Cloud Computer and Insider Threats Cloud computing is widely regarded as the wave of the future. "Cloud computing is all the rage. It's become the phrase du jour" (Knorr & Gruen 2011). However, many people throw the phrase around without truly understanding what it really is. "Cloud computing comes into focus only when you think about what IT always needs: a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software" (Knorr & Gruen 2011). It may include many different types of services, some of which are subscription-based, others of which are pay-per-use (Knorr & Gruen 2011). For example, with SaS (software as a service), one of the most common types of hosting, this means no "upfront investment in servers or software licensing; on the provider side, with just one app to maintain, costs are low compared to conventional hosting" (Knorr & Gruen 2011). At its essence, what is so revolutionary about cloud computing is that it obviates the need for hardware and physical storage; rather, "clients lease these resources from a cloud provider as an outsourced service" (Malik & Nazir 2012: 390).

The cloud has the potential to convey many cost savings to organizations, and improve speed and efficiency as well as reduce the physical encumbrances placed upon smaller organizations. However, there are also fears about its risks. "Cloud computing services provide a resource for organizations to improve business efficiency, but also expose new possibilities for insider attacks. Fortunately, it appears that few, if any, rogue administrator attacks have been successful within cloud service providers, but insiders continue to abuse organizational trust in other ways, such as using cloud services to carry out attacks" (Claycomb, & Nicoll 2012: 10). But many fear that this relatively strong track record thus far is merely a reflection of the relative youth of cloud computing, and it is only a matter of time before serious threats become chronic.

The lack of 'rogue' administrator attacks may cause many organizations to be sanguine about monitoring user patters. Particularly since the technology is still in its nascent stages, organizations may be uncertain of how to guard against threats and their potential for misuse resulting in a lack of appropriate monitoring that would be customary with the deployment of other technological applications. The solution to this problem is not to fear cloud computing, but to become more aware of potential risks and to develop employee monitoring systems before threats from inside do begin to assert themselves in a more pervasive fashion.

"Some observable insider activities are clearly harmful to the organization -- for instance, an insider deleting critical applications from the organization's servers. However, not all insider activity is so blatantly malicious" (Claycomb, & Nicoll 2012: 9). To accumulate data upon the subject is essential, and one critical area is the ability to compare normal user patterns in a cloud computing scenario with that of malicious attacks by insiders. "The lack of sufficient real-world data that has 'ground truth' enabling adequate scientific verification and validation of proposed solutions" lays cloud computing systems open to vulnerabilities and increases "the difficulty in distinguishing between malicious insider behavior and what can be described as normal or legitimate behavior" (Claycomb, & Nicoll 2012: 9).

Research is required to determine when and how user attacks are likely to occur, with the hope of generating a comparative framework of normal vs. malicious patterns of use in cloud computing in terms of both technical and non-technically measured behaviors. There has been a call for "automated, easy to understand, and easily verifiable policy management techniques for cloud-based systems' (Claycomb, & Nicoll 2012: 9). The extent to which this is feasible, along with the real potential scope of insider threats is hotly-debated.

Memo 2.2. Clarifying the locus of the inquiry

The focus of my study will be on how to guard against insider threats within cloud computing systems, specifically to determine if normal user patterns can be established in such a way to distinguish them against malicious use patters. The study will also seek to understand why and when insider threats are likely to occur, and how a trusted employee and business associate can potentially exploit the cloud. It will compare the value of searching for technical red flags regarding employee behavior (such as eccentric log-in patterns and violations of search policies) with non-technical, qualitative behaviors that indicate the potential for the employee to pose an insider threat (Claycomb, & Nicoll 2012: 9).

Aggrieved employees can exploit vulnerabilities in their relationship with their clients...

"Cloud computing as a process is governed, managed, and maintained by site administrators. By default, they hold the key to managing all the data, files, and privileged company resources and files. Sometimes, relationships with employers don't work. As a revenge, or for other reasons, administrators may end up spreading, or allowing privileged information to leak at the expense of the business enterprise involved" (Bailey 2012). Other employees may simply wish to exploit the cloud for 'fun,' out of the spirit of playful hacking.
Employers must be aware that cloud computing is not a self-managing system, and they cannot take a hands-off attitude in spotting vulnerabilities. However, there remains some disagreement as to what vulnerabilities and flags for misuse resemble. One school of thought suggests that "indicators suggested for cloud-based insider threats are simply reworded versions of malicious behavior indicators for non-cloud systems" (Claycomb, & Nicoll 2012: 8). Good examples of these can include users logging in during non-work hours (such as 4am or on weekends), unusual search items, and "obtaining back-door access to company data" (Claycomb, & Nicoll 2012: 8). However, there are some unique features that administrators of cloud-based service may show when they exhibit a threat to the organization. Some of these are not necessarily technical in nature, as they may include behaviors such as carelessness and a lack of consideration for user needs. Other, technical red flags include: "violating SLAs, improperly managing virtual machines, using suspicious software, or performing similar activities across different platforms and customer systems" (Claycomb, & Nicoll 2012: 8). The FBI has also issued a list of guidelines for potential behaviors that could indicate a company is vulnerable to an insider threat, such as employees asking for or taking proprietary information that does not seem necessary; working odd hours; copying material without a clear reason why, and showing a disregard for company policies regarding privacy (Economic espionage, 2012, FBI).

By better understanding what red flags are most likely to arise when policing security when using cloud computing, an organization can better guard against potential threats. Ideally, all of these vulnerabilities -- both technical and non-technical -- should be monitored, but given finite organizational resources, the most critical and likely manifestations of insider threats should be determined. It must also be determined if cloud-based insider threats differ in fundamental ways from more generic insider threats in both a quantitative and a qualitative manner.

Memo 2.3: Analytic memo

More study is needed regarding the potential risks of cloud computing. Cloud computing presents several security challenges, despite the many advantages it can convey to an organization, particularly a small one which cannot afford to have on-site data storage. One of the most formidable of these challenges includes insider threats, or threats posed to the organization by either the administrators of the cloud or in-house employees that seek to exploit the cloud (Claycomb, & Nicoll 2012: 9).

Because of the newness of the technology, little data exists at present about the most likely use pattern of a malicious attacker. There is a debate as to whether such use patterns tend to mimic typical suspicious user behavior for all types of infiltrations of security vulnerabilities, or whether there is a specific usage pattern typical to cloud computing (Claycomb, & Nicoll 2012: 9).

Insider threats can come from disgruntled employees or from individuals who simply take pleasure in hacking. They may originate with the cloud provider itself, or they may be employees who seek to exploit the vulnerabilities of the cloud. These different types of threats may manifest different patterns of suspicious use as well, although this is also not yet determined.

Given how much research has yet to be done on cloud computing and insider threats, I would like to undertake a study that combines both qualitative and quantitative research. The extent to which threats may present themselves in a technical or non-technical fashion remains debatable, and a blended research study that uses both open-ended and data-driven means of analysis would be one way to shed light on this issue.

My ideal preliminary study would not strive to come to a definitive answer about the typical exploitation pattern of use exhibited by an inside hacker. However, it would seek to interview several companies that were targets of malicious insider attacks and compare the nature of the attacks, how the misuse was finally discovered, and see whether behavior or technical patterns were the main red flags in spotting the…