Mitigating Insider Threat From the Cloud
Part 1: Relying on Provider to Keep Its Employees in Check
Operating in a cloud exposes organizations to a new dimension of insider threat problems, says Alex Nicoll of Carnegie Mellon University's CERT Insider Threat Center.
Cloud computing providers must step up and develop approaches to prevent their employees from stealing or harming customer data they host, says Nicoll, a senior cybersecurity analyst, and Dawn Cappelli, CERT technical manager, in a joint interview with Information Security Media Group [transcript below].
"We're hoping that the cloud service providers understand insider threat," Cappelli says. "We have recommendations that we provide for organizations for what they should do to protect themselves against rogue administrators and to protect themselves against theft of intellectual property. Our hope is that cloud service providers understand that as well."
Cloud service providers, Nicoll says, can implement mechanisms to detect if their employees are attempting to modify a customer's virtual machines to modify data. "But absent this client service provider [offering] those capabilities, the operating system really can't tell," which leaves organizations vulnerable, he says.
Cappelli and Nicoll, in the first part of a two-part interview, address the:
- Types of threats insiders pose in the cloud;
- Characteristics of the insider who threatens IT security;
- Limited technical approaches organizations can adopt to monitor potential insider threats from their cloud providers.
Cappelli, who joined CERT in 2001, founded the Insider Threat Center, part of Carnegie Mellon's Software Engineering Institute. Her teams research cyberthreats; develop and conduct assessments; and provide solutions and training for preventing, detecting and responding to illicit cyber-activity. Before joining CERT, Cappelli served as the director of engineering for the Information Technology Development Center of the Carnegie Mellon Research Institute.
Before joining CERT, Nicoll was as a senior technology research fellow at the University of Nebraska at Omaha, where he served as the associate director of the Nebraska University Consortium on Information Assurance. Earlier, at the U.S. Strategic Command working for contractor BAE Systems, he served as the primary systems architect on the distributed command and control systems, designing data centers and large-scale redundant/fault-tolerant computing systems.
Insider Threats in the Cloud
ERIC CHABROW: I think most of us can envision how an insider poses a threat from within the enterprise. The cloud is outside the enterprise. What are the insider threats from the cloud and how are they different from those within the enterprise?
DAWN CAPPELLI: In order to answer that, I'd like to review the different types of insider threats. The first type of insider threat is insider IT sabotage. This is when you have a very technical employee who typically is disgruntled or upset about something that happened at work and they get mad enough that they end up on the HR radar, so to speak. It's bad enough that they end up being sanctioned, fired or demoted. Then they attack. They typically set up the attack before they leave and carry it out after.
The second is theft of intellectual property, typically carried out by a scientist, engineer, programmer or business person within typically 30 days or so of when they leave the organization, so on their way out the door.
The third is insider fraud, which is either theft of information or modification of information in systems for financial gain, and that's typically done by low-level employees - help desk, customer support, those types - or their managers. Then there's national security espionage.
ALEX NICOLL: One of the things to remember about a cloud environment is that it's essentially a platform which is running on somebody else's infrastructure. And because of that, you're adding a whole new dimension to the insider threat problem. In a traditional enterprise, you have insider threats from your application administrators, your IT help desk folks and the people who do your day-to-day systems administration. When you bring the cloud into the picture, you still have those other three original categories of insider threats, as well as the additional category of the cloud service provider administrators.
Now, the cloud service provider administrators often have abilities that are substantially more robust than any systems administrator would have. The main reason for that is that cloud service providers typically take advantage of virtualization in order to have large numbers of systems hosted on their hardware platforms. Those systems hosted on a cloud service provider can be of any sort, type or color, as long as they can be successfully virtualized using any number of commercial virtualization packages.
However, the virtualization administrators who work for the cloud service providers are not constrained by the operating system requirements of those virtualized images. They essentially operate outside the boundaries of those protections. By adding service to the cloud, you're adding the additional service of somebody who can essentially see their data and see everything that was going on in the enterprise based on whatever is in the cloud, and having very little way to actually monitor for them looking at your data, stealing your data or even changing your data if they have sabotage involved.
