One of the biggest security challenges now facing all organisations is the “insider threat”: accidental or malicious activity by an individual with access to their network. Concerns about those with privileged access to the company’s data assets are significant: in our own survey of more than 500 IT security experts, 70 per cent of respondents considered the insider threat riskier than an outside attack. When attackers gain insider access they can stay undetected within the network for months and cause real and lasting damage. Risks include loss or theft of data, or even malware being introduced to the network.
Now, in the age of the cloud, assumptions about who the ‘insiders’ are need to be reconsidered. The perimeters are shifting and, if our data is no longer under our own watchful eyes, what is at risk when we don’t know, and haven’t been responsible for hiring or vetting, the very people entrusted to look after our most valuable asset? After all, we can’t simply walk into the data centre and oversee the individuals responsible for managing our IT estate. So how do we regain control of the human risk of ‘insiders’ at third-party providers?
The shifting network boundaries
As cloud computing has become ubiquitous, businesses of all sizes have reaped the benefits of flexibility and scalability. However, shifting network boundaries have given rise to misunderstandings about where the lines of responsibility start and finish when it comes to data security. When users can more easily access and share data, there’s not always clarity around when the user is responsible and when this responsibility rests with the cloud provider. Yet, given their privileged access rights, the consequences of damage done by a malicious insider, such as a cloud administrator, might be far more devastating than anything that could be perpetrated within the company itself.
The added challenge is that ‘insiders’ have the advantage of knowing the best way to infiltrate the network. With privileged access rights, they may know where to strike for maximum effect and how to disguise what they’ve done. And of course, there is an impact on the service provider. When even minor performance issues, delays or downtime can result in significant damage to their reputation, the impact of activity at the hands of a rogue employee could be devastating.
Best practices for visibility and control
There is always some risk involved in handing over responsibility to a third party; however, there are ways to control the partnership through a combination of sound processes, transparency and visibility of their activities.
- Establish the partnership parameters. From an operational perspective, organisations should exercise due diligence when selecting their partner and ensure that there are contractual obligations governing security policies and procedures that the cloud provider will adhere to. Organisations should also not be afraid to ask questions about those with privileged access rights. These are the systems administrators that will be managing the cloud computing environment, so it’s important to understand what kind of checks and controls are in place for these individuals.
- Monitor administrators’ activity. Restricting external administrator access is a challenging exercise. For this reason, it’s essential to have tools in place that can monitor third-party and external administrative activity. Organisations must know what is happening across the network in real time and protect against unauthorised access.
- Identify anomalies. New approaches, known as User Behaviour Analytics (UBA), are enabling organisations to understand what is really happening on the network and identify any unusual activity. They use machine learning algorithms to build a profile of each user and pinpoint abnormalities in their day-to-day activity. This can reveal data leakage or database manipulation, and the cause of the incident can then be quickly identified.
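The profile-and-deviation idea behind UBA, reduced to its simplest form as an added example (not Balabit’s code or the SCB product): a per-account baseline of hosts touched, commands run and hours active is learned from earlier privileged sessions, and later sessions are scored by how many ways they depart from it. The session records, account names and record format are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample of privileged-session records (hypothetical format):
# start-time  account  target-host  command-run
SESSIONS = """
2024-03-04T09:12:00 opsadmin db-01 backup.sh
2024-03-06T09:47:00 opsadmin db-02 backup.sh
2024-03-07T11:20:00 opsadmin db-01 psql
2024-03-08T03:14:00 opsadmin fileserver-01 tar
2024-03-04T14:00:00 vendor-admin web-01 systemctl
2024-03-05T15:30:00 vendor-admin web-02 journalctl
2024-03-08T15:10:00 vendor-admin web-01 systemctl
""".strip().splitlines()

def parse(line):
    ts, account, host, command = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account, "host": host, "command": command}

def build_profiles(sessions):
    """Per-account baseline: hosts touched, commands run and hours active."""
    profiles = defaultdict(lambda: {"hosts": set(), "commands": set(), "hours": set()})
    for s in sessions:
        p = profiles[s["account"]]
        p["hosts"].add(s["host"])
        p["commands"].add(s["command"])
        p["hours"].add(s["time"].hour)
    return profiles

def deviations(profile, s):
    """List the ways one session departs from its account's baseline."""
    if profile is None:
        return ["no baseline for account"]  # a never-seen account is always worth a look
    # host/command not in the learned set -> "unseen host" / "unseen command"
    reasons = [f"unseen {k}" for k in ("host", "command") if s[k] not in profile[k + "s"]]
    if not min(profile["hours"]) <= s["time"].hour <= max(profile["hours"]):
        reasons.append("off-hours")
    return reasons

def detect(lines, split=datetime(2024, 3, 8), threshold=2):
    """Learn from sessions before `split`, score the rest; alert when `threshold`
    or more deviations coincide, so a single new host alone does not page anyone."""
    sessions = [parse(line) for line in lines]
    profiles = build_profiles([s for s in sessions if s["time"] < split])
    alerts = []
    for s in sessions:
        if s["time"] >= split:
            reasons = deviations(profiles.get(s["account"]), s)
            if len(reasons) >= threshold:
                alerts.append({"account": s["account"], "host": s["host"], "reasons": reasons})
    return alerts
```

Real deployments learn from weeks of recorded sessions and weight the deviations; the point here is that the baseline is per account and that an alert needs several coinciding departures, not one.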
Fundamentally, organisations need to take control of the partnership with their provider and apply the same strict security standards that they would have within their own organisation. Visibility of the activities of privileged users helps to control the ‘human risk’ and means that any actions at the hands of a malicious ‘insider’ can be quickly stopped in their tracks.
Csaba Krasznay, Product Manager, Balabit
Csaba Krasznay received his MSc in 2003 in electrical engineering at Budapest University of Technology and Economics. He works for BalaBit as a Product Manager and is responsible for the vision and product strategy of BalaBit's Shell Control Box (SCB).
He is a board member of the Magyary E-government Association and the Voluntary Cyberdefence Coalition. He received his PhD at the National University of Public Service, where he is an assistant professor; his research topic is the security of e-government systems. He was elected “Most Influential IT Security Expert of the Year 2011”.
Csaba Krasznay has a PhD in Military Technology.