Earlier this week, I saw this article describing a security breach by a Google insider: a site reliability engineer (SRE, now fired) had violated the privacy of multiple email accounts. From the article:
Barksdale’s intrusion into Gmail and Gtalk accounts may have escaped notice, since SREs are responsible for troubleshooting issues on a constant basis, which means they access Google’s servers remotely many times a day, often at odd hours. “I was looking at that stuff [information stored on Google's servers] every hour I was awake,” says the former Google employee.
There are a couple of immediate lessons from this. First, insider threats are real for our own organizations, and they are just as real for cloud providers. There are multiple ways to protect ourselves from internal threats, but one of the foundational elements is to limit and monitor all privileged access, and to baseline normal activity so that abnormal behavior can be detected and investigated. However, the article goes on to state:
And the company does not closely monitor SREs to detect improper access to customers’ accounts because SREs are generally considered highly-experienced engineers who can be trusted, the former Google staffer said.
Another lesson is that when assets are concentrated, the damage from an individual incident can be greater. In other words, the same type of incident can cause more damage. We face this in our own data centers with the shift to virtualization platforms, where multiple workloads are now dependent on the integrity and separation provided by the virtualization platform underneath. Public cloud-based service providers face the same problem on an even greater scale. That means the level of due care we require the provider to meet must be higher.
One approach is monitoring (as discussed above). Another would be to limit the scope of administrative access for any given employee. Another would be to put a tight process around how and why administrators are granted administrative access. Nothing new here; it's just that the impact of a lapse is magnified. And the issue isn't just Google; it applies to any cloud-based service provider.
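As an added illustration of the monitoring point (this is example code written for this post, not code from the original article or from Google), the following script checks constructed audit records for two of the controls above: privileged reads of customer data with no recorded justification, and an administrator touching more distinct accounts in a day than their baseline. The record format, field names and baseline values are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample audit records (not real data): each line is one
# privileged read of a customer account by an administrator.
SAMPLE_LOG = """
{"ts": "2010-09-14T02:11:05Z", "admin": "sre-alice", "action": "mailbox.read", "target": "user-1001", "ticket": "INC-4471"}
{"ts": "2010-09-14T02:14:30Z", "admin": "sre-alice", "action": "mailbox.read", "target": "user-1001", "ticket": "INC-4471"}
{"ts": "2010-09-14T23:40:12Z", "admin": "sre-bob", "action": "chat.read", "target": "user-2002", "ticket": ""}
{"ts": "2010-09-14T23:41:50Z", "admin": "sre-bob", "action": "mailbox.read", "target": "user-2003", "ticket": ""}
{"ts": "2010-09-14T23:43:07Z", "admin": "sre-bob", "action": "mailbox.read", "target": "user-2004", "ticket": ""}
{"ts": "2010-09-14T23:45:22Z", "admin": "sre-bob", "action": "mailbox.read", "target": "user-2005", "ticket": "INC-4490"}
"""

# Constructed per-admin baseline: the usual number of distinct customer
# accounts an admin touches per day. In practice this is learned from history.
BASELINE_DISTINCT_TARGETS_PER_DAY = {"sre-alice": 3, "sre-bob": 3}


def parse_log(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_anomalies(records, baseline):
    """Return (rule, admin, detail, extra) tuples for records worth investigating."""
    findings = []
    targets_by_admin_day = defaultdict(set)
    for r in records:
        day = r["ts"][:10]
        # Rule 1: every privileged read of customer data must cite a ticket.
        if not r["ticket"]:
            findings.append(("no_ticket", r["admin"], r["target"], r["ts"]))
        targets_by_admin_day[(r["admin"], day)].add(r["target"])
    # Rule 2: distinct accounts touched in a day beyond the admin's baseline.
    for (admin, day), targets in targets_by_admin_day.items():
        if len(targets) > baseline.get(admin, 0):
            findings.append(("above_baseline", admin, day, len(targets)))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG), BASELINE_DISTINCT_TARGETS_PER_DAY):
        print(finding)
```

Both rules are deliberately simple; the point is that a justification requirement plus a per-admin baseline would have produced something to investigate even for a trusted engineer.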
So, how do we gain confidence (trust) that the security basics are sufficiently addressed by a cloud provider? We must become excellent at incorporating specific security requirements into our request-for-information and request-for-purchase processes. The Cloud Security Alliance's Cloud Controls Matrix is an excellent resource for understanding the types of controls that should be required.