider policies, guidelines and practices regarding client system and data protection activities; if you prepare a request for proposal as part of the cloud service provider evaluation process, be sure to ask for evidence of how the service provider ensures client data protection within its environment.
- What security monitoring systems and programs are in place? Most cloud service providers will have security monitoring systems and programs in place; get a list of the systems being used, e.g., intrusion detection systems, intrusion prevention systems, firewalls; ask to see their policies and procedures for security monitoring; find out what activities they have in place to detect and remediate denial-of-service attacks, malware and other attempts to breach system and data/database security; finally ask for documented evidence detailing any previous security breaches and how they were detected and remediated.
- What network monitoring systems and programs are in place? These will be similar to the list above, except that they focus on the network perimeter, Internet access facilities, internal/external voice and data network services, and network access devices (e.g., routers, switches, load balancers); again, ask to see evidence of any network security breaches and how they were detected and remediated.
- How many documented malicious insider acts have occurred with the cloud service provider in question? This is probably one of the most important issues to address when evaluating prospective cloud service providers; it should be part of any RFP and the vendor should be prepared to submit documented evidence of the incident; be prepared to get no answer on this question as it may be considered "company confidential"; naturally, a nonresponse to this issue should raise a major red flag.
- How were the attacks resolved? Any cloud vendor response to this kind of question should include a documented summary of the incident and how it was resolved; more important, ask to see what improvements were made to the cloud service company's security policy and procedures to prevent future incidents and quickly identify suspicious behavior.
- Has the cloud service firm ever been convicted of insider attacks on customers? Again, be prepared for a sanitized or nonresponse on something like this, as it may be a sensitive issue to the cloud service provider and its position may be to keep it confidential; a truly reputable cloud service firm should be willing to own up to its mistake and describe how an incident helped it improve its client security policies, practices and capabilities.
Ask these and other questions before contracting with a cloud service provider (and it doesn't hurt to ask them about your own internal IT organization as well). Even the most successful and well-respected cloud companies may have someone on the inside waiting for the right moment who will act maliciously to line their own pockets or suit their own ends. While it's almost impossible to spot a perpetrator until it's too late, there are warning signs. Evidence of discontent, poor performance reviews, lack of salary increases, problems at home, keeping to oneself at work and occasional outbursts of temper could all be warning signs. It may seem insensitive, but make sure your provider's human resources team assists with the screening process and the ongoing monitoring of employee performance. Take these same approaches when evaluating your organization's security posture. Like your vendors, your own organization may be the target of an insider threat.
Until there are totally infallible methods for employee screening, system/network monitoring and detecting changes in human performance that portend an insider attack, cloud-based service providers, like many other IT service firms, must be compelled to maintain a high level of due diligence and proactive operational oversight to prevent malicious insider attacks. So be sure to consider the advice above. Holding providers to the highest possible standards will help reduce cloud computing insider threats.
About the author:
Paul Kirvan is an independent consultant/IT auditor and technical writer/editor/educator with more than 22 years' experience in business continuity, disaster recovery, security, enterprise risk management, telecom/IT auditing and over 30 years' experience in technical writing/editing, technical training and public speaking. Mr. Kirvan has been directly involved with dozens of business continuity, security, IT audit, risk and telecom consulting engagements, ranging from operational audits and strategy definition projects to plan design and implementation, program exercising, execution and maintenance, and RFP preparation and response. Mr. Kirvan was recently a member of the board of the Business Continuity Institute and is currently a member of the board and secretary of the BCI's USA Chapter. He is also a Certified Information Systems Auditor (CISA), Fellow of the BCI (FBCI) and Certified Business Continuity Professional (CBCP).