Insider Threats Related to Cloud Computing--Installment 5: Securing Against Cloud-Related Insiders
By CERT Insider Threat Center on 08/27/2012 | Permalink
Hi, this is Bill Claycomb and Alex Nicoll with installment 5 of a 10-part series on cloud-related insider threats. In this post, we discuss how to secure against one type of cloud-related insider threat: rogue administrators.
The security of cloud computing is a popular research topic; and insider threats in the cloud is no exception. Unfortunately, as cloud computing is primarily a collection of previously existing technologies used in a new way, many solutions to cloud security concerns are merely repackaged solutions to other problems. Though responsibilities may differ, there are few fundamental differences between a rogue administrator at the cloud provider and a rogue administrator within the customer organization; both insiders have root access to systems and data, and both may employ similar types of attacks to steal information. However, architecture differences and trust issues between organizations and cloud providers presents the need for specialized approaches to insider security in the cloud.
The remediation listed in CSA’s document, Top Threats to Cloud Computing, Version 1.0, is quite applicable to the rogue administrator:
- Enforce strict supply chain management and conduct a comprehensive supplier assessment.
- Specify human resource requirements as part of legal contracts.
- Require transparency into overall information security and management practices, as well as compliance reporting.
- Determine security breach notification processes.
Many of these items can be achieved through careful management and enforcement of service level agreements (SLAs) with cloud providers. Though enforcement of SLAs is difficult, due to transparency issues with cloud providers, the authors of Self-Adaptive and Resource-Efficient SLA Enactment for Cloud Computing Infrastructures (presented at IEEE Cloud 2012) and Casvid: Application Level Monitoring for SLA Violation Detection in Clouds (presented at COMPSAC 2012) present methods for SLA enactment and monitoring that organizations may find useful to consider.
Several researchers suggest encryption as a method of protecting data in the cloud. Two novel solutions are described by the authors of Over-Encryption: Management of Access Control on Outsourced Data and Privacy as a Service: Privacy-Aware Data Storage and Processing In Cloud Computing Architectures, but these are clearly not the only options proposed for secure data storage in the cloud. One vulnerability of data encryption with respect to rogue administrators is that encryption keys stored or used on cloud systems are subject to eavesdropping.
A motivated attacker could potentially recover decryption keys using memory analysis on the host system. Using cloud services to simply store and/or transfer encrypted information, without introducing the associated keys to the cloud system, is a potential way to protect that data from a rogue cloud administrator. For some organizations, this could be a way to protect the data from rogue local administrators as well. That is, a cloud-based rogue administrator would have access to the encrypted data, but not the associated keys; and a local rogue administrator would have access to the locally-stored keys, but not the encrypted data. It is easy to point out a weakness with this suggestion: How does the organization prevent the local rogue administrator from stealing credentials to access the cloud-based data? Proper enforcement of local separation-of-duties policies, as described in Separation of Duties in Computerized Information Systems of Database Security IV: Status and Prospects could be a viable approach to that problem.
Other issues that illustrate the risk posed by rogue administrators are the lack of involvement an organization has in the hiring process, access control procedures, and monitoring of system administrators at the cloud provider. The concerns are generally as follows:
- How does an organization know the access?
- How does the customer know the cloud provider enforces strict hiring guidelines?
- How can the organization be assured that the cloud provider is adequately monitoring for insider attacks?
The insinuation could be made that cloud providers hire any system administrator they can find, regardless of qualifications or security concerns. But current events do not seem to support the notion that cloud providers have no security vetting process and hire unknown and untrusted administrators. Otherwise, cases of nefarious insiders stealing sensitive information from within cloud providers would abound. Rather, it seems that cloud providers have a vested interest in hiring carefully screened administrators that meet the security requirements of their customers.
This interest would seem to be particularly true for very large and visible cloud providers seeking to attract business from multi-national corporations, governments, etc., such as the U.S. Department of the Interior, which recently announced a 7-year, $35 million contract for cloud email and collaboration services. Because data protection is critical to business success, cloud providers simply cannot afford a rogue administrator incident; and they have enormous resources available to ensure system administrators are carefully vetted prior to hiring, given very limited access to systems with customer data, and are carefully monitored for indications of malicious activity.
Coming up next: We’ll discuss ways of securing against two more types of cloud-related insider threats.