Can You Trust Your Cloud Vendor's Employees? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

09:06 AM

Can You Trust Your Cloud Vendor's Employees?

Insider threats run rampant, and cloud customers often find it difficult to pull back the veil and see what their supplier is doing with their data.

Insider Threats: 10 Ways To Protect Your Data
Insider Threats: 10 Ways To Protect Your Data
(Click image for larger view and slideshow.)

When evaluating cloud services, many CIOs ask how well a vendor will be able to ward off groups of hackers. The bigger question to ask a cloud vendor may be, "Can you trust your own employees?"

While outsiders certainly try to break into these systems, internal employees already have access and can -- and unfortunately sometimes will -- do significant damage.

Insider threats come in a few variations. Businesses put many processes in place to protect information, but success or failure revolves around their employees' ability to follow directions. "Good people sometimes become very busy and make mistakes," noted Larry Ponemon, chairman and founder of Ponemon Institute, a market research firm focused on computer security.

[The struggle is real. Read 8 Reasons IT Pros Hate the Cloud.]

Compounding the problem, cloud system infrastructure has become large and complex. For instance, Amazon Web Services makes 50 million updates to its computer systems annually, which translates to one every 1.5 seconds. Vendors have deployed various automation tools to manage system workflows in such high-paced environments, but behind the tools are often harried data center technicians.

No Need to Follow the Rules

In other instances, workers willingly bypass established procedures. Employees may not be aware that they put themselves and their employers at risk when they transfer customer data to their personal computers, tablets, smartphones, or cloud file-sharing applications. In certain cases, they think their actions are justified because they deem the business processes unnecessary and inefficient.

Disgruntled employees are a significant threat. Employees may be angry with the way the organization conducts its business and see themselves as an Edward Snowden-like whistleblower. In other cases, an individual may feel unappreciated, be bypassed for a promotion, or feel undercompensated. He or she then takes steps to "right the wrong."

(Image: Chesky_W/iStockphoto)

(Image: Chesky_W/iStockphoto)

Greed plays a role in internal threats. "Corporate espionage is becoming more common," said Dan Blum, managing partner and principal consultant at security consulting firm Security Architects. Firms are putting more confidential information in digital formats, so it becomes more difficult for them to monitor use of that data.

The Threat From Within

Unfortunately, internal threats are quite common. A July 2015 Ponemon study, "Unintentional Insider Risk in United States and German Organizations," surveyed 1,071 IT and IT security practitioners in the US and Germany who understand and are familiar with the security risks created by negligent or careless employees and other insiders in their organizations. The study, which was sponsored by Raytheon and Websense, found that nearly half (46%) of respondents in the US said their organizations do not have the necessary safeguards in place to protect themselves from careless or malicious employees.

Those numbers may be low, because tracking insider threats is difficult. "Companies need to make information available to employees so they can do their jobs," said Randy Trzeciak, technical manager of the CERT Insider Threat Center at the Carnegie Mellon Software Engineering Institute. "Determining who is using the information inappropriately becomes a challenge."

Compounding the problem is the fact that the most productive employees are often the ones making the most mistakes. The vast majority of US respondents to the Ponemon Institute study (79%) said multitaskers are more likely to be careless than other employees.

A Million Dollar Problem

The insider problems have a significant impact on the organization. Ponemon Institute found that each threat costs a company about $1.5 million.

Cloud customers are often in the dark about breaches that result from the actions of insiders. "Three out of four insider breaches are handled internally," said CERT's Trzeciak. Firms do not want to risk the public embarrassment that comes with disclosing such problems, so they deal with the malfeasance or incompetence internally.

Get Assurances in Writing

So, what steps can the CIO take to ensure that its cloud provider staff members are doing their jobs properly? Data analytic tools are emerging that help businesses identify system aberrations, and better identify and potentially thwart insider threats.

However, cloud customers need to be proactive in their use of such tools. Often, the vendor is unwilling to let the customer access the data analytics system or talk directly with its employees.

But such steps can be written into the customer's service level agreement. "In the SLA, the customer should have the ability to audit the service on occasion, examine system logs, and hire an outside firm to investigate any potential internal breaches," explained Security Architects' Blum.

Businesses are turning to cloud services for many good reasons. However, CIOs need to be aware of the potential problems and put safeguards in place to protect themselves from suppliers' malicious or incompetent employees.

New deadline of Dec. 18, 2015 Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.

Paul Korzeniowski is a freelance contributor to InformationWeek who has been examining IT issues for more than two decades. During his career, he has had more than 10,000 articles and 1 million words published. His work has appeared in the Boston Herald, Business 2.0, ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/27/2015 | 9:13:31 PM
Ample Opportunity
What's even scarier is that an employee at most companys can only cause problems at that one company, while an employee of a cloud provider can affect many. Perhaps greater screening is needed.
CIOs Face Decisions on Remote Work for Post-Pandemic Future
Joao-Pierre S. Ruth, Senior Writer,  2/19/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
CRM Trends 2021: How the Pandemic Altered Customer Behavior Forever
Jessica Davis, Senior Editor, Enterprise Apps,  2/18/2021
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll