Hi, this is Bill Claycomb, lead research scientist for the CERT Insider Threat Center and Alex Nicoll, technical team lead for Insider Threat Technical Solutions and Standards. Over the next few months, we will discuss, in a series of blog posts, problems related to insiders in the cloud, defending against them, and researching approaches that could help solve some of these problems.
The CERT Insider Threat Center is frequently asked to comment on insider threats related to new and emerging technologies. While not necessarily “new,” cloud computing is a paradigm that has recently emerged as a key component in many enterprise information systems architectures. We would like to share some observations of insider threats related to cloud computing, based on CERT’s analysis of our extensive collection of known insider threat cases. We welcome and encourage your feedback, and hope this information is useful for evaluating security considerations related to your use of cloud computing systems and services.
Organizations continue to embrace the advantages of flexibility, scalability, and management provided by cloud computing platforms and services, and often consider security one of their top concerns in cloud environments. One of the most serious challenges, not only to cloud computing, but to data security in general, is the insider threat—a threat well known to security professionals. The CERT Insider Threat Center, in the book The CERT Guide to Insider Threats, defines a malicious insider as a “current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
Since 2001, over 700 cases of actual insider crimes have been collected and analyzed by CERT researchers. The cases span multiple sectors and organizations of every size, from small companies to multinational corporations, and cover several hundred types of exploits used by malicious insiders to harm organizations. Some of these insider crimes relate to cloud computing, but the subject has not been thoroughly explored.
In 2010, the Cloud Security Alliance (CSA) released Top Threats to Cloud Computing, which describes seven threat areas considered most important to organizations using cloud services, including malicious insiders. This CSA report describes the insider threat in cloud computing as a malicious employee of a cloud provider accessing sensitive customer data. Additional details from the presentation made at the 2010 RSA conference indicate that “76 percent of respondents believe that the likelihood of Malicious Insiders in the cloud is possible, likely, or frequent.”
Despite these security concerns, cloud computing use continues to grow. One of many cloud service providers, Amazon.com, has been offering commercial cloud computing services for over 5 years, and today, cloud computing is used by millions of people. It has been embraced by governments, academia, and the world’s largest corporations. Given the widespread adoption and pervasive coverage from personal to business use, one might expect an abundance of cloud-related insider threat incidents.
Despite the grim predictions and creative hypothetical attacks presented by researchers, we have little evidence of actual events involving the type of insider described in CSA’s document. However, insiders do use the cloud to commit crimes, and the threat should not be dismissed.
In this blog series, we will briefly discuss three types of insider threats related to cloud computing and share tips for reducing the risk of these types of attacks. We’ll present a hierarchy of service provider administrators, and show how the architecture of cloud computing enables certain types of attacks to succeed. Finally, we’ll share our recommendations for future directions in insider threat research for cloud computing.
Coming up next: We’ll discuss three types of cloud-related insider threats and include an in-depth discussion of the “rogue administrator.”