When evaluating cloud services, many CIOs ask how well a vendor will be able to ward off groups of hackers. The bigger question to ask a cloud vendor may be, "Can you trust your own employees?"
While outsiders certainly try to break into these systems, internal employees already have access and can -- and unfortunately sometimes will -- do significant damage.
Insider threats come in a few variations. Businesses put many processes in place to protect information, but success or failure revolves around their employees' ability to follow directions. "Good people sometimes become very busy and make mistakes," noted Larry Ponemon, chairman and founder of Ponemon Institute, a market research firm focused on computer security.
[The struggle is real. Read 8 Reasons IT Pros Hate the Cloud.]
Compounding the problem, cloud system infrastructure has become large and complex. For instance, Amazon Web Services makes 50 million updates to its computer systems annually, which translates to one every 1.5 seconds. Vendors have deployed various automation tools to manage system workflows in such high-paced environments, but behind the tools are often harried data center technicians.
In other instances, workers willingly bypass established procedures. Employees may not be aware that they put themselves and their employers at risk when they transfer customer data to their personal computers, tablets, smartphones, or cloud file-sharing applications. In certain cases, they think their actions are justified because they deem the business processes unnecessary and inefficient.
Disgruntled employees are a significant threat. Employees may be angry with the way the organization conducts its business and see themselves as an Edward Snowden-like whistleblower. In other cases, an individual may feel unappreciated, be bypassed for a promotion, or feel undercompensated. He or she then takes steps to "right the wrong."
Greed plays a role in internal threats. "Corporate espionage is becoming more common," said Dan Blum, managing partner and principal consultant at security consulting firm Security Architects. Firms are putting more confidential information in digital formats, so it becomes more difficult for them to monitor use of that data.
Unfortunately, internal threats are quite common. A July 2015 Ponemon study, "Unintentional Insider Risk in United States and German Organizations," surveyed 1,071 IT and IT security practitioners in the US and Germany who understand and are familiar with the security risks created by negligent or careless employees and other insiders in their organizations. The study, which was sponsored by Raytheon and Websense, found that nearly half (46%) of respondents in the US said their organizations do not have the necessary safeguards in place to protect themselves from careless or malicious employees.
Those numbers may be low, because tracking insider threats is difficult. "Companies need to make information available to employees so they can do their jobs," said Randy Trzeciak, technical manager of the CERT Insider Threat Center at the Carnegie Mellon Software Engineering Institute. "Determining who is using the information inappropriately becomes a challenge."
Compounding the problem is the fact that the most productive employees are often the ones making the most mistakes. The vast majority of US respondents to the Ponemon Institute study (79%) said multitaskers are more likely to be careless than other employees.
The insider problems have a significant impact on the organization. Ponemon Institute found that each threat costs a company about $1.5 million.
Cloud customers are often in the dark about breaches that result from the actions of insiders. "Three out of four insider breaches are handled internally," said CERT's Trzeciak. Firms do not want to risk the public embarrassment that comes with disclosing such problems, so they deal with the malfeasance or incompetence internally.
So, what steps can the CIO take to ensure that its cloud provider staff members are doing their jobs properly? Data analytic tools are emerging that help businesses identify system aberrations, and better identify and potentially thwart insider threats.
However, cloud customers need to be proactive in their use of such tools. Often, the vendor is unwilling to let the customer access the data analytics system or talk directly with its employees.
But such steps can be written into the customer's service level agreement. "In the SLA, the customer should have the ability to audit the service on occasion, examine system logs, and hire an outside firm to investigate any potential internal breaches," explained Security Architects' Blum.
Businesses are turning to cloud services for many good reasons. However, CIOs need to be aware of the potential problems and put safeguards in place to protect themselves from suppliers' malicious or incompetent employees.
New deadline of Dec. 18, 2015 Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.Paul Korzeniowski is a freelance contributor to InformationWeek who has been examining IT issues for more than two decades. During his career, he has had more than 10,000 articles and 1 million words published. His work has appeared in the Boston Herald, Business 2.0, ... View Full Bio