Insiders can become a real cyber threat to organizations for an obvious reason: they are already part of the organization and they are considered to be trusted. Whether malicious or careless, they can pose a bigger risk than external intruders since they do not have to breach external security fences.
According to the Carnegie Mellon University CERT, insider threat to an organization “[is] the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”
With organizations increasingly migrating services and data to the cloud, it is important to understand the various insider threat factors associated with cloud security. Anton Chuvakin, Head of Security Solutions for Google Cloud, highlights two factors: human error and malicious intent.
A non-malicious human error could lead to sensitive data and asset disclosure, loss, or theft. Sensitive data and assets could be personal data, medical information, or even the encryption keys. Although human errors are not closely associated with cloud platforms and can be witnessed in on-premises deployments as well, their impact tends to be more damaging in public cloud environments.
During the recent Capital One data breach, a criminal exploited a misconfigured cloud firewall to gain access to data on 100 million card customers and applicants. While there are thousands of potential cloud misconfiguration mistakes, these errors can be classified into the following categories:
Many cloud customers believe that only “authenticated users” have access to storage buckets. However, this is far from being the truth. An authenticated user is anyone with authentication credentials to access the cloud service provider, which is effectively every service customer. Because of this misunderstanding, and the resulting misconfiguration of the control settings, storage objects can end up fully exposed to public access.
Weak secrets management can cause serious disruptions to an organization. It is essential to secure secrets such as passwords, API keys, admin credentials, and encryption keys. If they are left unprotected in open repositories or misconfigured cloud buckets, it is the equivalent of leaving the key to your home's entrance taped to the front door.
Disabled monitoring settings
Many organizations fail to enable, configure, or even review the logs and telemetry data that public cloud platforms provide. This data is valuable for flagging security-related events; without it, those events go undetected, paving the way for external actors.
Loose access controls to hosts, containers, and virtual machines
Although we would never connect a physical server to the internet without a firewall to protect it, this happens quite often with cloud instances. The examples are numerous: containerized value stores are exposed to the internet, legacy protocols like FTP are enabled on cloud hosts, and insecure telnet has been virtualized and migrated to the cloud.
Lack of validation
Organizations often fail to establish mechanisms to validate cloud security controls and identify any misconfigurations. An auditor, whether internal or external, should verify that services and permissions are properly configured and applied.
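A validation check of the kind described above, applied to the "authenticated users" misunderstanding from the storage bucket category. This is an added example, not part of the original article; the two provider formats (an S3 bucket ACL and a Google Cloud Storage IAM policy), the bucket names, and the sample documents are assumptions constructed for illustration.

```python
import json

# Group principals that are broader than many customers assume:
# "authenticated users" means any account holder at the provider, not only yours.
S3_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
GCS_MEMBERS = {
    "allUsers": "anyone on the internet",
    "allAuthenticatedUsers": "any Google account holder",
}

def audit_s3_acl(bucket, acl):
    """Findings for an ACL document shaped like `aws s3api get-bucket-acl` output."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in S3_GROUPS:
            findings.append((bucket, grant.get("Permission"), S3_GROUPS[uri]))
    return findings

def audit_gcs_policy(bucket, policy):
    """Findings for an IAM policy shaped like `gsutil iam get` output."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in GCS_MEMBERS:
                findings.append((bucket, binding.get("role"), GCS_MEMBERS[member]))
    return findings

# Constructed sample documents (not taken from any real account).
SAMPLE_S3_ACL = json.loads("""{"Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"}
]}""")
SAMPLE_GCS_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers", "user:alice@example.com"]},
    {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
]}

def run_audit():
    """Audit both constructed samples and return the combined findings."""
    return (audit_s3_acl("example-reports", SAMPLE_S3_ACL)
            + audit_gcs_policy("example-exports", SAMPLE_GCS_POLICY))

if __name__ == "__main__":
    for bucket, permission, audience in run_audit():
        print(f"{bucket}: {permission} granted to {audience}")
```

Grants to the owner, to a named user, or to a named group are not reported; only the two provider-wide principals are, because those are the ones that expose objects beyond the organization.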
Malicious insiders are where things become really interesting. Carnegie Mellon University states that all malicious insider incidents “involve misuse of authorized access to an organization’s critical assets, which presents unique security challenges. Perimeter-based security strategies are not adequate to identify and prevent malicious behaviors from insiders. Moreover, insiders know which assets are most critical and how their organization protects them. Static and traditional security models focused on threats from external threat actors, therefore, are ineffective against insider threats.”
The way that cloud security is modeled around the shared responsibility principle implies two different types of malicious insiders:
- Insiders from the cloud customer organization, and
- Insiders from the cloud service provider.
It is the disgruntled insiders of cloud service providers that usually make the news headlines. Researchers Claycomb and Nicoll of Carnegie Mellon University say that “The common notion of a cloud insider is that of a rogue administrator of a service provider.” In addition, they have identified “two additional cloud-related insider risks: the insider who exploits a cloud-related vulnerability to steal information from a cloud system, and the insider who uses cloud systems to carry out an attack on an employer’s local resources.”
For example, a former employee gained unauthorized access to the company’s cloud infrastructure and deployed malicious code that deleted 456 virtual machines used for Cisco’s WebEx Teams application. As a result, approximately 16,000 users of WebEx could not access their accounts for two weeks. The former employee used his knowledge of the firm's security mechanisms and abused their weaknesses to gain access to cloud infrastructure and deploy his code. Seemingly, access to sensitive resources was not protected with two-factor authentication or other access management tools.
Besides the cloud provider's insiders, the cloud customer's insiders can also become a serious threat, since most of the time they hold valid credentials to access the data. While some cloud provider employees could access the data, it is the cloud customers’ insiders who actually have direct access to their data in the cloud via valid credentials.
Why are insiders a risk to cloud security?
Insiders, whether negligent or malicious, present a serious risk to a robust cloud security posture because insider attacks are harder to detect and respond to. Most organizations do not have the tools for monitoring “abnormal user behavior across their cloud footprints.”
Researchers Kandias, Virvilis and Gritzalis of the Athens University of Economics and Business reiterate that “Mitigation of the insiders’ problem is often complicated, as they can focus on a variety of target systems and orchestrate their attack motivated by several reasons, from personal profit to narcissism. To make things worse, the insider usually has the privilege of time, to study the information system and deploy a serious attack, which is very difficult to predict and detect in due time.”
Besides the complicated detection and prevention of insider attacks, these attacks are dangerous because they “open up avenues for other attacks.”
In fact, insiders rank as the top cloud security threat facing public clouds. The Cybersecurity Insiders 2020 Cloud Security Report found that organizations ranked misconfiguration of the cloud platform (68%) as the highest threat. Insecure interfaces and APIs (52%) and malicious insiders (36%) were also among the top 10 cloud security threats.
How a Cloud Security Professional can help
The foundational principle behind the mitigation of insider threats to cloud security is the one of least privilege. Organizations should establish and enforce strong identity and access management (IAM) policies and controls to restrict the users’ access and permissions to cloud instances and services.
However, access management alone is not enough. It has to be complemented by various preventative cloud security measures. This is exactly where a Cloud Security Professional comes in handy. They possess all the essential and foundational knowledge to fortify an organization’s cloud security posture by selecting the controls that would effectively mitigate the insider threat.
These countermeasures should include:
- Encrypt all data at rest and in transit and safeguard the encryption keys to avoid compromise or theft.
- Automate cloud secure configuration and infrastructure provisioning activities to reduce vulnerabilities linked to misconfiguration, mismanagement, missing patches, and mistakes.
- Establish secure landing zones to prevent new attack surfaces from opening in new environments like development, staging and production. Landing zones allow security professionals to standardize cloud environments that are provisioned to DevOps teams. They offer consistency across all tenants in naming, scaling and access control, creating a security baseline that preempts (accidental) non-compliant or unauthorized configurations.
- Continuously monitor the effectiveness of cloud security measures. Monitoring makes it possible to identify new risks and to determine the visibility, alerting, and prevention requirements for each cloud environment in order to prevent potentially dangerous actions.
- Establish incident response and recovery procedures and map them to business continuity plans to ensure business resilience.
How the CCSP Certification Can Help You to Succeed
Putting all these controls in place is not an easy task. Cloud security is not a one-off exercise and cloud security professionals should always revisit these policies to align them to current business initiatives. Applying cloud security through due diligence is an enabler for business innovation.
The ISC2 Certified Cloud Security Professional (CCSP) is the answer to all your concerns. CCSP is the benchmark of cloud security certifications and is repeatedly recognized as the most valued and well-rounded cloud security certification.
CCSP is a vendor-agnostic certification that ensures that certified practitioners have the security knowledge to successfully secure any cloud environment. It is CCSP’s unique criteria that have elevated it to a standard that has allowed it to be identified as the premier cloud security certification, providing an advantage in an increasingly competitive corporate landscape.
Attaining CCSP certification shows you have the advanced technical skills and knowledge to design, manage and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures established by the cybersecurity experts at ISC2.
To learn more about how the CCSP credential can help you gain expertise and advance your career, download our white paper Cloud Security Skills Can Take Your Career to Infinity (And Beyond).