If you've ever been an IT hiring manager, you know the scrutiny that goes into the interview process as you seek to bring trustworthy and effective talent into your organization. (Also, it's a bonus when those potential employees like the same beer as you.) But just as cloud adoption has forced organizations to re-think their definition of network perimeters, so too must they consider redefining the 'insider threat.'
Private cloud and the insider threat
Clearly, despite our best efforts to hire good people, we're still doing something wrong.
Depending on which research you read, insiders are responsible for anywhere from 14% of data breaches (as published in the Verizon 2013 Data Breach Investigations Report), to over 36%, as Forrester Research has published. Both of these reports make the important distinction between malicious insiders, who seek access for profit or revenge, and the employees who simply make mistakes -- leaving data exposed or vulnerable. Frankly, from a compliance or breach notification standpoint, these nuances don't matter. If sensitive or regulated data gets out, you've got problems.
But when you think about how you address the problems, understanding how these types of threats impact your organization does matter. Further, I would argue that it is even more important to understand if you have a highly virtualized data center, and/or if you are outsourcing infrastructure to a public cloud.
As I've discussed in previous posts, most cloud infrastructure is built on server virtualization, and virtualized infrastructure requires unique security. In a nutshell, virtualized infrastructure lacks the physical separation and more isolated administrative controls present in physical servers, while applications and their data become co-mingled in storage and backup environments.
It would seem that in your data center, you ostensibly have better control. You hire your IT staff (or outsource to a trusted provider). You have physical security controls like locks, key cards and cameras. You've hopefully got the budget for the critical network security technology like firewalls, vulnerability management and remediation, monitoring, access controls and encryption.
And yet, Ponemon Institute research shows that "on average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud."
So what are we doing wrong? Do we need better tools? Do we need better training? Even if we can train to prevent the bulk of employee errors, there is still the issue of 'bad egg' employees.
And, if we can't control the behavior of our own employees, how can we possibly entrust our mission critical applications to a cloud service provider (CSP)?
Public cloud -- when insiders become outsiders
While most statistics consistently rank 'security concerns' among the top 3 inhibitors to public cloud adoption, I think it would be a fascinating study to compare the types of incidents and breaches that occur at the average enterprise to those that occur at a cloud service provider.
It's an interesting question. While many companies allocate responsibility for security and data privacy to a security or compliance officer, I've certainly talked to many companies where this role has yet to receive definitive power or control over the IT organization.
Further, most of these companies' core business does not have to do with providing IT services. They are manufacturers, who want to make sure their intellectual property or trade secrets don't end up in their competitors' hands. They are healthcare providers, whose primary business is to heal their patients. Building a truly effective infrastructure that meets all their operational, security and compliance needs may not only be expensive, it may be increasingly challenging to achieve.
Is it possible that cloud service providers, whose business presumably depends on providing IT infrastructure that is available and secure, have better incentives to hire and train good IT people than your average fortune 1000 company?
Trust no-one.
I think the unfortunate reality of the world we live in today is that no matter what we do, human error and human frailty in the face of profit or revenge will always exist. Good hiring practice will remain critical -- to CSPs and to companies. But technology will continue to be crucial to consistently guide and enforce the right behavior.
Do you think CSPs will ultimately offer better security than what you can support in house? How are you mitigating these threats?