Cloud computing and the amplified insider threat


When it comes to insider threats, the nature of the threat is largely the same regardless of the computing environment, whether the data and apps reside on-premises, in a public cloud, or in a private cloud — the risk of data exfiltration, data destruction, theft, and similar is ever-present.

One of the most troublesome aspects of insider threats is just how random they can be. You never really know what will set an insider off. It could be high levels of debt they’ve accumulated, a substance addiction, blackmail, a personal life that has suddenly become troubled, and so forth. It could also be work-related: perceived poor pay, fear of being fired, or feelings of being overlooked. Enterprises of all sizes have to be concerned about insider threats.

Those who have been in cybersecurity a while have heard the stories about insiders attacking by planting logic bombs and destroying large amounts of data. One famous incident is Omega Engineering, in which an insider planted a logic bomb on a file server at one of Omega Engineering’s manufacturing facilities. The logic bomb destroyed the software that ran the company’s manufacturing processes. Another example is the City of San Francisco administrator who, according to news reports, changed access passwords and locked the city out of its network for 12 days. Then there are the insiders behind the Department of Defense's Secret Internet Protocol Router Network (SIPRNet) and infamous NSA leaks.

How do enterprise security teams view the insider risk? According to the Insider Threat Report survey, produced by Crowd Research Partners, enterprises view too many users with excessive access privileges (37 percent), an increasing number of devices with access to sensitive data (36 percent), and the increasing complexity of information technology (35 percent) as the key insider risk enablers. 

Fifty-two percent of survey respondents also confirmed that their organizations had suffered an insider attack in the previous 12 months, and twenty-seven percent said insider attacks have become more frequent.

These threats can hit anyone, as we’ve seen, but in cloud environments the insider threat is amplified. When data and apps run on internal clouds, a disgruntled employee with access can certainly cause a lot of damage. But with cloud computing there are also the risks associated with the employees of every cloud provider you use.

Suppose your organization uses a cloud service to manage a hosted application that is central to the function of the business. The organization then takes an action that some consider politically objectionable (an easy thing to do nowadays), and an insider at the cloud service provider decides to take some form of retribution on the company as a result: they want to destroy or steal data, or do whatever they can to harm the organization in some way. What controls does the cloud service provider have in place to protect against this? Many organizations may not realize it, but not all contracts and agreements will adequately protect them. Suppose the employee at the cloud service provider succeeds in destroying the data. Who is held responsible? How will that situation be handled? How does the cloud service provider track user access, and would they be able to determine how the data was destroyed?

In another scenario, perhaps the employee wouldn’t want to get caught. Who would, right? The insider could try to download data to give to a competitor, sell, or just dump online. How does the cloud service provider protect against this type of threat? Do they monitor access closely? Would they be able to spot a data exfiltration? I know, for my money, I’d like to have my data encrypted with my own managed keys so that any intellectual property can only be accessed by those within my organization.
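The customer-managed-key point above, as an added example that is not code from the original article: data is encrypted client-side with AES-GCM under a key the customer holds, so what the provider stores (and what a provider-side insider can copy) is ciphertext only, and any tampering with the stored blob fails authentication on decryption. The object name binding and the `ProviderCanRead` check are assumptions of this example; key generation and storage in the customer's own KMS/HSM are assumed to happen out of band.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Blob is all the hosted service ever stores: nonce and ciphertext, never the key.
type Blob struct {
	Nonce, Ciphertext []byte
}

// gcmFor builds an AES-GCM AEAD from a customer-held 32-byte (AES-256) key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before it leaves the customer's environment. The object
// name is bound as associated data, so a stored blob cannot be quietly served
// under a different name without failing authentication.
func Seal(key []byte, objectName string, plaintext []byte) (Blob, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{nonce, gcm.Seal(nil, nonce, plaintext, []byte(objectName))}, nil
}

// Open decrypts a blob; any change to ciphertext, nonce or object name fails GCM
// authentication, so storage-side tampering is detected instead of returned as data.
func Open(key []byte, objectName string, b Blob) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(objectName))
}

// ProviderCanRead models a provider insider with raw storage access (assumed
// helper): true only if the secret appears verbatim in the stored bytes.
func ProviderCanRead(b Blob, secret []byte) bool { return bytes.Contains(b.Ciphertext, secret) }
```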

While there’s no cure-all that will make these risks go away, there are things that can be done to mitigate the insider threat associated with cloud. The first is to understand how cloud service providers handle access to customer data and resources: do they audit and manage privileged access? How often? The right answer would be yes, and hopefully regularly. And, just as when hiring your own employees, how does the cloud provider vet new hires and screen system admins?

It’s important to remember that every time an organization outsources to a cloud service, it also takes on the risk of that service provider. So everything an organization should do internally to ensure its data is secure, it should also do to make certain that its cloud service provider has comparable processes in place.

This includes looking at how they monitor the security of their networks and systems, their access controls, their management of security functions, their incident response capabilities, and other policies. The important thing to remember is that with cloud systems, while there are security gains as well as trade-offs, the insider threat is amplified across cloud service providers and their employees — and you need to take steps to mitigate this risk.