The cloud presents new challenges in protecting data, such as who is responsible for implementations, Stephen Lawton reports.
Cyber espionage is fast becoming a hot topic of Hollywood blockbuster movies, best-selling mystery novels and international intrigue. But, in real life, sometimes the “villain” is someone within the victimized organization and often the so-called attack is anticlimactic bordering on the mundane. And, while many insider breaches are malicious in motivation, sometimes attacks are nothing more than employees' accidents, misconfigured networks or staffers being duped into clicking on a legitimate-looking link in an email.
Further, unlike traditional data centers where insiders are employees of the company that creates and owns the information, cloud-based “insiders” might not work for the company at all, but rather the service provider that operates the data infrastructure or cloud-based software. Cloud service providers have their own staffs, and in the case where a company's cloud-based infrastructure is housed on virtual machines (VMs), the definition of who constitutes an insider gets increasingly muddled. In multitenant environments, each company that has data stored on a VM has its own community of insiders, and multiple VMs are housed on a single, physical piece of hardware. In such cases, the hypervisor component of the virtualization environment acts as the barrier among various stores of private information.
Guidelines: Stopping leaks
“The Guide to Intrusion Detection and Prevention Systems” from The National Institute of Standards and Technology (NIST) offers five recommendations for federal departments and agencies, although these are not limited to government sites. They include:
Who has responsibility?
Many cloud providers are moving away from the VM-centric cloud, instead opting for security controls built in to off-the-shelf, software-as-a-service (SaaS) applications, such as Microsoft Office 365, Salesforce.com and the suite of Google applications, says John Howie, chief operating officer of the Cloud Security Alliance, a nonprofit coalition of industry practitioners which seeks to educate stakeholders and promote the use of cloud computing best practices. Additionally, he says the idea of giving sensitive corporate data to a third party is not unique to the cloud. Companies for years have outsourced human resources and payroll services with little concern that an insider could steal data, he says.
The underlying key to determining insider threats is a full-risk analysis, Howie says. Companies need to ensure their providers employ best practices to protect private data, he says, but much of the security enforcement should remain with the customer and not with the provider.
Cloud service providers that permit the customer to do self-provisioning can eliminate much of the vendor-introduced errors and eliminate the provider's vulnerability to threats by ensuring that it has no interaction with customer data, Howie says. In an infrastructure-as-a-service (IaaS) setup, such as Amazon Elastic Compute Cloud (EC2), the customer is required to provide all data security. In fact, Amazon's FAQ states: “You have complete control over the visibility of your systems. The Amazon EC2 security systems allow you to place your running instances into arbitrary groups of your choice. Using the web services interface, you can then specify which groups may communicate with which other groups, and also which IP subnets on the internet may talk to which groups.”
Mandating these steps enables users to manage traffic to their particular requirements within the host environment. “Of course,” the FAQ continues, “you should also secure your instance as you would any other Linux host.”
Guidelines: Stopping leaks2. Organizations should consider using multiple types of IDP technologies to achieve more comprehensive and accurate detection and prevention of malicious activity.
3. Organizations planning to use multiple types of IDP technologies or multiple products of the same IDP technology type should consider whether or not they should be integrated.
Another popular cloud provider, Rackspace, publishes its security practices on its website, including its own hiring policies. According to Rackspace, the company “will perform pre-employment background screening of its employees who have access to customers' accounts.” Additionally, the company states it will control access, privileging only those “employees and other agents” who need to provide services with the ability to touch customer accounts. Additionally, those personnel with access codes are required to logon with username and password.
Themis Papageorge, director of information assurance at Northeastern University in Boston, is more circumspect than Howie when it comes to cloud security. While emphasizing the need for a full-risk analysis for data in any environment - cloud or corporate - he says that moving data offsite does increase vulnerability exposure. Although companies such as Rackspace take precautions with their internal hires, risk increases as more individuals have access to data.
Privileged users – those who have access to data based on their credentials – can pose a legitimate weakness, regardless if the users work for the owner of the data, a service provider or a business partner, he says. One important key to protecting confidential data, regardless of whether it resides locally or in the cloud, is provisioning, Papageorge says. The more users who have access to confidential data, the greater the vulnerability footprint.
Restricting access to a need-to-know basis can limit potential issues, Papageorge adds. Further, companies need to put in place countermeasures and controls, such as policies for security, administration, physical access to servers and the technologies used to run and protect the systems themselves.
Monitoring usage, access and activities are critical to ensure that corporate policies are followed, he says. When defending against an external attacker, the company will have a number of physical and logical protections in place – everything from locked doors to the premises to login and password controls on users. However, he says, with an internal threat, many of those defenses are, by definition, bypassed, be the attacker malicious, such as an employee who is stealing data from the company, or the employee who accidentally causes an exposure by leaving a VPN open or an unattended machine logged on.
Insider threats need not be malicious in order to be destructive. Corporate IT departments do not give up management responsibility when they deploy applications and data to the cloud. “You have more responsibility,” Papageorge says. “The probability of errors is higher.”
Guidelines: Stopping leaks
4. Before evaluating IDP products, organizations should define requirements that the products should meet.
Companies that outsource computing resources, including applications or even a full infrastructure, must not relinquish their management or monitoring responsibilities, he says. Doing so will increase the possibility of errors and attacks. Large corporations likely are aware of this need already, as they tend to have professional IT and security staffs that understand risk management. A small or midsize business (SMB), however, should get advice from security professionals before turning over any responsibilities to a third party.
“Advice is not expensive,” Papageorge says, adding that the cost of a data leak could be far greater than the price a company would pay for professional security consulting.
This possibility is neatly illustrated by the case of Mat Honan, a former contributing editor for Wired magazine, who in August was the victim of a cloud-based attack. The incursion was caused, in part, by a help-desk employee who unwittingly gave the attacker access to Honan's private cloud account. The attacker allegedly compromised his Gmail, Twitter, Amazon and Apple iCloud accounts, ultimately resulting in the loss of all data from all of the devices. As part of the attack, the hacker gained access to his credentials by duping a rep at Apple's online help center into providing Honan's personal information, saying that he needed assistance accessing the account.
One solution to vulnerabilities such as this one may be mitigated by what Forrester Research, in its report, “The Forrester Wave: Enterprise Cloud Identity and Access Management, Q3 2012,” identifies as the “market moving toward turning IAM [identity and access management].” The report projects the segment emerging into an “explicit business enabler rather than a mere cost center and putting more focus on federated identity administration versus just front-door authentication and access control into remote apps.”
Guidelines: Stopping leaks
5. When evaluating IDP products, organizations should consider using a combination of several sources of data on the products' characteristics.
A variety of vendor-neutral resource material is available to assist the IT manager in developing a strategy to defend against insider threats. The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, currently is working on a special publication, the “Guide to Intrusion Detection and Prevention Systems (IDPS).” The draft offers recommendations for companies to protect themselves from both internal and external intrusions.
While another NIST document, “Special Publication 800-94,” was under public review until the end of August, it provides details on intrusion detection and prevention principles, an explanation and analysis of various technologies and their capabilities, and an explanation of how companies can do product selections.
This article originally ran in a Spotlight edition of SC Magazine.