SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Insider Threats Related to Cloud Computing--Installment 9: Two More Proposed Directions for Future Research

Posted on by in

Hi, this is Bill Claycomb and Alex Nicoll with installment 9 of a 10-part series on cloud-related insider threats. In this post, we discuss in detail two final areas of future research for cloud-related insider threats: normal user behavior analysis and policy integration.

Normal User Behavior Analysis

Some observable insider activities are clearly harmful to the organization--for instance, an insider deleting critical applications from the organization's servers. However, not all insider activity is so blatantly malicious. A clever insider seeking to avoid detection will attempt to use authorized access to the target information/systems, and do so in a manner unlikely to raise suspicion.

In reviewing the literature, we find many novel proposals for detection of specific insider-related activity, but few that compare the proposed insider behavior to similar non-malicious behaviors, or even acknowledge the necessity of doing so. One counter-example of this trend is Greitzer and Hohimer, who note in their article Modeling Human Behavior to Anticipate Insider Attacks, "There are several reasons why development and deployment of approaches to addressing insider threat, particularly proactive approaches, are so challenging: (a) the lack of sufficient real-world data that has 'ground truth' enabling adequate scientific verification and validation of proposed solutions; (b) the difficulty in distinguishing between malicious insider behavior and what can be described as normal or legitimate behavior."

Few publicly available data sets exist that characterize normal user behavior in relation to indicators of insider threats, much less indicators related to cloud-based insiders. Researchers addressing the challenge of collecting and analyzing normal user behavior should be careful to include attributes useful for cloud-based research as well. Researchers should consider correlating access requests across multiple disparate systems, exploring how often and how much data users transfer from the organization to cloud-based systems (e.g., web-based mail), and how often cloud-based administrative tools are used. Collecting and sharing such information will greatly enhance the ability of other researchers to propose and validate indicators of malicious cloud-related insider behavior.

Policy Integration

A final suggestion for future research topics is exploring how organizations can better manage discrepancies among cloud-based security policies. These discrepancies may arise due to conflicts between local and cloud-based policies, different policies for each service consumed, or the use of multiple cloud service providers, each with different security policies. Other barriers further exacerbate seamless policy integration, such as differences in operating systems and less control of auditing capabilities in the cloud (e.g., physical). In their paper Security and Privacy Challenges in Cloud Computing Environments, Takabi et al. propose developing a trust management framework for policy integration and an ontology to address semantic heterogeneity among policies.

Researchers should carefully consider the danger of combining inadequate cloud policy management with the limited resources many organizations have to implement costly or complicated policy management systems. One solution would be to propose automated, easy to understand, and easily verifiable policy management techniques for cloud-based systems.

Coming up next: We'll conclude our discussion of the current state of cloud-related insider threats.

More from CERT Insider Threat Center


View other blog posts by CERT Insider Threat Center.