Insider threat for Cloud. Some thoughts.

As we move towards 100% virtualization the role of vAdministrator appears more and more important. vAdmin can rule all the infrastructure from one single console, unlike years before. One of Top3 US banks can be brought down completely by a single script, imagine that!
We start to see more and more cases when fired admin log in to ex-employers infrastructure via McDonalds WiFi and delete some critical data.
Let’s take CodeSpaces example – hackers wanted a lot of money, but didn’t get it. So they just deleted everything, including backups.

The only thing growing faster than IT security spending is the cost of security beaches. That’s the reality we see today.

Without any questions level of control will be increasing as well as pressing on privileged users and admins. But what really surprised me – 4 security pros on the stage (SEC2296, VMworld 2014) have said nothing about organizational problems in this security nightmare with insiders.

Let’s think about it a little. Insider is the person inside the company – employee most of time. And we can divide them into 3 basic categories:

  1. These people will do something bad and sell company’s secrets no matter what.
  2. People who can do something bad or do nothing.
  3. Angels. They will do nothing bad even if management will do something bad to them.

Type 1 insiders should be discovered ASAP, ideally even on interview – that’s why there are HR professionals involved and background checks performed.
Type 3 insiders are not a threat.

There are still type 2 people left, and that’s the type we ignore. Majority of any employees in any company. These people will do something bad as retaliation, they will not strike first. And guess what we’re doing to them?
– put under suspicion and constant control
– treat all their activity as they’re type 1 people
– completely ignore their personality, treating like replaceable and expendable working unit.

I can assure you – nothing is more stimulating like this kind of treatment for employer when you have an access to most critical services.

There is NO statistics on percentage of incidents caused by bad management treating employees like a trash. And we try to solve organizational problem technically, without any human interaction. Is this because we’re techno geeks lacking social skills or just because it’s more difficult and complex than to put web cams everywhere including restrooms?
At some point there can be ONLY trust. Imagine you’re on the operating table – how can you enforce security and be sure surgeon will do only permitted actions? There is no way, period. We’re giving very high rights to the surgeon, and we’re (society) also give very high responsibility.
Virtualization administrator with highest access is the very same surgeon operating on organization’s IT heart, sometimes while the heart still beats. So why we take a look on what admin is doing and not on how manager treats him / her?

So, after years of experience and thoughts I see 2 basic rules of information security when we talk about these type 2 guys and gals with full access.

  1. Insider threat becomes VERY real when you treat your employees and colleagues as insiders and threat instead of people who help. When you see them as easily replaceable and expendable working units.
  2. Employee’s loyalty to company starts with company’s loyalty to employee.

We should solve organizational and administrative problems first, otherwise technical solutions will be useless. Or even they will even lower overall security.

Leave a Reply

Your email address will not be published. Required fields are marked *