Monitoring for Suspicious Activities
CHABROW: So you're saying it's very difficult for the user, the customer, to monitor those activities?
NICOLL: In a lot of cases, yes. The biggest problem you have is that because the virtualization administrators that work for the cloud service providers are not constrained by the operating system or application-level protections that all the users of the cloud service are, the ability to monitor for them trying to interact with the system is simply not there, at least not at the consumer's level. The cloud service provider themselves can implement a number of mechanisms to detect if and when somebody's attempting to potentially modify your virtual machines or modify your data while it's actually being used. But absent this client service provider providing those capabilities, the operating system really can't tell.
In a lot of ways, it's analogous to what forensics experts have been doing for a long time. When forensics experts are analyzing a hard drive for suspicious information, they essentially take an image of that hard drive and then use their own tools and their own methods on that image. The image is not live so none of the protections afforded by that image are actually in force.
Therefore, the cloud service provider can essentially look at it in exactly the same way. When you've run a cloud instance, you have a whole bunch of virtual machine images that are sitting in the cloud service provider's environment, which the cloud service provider's administrators can then interact with using tools that essentially circumvent all of the protections on those virtual images.
Advice for Organizations
CHABROW: What should organizations do?
CAPPELLI: One thing that we're hoping is that the cloud service providers understand insider threat. We have recommendations that we provide for organizations for what they should do to protect themselves against rogue administrators and to protect themselves against theft of intellectual property and against fraud. Our hope is that cloud service providers understand that as well.
If they have a very technical system administrator, web administrator or database administrator who is very disgruntled and who is on the HR radar, we would hope that the cloud service provider would be able to look and see what that person has been doing online because, otherwise, they could sabotage not only their own employer systems but all of their customers' systems as well.
CHABROW: It sounds as if the company contracting out the cloud services has to put a lot of faith into the cloud provider to do their work to assure that their employees are not providing a threat. There's no technical solution to this from the customer's perspective?
NICOLL: There are three basic models of cloud service. There's the infrastructure-as-service, whereby the cloud service provider is essentially providing the bare hardware in a virtualization layer and the customer essentially can have their own entire infrastructure on top of their provided resources. There's the platform-as-a-service, where the cloud service provider is essentially providing a number of prebuilt virtual images that the subscriber can then customize for their own purposes. And then finally there's the software-as-a-service, where the cloud service provider is hosting a particular software application or a package, and it typically functions in a distributed manner that the consumer is then subscribing to.
Now, your ability to detect what's going on with your data essentially follows that same trend. The infrastructure-as-a-service people have a better chance of instituting monitoring to detect potential insider threats from the cloud service provider than the people who are doing platform-as-a-service, simply because they have a wider range of integration options. The folks that are subscribing to a software-as-a-service model essentially have the least chance of being able to.
From an infrastructure-as-a-service model, since you're building your own operating systems and you're building your own virtual images, you have your chance of creating essentially what I would call "canaries." They're settings on a particular virtual system that are in critical locations that would allow you to tell whether or not a particular change has been made outside the scope of the operating system.
For instance, if you're worried about a systems administrator trying to change values in a database, you can insert what we would call a canary record in the database so that if that gets overwritten for some particular reason, you know that something has gone wrong and you can go back and check for it. [It's] the same thing for your security accounts management in terms of if somebody's trying to create accounts on your system or, if you're using Windows, changing registry settings. There are a number of other options you have for essentially putting things in place to watch for.
CAPPELLI: We've been very concerned about the implications of insider threats in the cloud, and I think you can tell it's a very complex issue. We have a database of more than 800 insider threat cases that we use for all of our research in CERT. What we think would be a good idea is to take those cases and put them in the context of a cloud environment and really study what are the implications of these cases had the organization been using a cloud environment. That's research that we actually have just started, and will be publishing a report within the next few months. Hopefully we'll have more detailed recommendations after that.