The threat of a malicious insider is well-known to most organizations. This threat is amplified for
consumers of cloud services by the convergence of IT services and customers under a single management
domain, combined with a general lack of transparency into provider process and procedure. For example,
a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors
these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is
often little or no visibility into the hiring standards and practices for cloud employees. This kind of
situation clearly creates an attractive opportunity for an adversary — ranging from the hobbyist hacker,
to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of
access granted could enable such an adversary to harvest confidential data or gain complete control over
the cloud services with little or no risk of detection.

The impact that malicious insiders can have on an organization is considerable, given their level
of access and ability to infiltrate organizations and assets. Brand damage, financial impact, and
productivity losses are just some of the ways a malicious insider can affect an operation. As
organizations adopt cloud services, the human element takes on an even more profound importance.
It is therefore critical that consumers of cloud services understand what providers are doing to
detect and defend against the malicious insider threat.

- Enforce strict supply chain management and conduct a comprehensive supplier assessment.
- Specify human resource requirements as part of legal contracts.
- Require transparency into overall information security and management practices, as well as compliance reporting.
- Determine security breach notification processes.