The risk of moving data and applications into cloud environments is constantly becoming better understood, and covers a broad range of technical controls that security professionals are learning to discuss and audit, where possible. However, one cloud computing threat that needs more attention from security teams is malicious insiders.
We’ve battled the “insider threat” for many years within our own organisations, but now we need to make sure cloud providers are doing the same through their hiring practices and administrative controls. A malicious insider, like a rogue administrator, could access your sensitive data, steal information, sell your data to other parties or perform any number of other malicious activities.
Using the CSA guidance to counter the insider cloud computing threat
Cloud providers will, of course, develop and maintain their own hiring practices and access control procedures, and leverage administrators as needed to fulfill job functions. The challenge is in vetting these procedures, and matching them to your own internal standards to determine whether or not they meet your expectations and legal and regulatory compliance requirements. The Cloud Security Alliance Cloud Controls Matrix, which can be used as the basis for evaluating both internal and CSP security controls, includes the following specific controls that pertain to cloud provider administrative access and resource control:
- FS-02: Facility Security - User Access
- FS-04: Facility Security - Secure Area Authorisation
- HR-01: Human Resources Security - Background Screening
- HR-02: Human Resources Security - Employment Agreements
- HR-03: Human Resources Security - Employment Termination
- IS-07: Information Security - User Access Policy
- IS-08: Information Security - User Access Restriction / Authorisation
- IS-09: Information Security - User Access Revocation
- IS-10: Information Security - User Access Reviews
- IS-11: Information Security - Training / Awareness
- IS-13: Information Security - Roles and Responsibilities
- IS-15: Information Security - Segregation of Duties
- IS-16: Information Security - User Responsibility
In particular, control HR-02 has been updated in the most recent CCM version to reflect the importance of information security training and enforcement in hiring practices:
“Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third-party users and tenants and/or customers shall contractually agree and sign equivalent terms and conditions regarding information security responsibilities in employment or service contract.”
The CSA Consensus Assessments Initiative Questionnaire has several supporting questions to align with the HR controls in the CCM, all of which you should ask your cloud provider or any potential service provider:
- HR-01: Pursuant to local laws, regulations, ethics and contractual constraints are all employment candidates, contractors and third parties subject to background verification?
- HR-02: Do you specifically train your employees regarding their role vs. the tenant's role in providing information security controls?
- HR-02: Do you document employee acknowledgment of training they have completed?
- HR-03: Are roles and responsibilities for following performing employment termination or change in employment procedures assigned, documented and communicated?
Additional questions to ask
With those specific controls and questions from the CSA in mind, what should you be looking for when evaluating CSP hiring practices and security controls around administrators? Here are some questions to help guide you:
- Ask to see documented employee handbook guidelines and specific hiring guidelines for performing background checks on employees and prospective employees. There are a variety of background checks that can be performed, and the most common include criminal history and credit history reviews. Ideally, there will be more stringent checks for CSP employees who have administrative access to and control over customer-related systems and data.
- Ask the CSP whether any sort of privileged user monitoring (PUM) tools are in place to keep tabs on administrator access and activities. Ideally, these should exist, and service providers should also have a follow-up process for logging and alerting that ties into their incident response processes. Many CSPs may be reluctant to share this much detail with you, but it’s worth pushing for.
- Ask the CSPs about their process for identifying suspect administrator behavior, and what they do about it. Ask pointedly if they have experienced any incidents related to this, and how they learned from the experience. Again, this may be “out of bounds” for many CSP dialogues, but you should ask the questions.
- Ask about termination procedures for administrators, for both planned resignations and layoffs as well as HR-directed terminations for cause. There should be procedures for both, and these should be documented. Preferably, the CSP should have audit trail examples of these controls (sanitised) that can be shared as proof, or this should be documented in its SSAE 16 report.
- If you require a CSP with strict data sensitivity guidelines or need a cloud environment that will contain and access sensitive data like military information, you’ll need a much more stringent set of documented proof that employees have clearances or other, more rigorous hiring practices applied.
- Ask to speak to existing and previous customers about their impressions of the CSP’s administrators. The CSP should be able to provide you with references easily.
In the CSA’s Top Threats to Cloud guide (.pdf), threat No.3 (out of seven) is “Malicious Insiders.” This is a topic we’ve been acknowledging for some time, yet many organisations aren’t getting the detailed information they need to determine how diligent the CSP’s hiring practices may be. With the huge potential impact of a cloud provider insider attack, it’s critical we push CSPs to provide more detailed information about their hiring processes in order to mitigate this and other major cloud computing threats.
About the author:
Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor, and course author. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualised infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualisation security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.