Cloud Providers' Hiring Methods Pose RisksPaper: Dubious Employment Practices Raise Insider Threat Concerns
In a peer-reviewed paper released Monday at the RSA security conference in San Francisco, the not-for-profit Cloud Security Alliance issued its top threats to organizations employing cloud computing, including the risk from malicious employees of cloud computing providers.
Vetting conducted by some large cloud computing customers reveal that the hiring of cloud providers' technical staffers lack the robust and uniform practices followed by other technology companies, said Jim Reavis, Cloud Security Alliance co-founder and executive director, citing interviews conducted by the alliance in preparation for the report, Top Threats to Cloud Computing.
"There's no perfect world and we have bad actors wherever we go, but we do have concern because of the rapid growth of cloud providers," Reavis said in an interview. "A lot of them will literally tell us, 'We're trying to hire anyone with pulse and got some knowledge of the technology component needed to build this.'"
Reavis said a significant gulf exists between the staffing needs of the information technology sector and employees with the appropriate education and expertise, especially at times that a disrupted technology shift occurs. "This is generically not cloud specific problem. but it is, in fact, something very relevant to cloud environment," he said. "There's absolutely a dearth of people.
"I just had a conversation with a very large organization that is essentially an integration partner for a very large platform as a service cloud provider, and (he said facetiously) 'We can't hire people fast enough. Anybody who can spell the name of the cloud provider, we're hiring.'"
According to the report, the impact that malicious insiders can have on an organization is considerable, given their level of access and ability to infiltrate organizations and assets. "Brand damage, financial impact and productivity losses are just some of the ways a malicious insider can affect an operation," the report said. "As organizations adopt cloud services, the human element takes on an even more profound importance. It is critical, therefore, that consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat."
Besides malicious insiders, the CSA study listed six other threats from cloud computing:
Abuse and Nefarious Use of Cloud Computing: Hackers actively target cloud providers, partially because their relatively weak registration systems facilitate anonymity and providers' limited fraud detection capabilities.
Insecure Interfaces and APIs: Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
Shared Technology Vulnerabilities: Cloud providers never designed disk partitions, CPU caches and other shared elements for strong compartmentalization.
Data Loss or Leakage: Depending on the data that is lost or leaked, there might be compliance violations and legal ramifications.
Account, Service or Traffic Hijacking: With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services.
Unknown Risk Profile: When adopting a cloud service, the features and functionality may be well advertised, but information on details or compliance of the internal security procedures, configuration hardening, patching, auditing and logging aren't always adequately disseminated.
According to the Cloud Security Alliance, its research paper, commissioned by Hewlett Packard, is the result of a broad examination of information security experts across 29 enterprises, solution providers and consulting firms exposed to some of the world's most demanding and complex cloud environments.