Limiting Risks Found in the Cloud

CERT on Insider Threats Posed by Service Providers

By , June 10, 2013.
Limiting Risks Found in the Cloud

Operating in a cloud exposes organizations to a new dimension of insider threat problems, says Alex Nicoll of Carnegie Mellon University's CERT Insider Threat Center.

See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

Cloud computing providers must step up and develop approaches to prevent their employees from stealing or harming customer data they host, says Nicoll, a senior cybersecurity analyst, and Dawn Cappelli, CERT technical manager, in a joint interview with Information Security Media Group [transcript below].

"We're hoping that the cloud service providers understand insider threat," Cappelli says. "We have recommendations that we provide for organizations for what they should do to protect themselves against rogue administrators and to protect themselves against theft of intellectual property. Our hope is that cloud service providers understand that as well."

Cloud service providers, Nicoll says, can implement mechanisms to detect if their employees are attempting to modify a customer's virtual machines to modify data. "But absent this client service provider [offering] those capabilities, the operating system really can't tell," which leaves organizations vulnerable, he says.

Cappelli and Nicoll, in the first part of a two-part interview, address the:

  • Types of threats insiders pose in the cloud;
  • Characteristics of the insider who threatens IT security;
  • Limited technical approaches organizations can adopt to monitor potential insider threats from their cloud providers.

Cappelli, who joined CERT in 2001, founded the Insider Threat Center, part of Carnegie Mellon's Software Engineering Institute. Her teams research cyberthreats; develop and conduct assessments; and provide solutions and training for preventing, detecting and responding to illicit cyber-activity. Before joining CERT, Cappelli served as the director of engineering for the Information Technology Development Center of the Carnegie Mellon Research Institute.

Before joining CERT, Nicoll was as a senior technology research fellow at the University of Nebraska at Omaha, where he served as the associate director of the Nebraska University Consortium on Information Assurance. Earlier, at the U.S. Strategic Command working for contractor BAE Systems, he served as the primary systems architect on the distributed command and control systems, designing data centers and large-scale redundant/fault-tolerant computing systems.

Insider Threats in the Cloud

ERIC CHABROW: I think most of us can envision how an insider poses a threat from within the enterprise. The cloud is outside the enterprise. What are the insider threats from the cloud and how are they different from those within the enterprise?

DAWN CAPPELLI: In order to answer that, I'd like to review the different types of insider threats. The first type of insider threat is insider IT sabotage. This is when you have a very technical employee who typically is disgruntled or upset about something that happened at work and they get mad enough that they end up on the HR radar, so to speak. It's bad enough that they end up being sanctioned, fired or demoted. Then they attack. They typically set up the attack before they leave and carry it out after.

The second is theft of intellectual property, typically carried out by a scientist, engineer, programmer or business person within typically 30 days or so of when they leave the organization, so on their way out the door.

The third is insider fraud, which is either theft of information or modification of information in systems for financial gain, and that's typically done by low-level employees - help desk, customer support, those types - or their managers. Then there's national security espionage.

ALEX NICOLL: One of the things to remember about a cloud environment is that it's essentially a platform which is running on somebody else's infrastructure. And because of that, you're adding a whole new dimension to the insider threat problem. In a traditional enterprise, you have insider threats from your application administrators, your IT help desk folks and the people who do your day-to-day systems administration. When you bring the cloud into the picture, you still have those other three original categories of insider threats, as well as the additional category of the cloud service provider administrators.

Follow Jeffrey Roman on Twitter: @gen_sec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE White House, Apple Advance HTTPS

Encrypted browsing - using HTTPS - helps secure online communications, and Apple says developers...

Latest Tweets and Mentions

ARTICLE White House, Apple Advance HTTPS

Encrypted browsing - using HTTPS - helps secure online communications, and Apple says developers...

The ISMG Network