Malicious Insiders:
The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance.
To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary — ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
Examples
- No public examples are available at this time.
Remediation
- Enforce strict supply chain management and conduct a comprehensive supplier assessment.
- Specify human resource requirements as part of legal contracts.
- Require transparency into overall information security and management practices, as well as compliance reporting.
- Determine security breach notification processes.
Our Services:
Cloud customers need assurance that providers are following sound security practices in mitigating the risks facing both the customer and the provider (e.g., DDoS attacks). They need this in order to make sound business decisions and to maintain or obtain security certifications.
Our Cloud Security Assessments provide a means for customers to:
1. assess the risk of adopting cloud services;
2. compare different cloud provider offerings;
3. obtain assurance from selected cloud providers;
4. reduce the assurance burden on cloud providers;
5. select and deploy the security monitoring tools needed and customize the flow analysis features available on routers.
Our Cloud Security Assessment evaluation will cover all aspects of security requirements.
For a complete Cloud Security Assessment and Penetration Testing for an existing configuration please select: