Storms ahead: Insiders and the cloud

The cloud presents new challenges in protecting data, such as who is responsible for implementations, Stephen Lawton reports.

Cyber espionage is fast becoming a hot topic of Hollywood blockbuster movies, best-selling mystery novels and international intrigue. But, in real life, sometimes the “villain” is someone within the victimized organization and often the so-called attack is anticlimactic bordering on the mundane. And, while many insider breaches are malicious in motivation, sometimes attacks are nothing more than employees' accidents, misconfigured networks or staffers being duped into clicking on a legitimate-looking link in an email.

Further, unlike traditional data centers where insiders are employees of the company that creates and owns the information, cloud-based “insiders” might not work for the company at all, but rather the service provider that operates the data infrastructure or cloud-based software. Cloud service providers have their own staffs, and in the case where a company's cloud-based infrastructure is housed on virtual machines (VMs), the definition of who constitutes an insider gets increasingly muddled. In multitenant environments, each company that has data stored on a VM has its own community of insiders, and multiple VMs are housed on a single, physical piece of hardware. In such cases, the hypervisor component of the virtualization environment acts as the barrier among various stores of private information.

Guidelines: Stopping leaks

“The Guide to Intrusion Detection and Prevention Systems” from the National Institute of Standards and Technology (NIST) offers five recommendations for federal departments and agencies, although these are not limited to government sites. They include:

  1. Organizations should ensure that all IDPS [intrusion detection and prevention system] components are secured appropriately.

Who has responsibility?

Many cloud providers are moving away from the VM-centric cloud, instead opting for security controls built into off-the-shelf, software-as-a-service (SaaS) applications, such as Microsoft Office 365 and the suite of Google applications, says John Howie, chief operating officer of the Cloud Security Alliance, a nonprofit coalition of industry practitioners that seeks to educate stakeholders and promote the use of cloud computing best practices. Additionally, he says the idea of giving sensitive corporate data to a third party is not unique to the cloud. Companies for years have outsourced human resources and payroll services with little concern that an insider could steal data, he says.

The underlying key to determining insider threats is a full risk analysis, Howie says. Companies need to ensure their providers employ best practices to protect private data, he says, but much of the security enforcement should remain with the customer and not with the provider.