Insider threats in cloud computing environments

¶ … Prep: The Insider Threat in Cloud Computing

Cloud computing is still an emerging concept and reality for many businesses, though with the powerful, efficient, and highly cost-effective nature of many cloud computing services it will be an all-but-ubiquitous part of the business model for any medium or larger enterprise within the next decade (Joshi & Ahn, 2010; Subashini & Kavitha, 2011). As powerful and compelling as these tools and the opportunities they provide may be, there is a host of new concerns that is attached to this new technological capability. One of these problems is the insider security threat, which though a known and well-understood threat in traditional settings takes on new and dangerous dimensions in cloud computing (Jansen, 2011; Subashini & Kavitha, 2011). With off-site non-employees now responsible for maintaining the security of information stored in and/or transmitted through cloud computing services, new threats to business security are accompanying this new business opportunity.

This research will examine manners in which the risks associated with cloud computing can be appropriately assessed and used to inform business decisions. Weighting information risks has always been a complex and somewhat nebulous task, and the new details and intricacies of cloud computing render this task all the more difficult, however such assessment is necessary as business move forward and cloud computing becomes the normative mode of information technology procurement and utilization (Chow et al., 2009). The lack of clear risk assessment techniques and means of addressing these risks is the problem that will be addressed by this research.

Purpose Statement

The purpose of this research is two-fold, though the two different purpose are very closely related and mutually dependent in terms of achieving meaningful and relevant results from either research area. First, the research will attempt to establish a reliable framework and system of variables for quantitatively assessing the risk of insider threats when it comes to cloud computing and its use to procure and utilize various it services in standard business settings. Second, the research will attempt to identify means by which the specific concrete risks found to exist in cloud computing utilization can be countered or corrected through business entity controls. Establishing a clear framework for identifying and measuring risks is necessary in order to develop effective and proportional controls and counters to these risks, and this notion of control is what makes the framework itself practically useful.

Establishing a framework for assessing the risk of insider threats to cloud computing, while making up only part of the research purpose, will form a significant part of the research. This is a highly complex task, and will require a multitude of different service models and operations to be taken into account, along with a variety of different business needs (Chow et al., 2009; Jansen, 2011). The complexity of tackling this specific purpose in the proposed research is more than warranted by the importance of such a framework to the business community and to further studies of cloud computing risk, however, and is the primary reason that this research is being undertaken as specifically proposed.

The second purpose, though admittedly not the primary motive behind the undertaking of the research, is an equally vital piece of the completed research for the added concrete and practical usefulness that it provides, and for the ability it gives to test the framework developed in the first research purpose. Without the ability to test the cloud computing insider threat risk assessment framework through the development of best practice recommendations for controlling these risks, this framework would be all but useless, and thus the concrete and practical nature of the second research purpose is important internally to the research as well as to the real-world business and technology communities. Research that is immediately and practically useful tends to find greater support and also leads to more extensive and meaningful discussions while also promoting more related research, and this purpose is considered valuable for this element, as well. Through the practical recommendations made in the fulfillment of this second research purpose, the academic and the practical knowledge gained in this area will both be greatly enhanced.

These research purposes will directly address the problems identified as central to this research. Through the creation of a risk assessment framework for insider threats to cloud computing and the making of recommendations to address identified threats, the problem of a lack of appropriate understanding and knowledge will be directly tackled. As it is the purpose of all research to address problems identified by knowledge gaps, and ideally to provide recommendations of a practical nature, it is believed these research purposes will make this research endeavor highly successful.

Research Questions

What specific risks do companies face from insider threats in cloud computing situations?

This basic question was selected because it is a fundamental piece of knowledge that must be obtained before the research problem can be more adequately and specifically addressed. Identifying risks is necessary for developing a reliable framework and for making recommendations for combating those risks. This will add to current literature in the field by providing more concretely defined and validated risks than are currently available. A variety of malicious and accidental risks are expected to be strongly represented in the findings.