The 16th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 16: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. In this post, I discuss the importance of including provisions for data access control and monitoring in agreements with cloud service providers.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The 16th of the 20 best practices follows.

Practice 16: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.

Cloud service providers are trusted business partners that provide data and infrastructure services to organizations. These providers enable organizations to scale elastically while keeping their costs low.

However, relationships with cloud service providers extend the organization's network perimeter and potentially introduce new attack opportunities for malicious insiders. Such relationships also create dependence on the service provider and its business practices. As a result, the same protections that an organization uses to secure its own infrastructure and data should extend to the service provider. An organization should work with its general counsel and contracts team(s) to ensure that the organization is compliant with federal, state, and local laws and that contracts are written to protect the critical assets of the organization.

The confidentiality, integrity, and availability of data at rest, in motion, and in use must be protected. Therefore, before using a cloud service, an organization must take a comprehensive look at the service provider and thoroughly understand, document, and assess its physical and logical access and security controls. Regular audits, conducted independently or by the organization, ensure that the service provider's policies and procedures adequately protect the organization at necessary levels.

Sufficient monitoring of the cloud environment must also occur regularly; the service provider may offer monitoring on behalf of the organization. To ensure that all binding rules, laws, and regulations are being met, the organization's security and operations personnel should have access to auditing and monitoring information as needed.

The organization should also account for risks related to the countries where its data could go and determine whether contracts with the cloud service provider offer adequate assurance of data security in those countries. This practice helps ensure that the organization can effectively manage the environment and maintain its contractual obligations.

Organizations also need to identify potential insider threat risks relevant to cloud services--including risks that the service provider recognizes in its enterprise risk assessment--and determine if the service level agreements (SLAs) and the service provider's insurance cover those risks.

Organizations may find it challenging to contract with cloud service providers due to the provider's business model. It may be difficult to find a service provider that meets the physical and logical security expectations of the organization. Some providers may even leave security to the organization.

However, organizations should treat cloud services like any other contracted service and require that service providers meet or exceed the organization's security standards. Senior management must also formally accept the risk of using the service.

Before entering into an agreement, organizations planning to use cloud services should

• Conduct a risk assessment of the data and services that are planned to be outsourced to a cloud service provider.
• Ensure the service provider poses an acceptable level of risk and offers controls to reduce residual risk.
• Ensure the service provider meets or exceeds the organization's own security practices.
• Verify the hiring practices of the service provider to ensure that background security investigations on personnel are conducted before they are hired.
• Ensure the service provider conducts periodic credit checks and reinvestigations to ensure that changes in employees' lives have not caused additional unacceptable risks.
• Control or eliminate remote administrative access to hosts providing cloud or virtual services.
• Understand how the service provider protects data and other organizational assets.
• Identify and confirm the responsible party for restricting logical and physical access to organizational assets in the cloud.
• Work with legal counsel to review all service level agreements.

Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned in this post.

Check back next week to read about Practice 17: Institutionalize system change controls, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.

For more information about the CERT Insider Threat Center, see https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=21232, or contact us at info@sei.cmu.edu.