Insider Threat Hovering in the CloudPart 2: Risks to Avoid and How to Create Trust with Providers
Before resigning, Cappelli says, the employees synchronized 78,000 files using the online file sharing application Dropbox not only to retrieve the files, but to change the data in some files stored on their former employer's servers. "The organization had no idea that they had set up Dropbox in this way," Cappelli says. "They not only lost their information, but they didn't know it, and they were using information which was incorrect."
In the second part of a two-part interview on cloud computing with Information Security Media Group, Cappelli and her colleague at Carnegie Mellon University's CERT Insider Threat Center, Senior Cybersecurity Analyst Alex Nicoll, discuss:
- Ways organizations can build trust with their cloud computing providers to assure their employees don't pose an insider threat;
- The evolution of the insider threat landscape within the cloud; and
- The complexity virtualization presents in keeping tabs on activities occurring on cloud servers.
In the first part of the interview, Cappelli and Nicoll discussed the responsibilities cloud providers must take to assure their employees don't tamper with clients' data, the types of threats insiders pose in the cloud and the limited technical approaches organizations can adopt to monitor potential insider threats from their cloud providers [see Mitigating Insider Threat From the Cloud].
Cappelli, who joined CERT in 2001, founded the Insider Threat Center, part of Carnegie Mellon's Software Engineering Institute. Her teams research cyberthreats; develop and conduct assessments; and provide solutions and training for preventing, detecting and responding to illicit cyber-activity. Before joining CERT, Cappelli served as the director of engineering for the Information Technology Development Center of the Carnegie Mellon Research Institute.
Before joining CERT, Nicoll was a senior technology research fellow at the University of Nebraska at Omaha, where he served as the associate director of the Nebraska University Consortium on Information Assurance. Earlier, at the U.S. Strategic Command working for contractor BAE Systems, he served as the primary systems architect on the distributed command and control systems, designing data centers and large-scale redundant/fault-tolerant computing systems.