search menu icon-carat-right cmu-wordmark

Common Sense Guide to Mitigating Insider Threats - Best Practice 9 (of 19)

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Mike Albrethsen, Information Systems Security Analyst for the CERT Program, with the ninth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The ninth of the 19 best practices follows.

Practice 9: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.

It is important that organizations and their cloud providers have explicit agreements in place that address security services related to cloud environments. These agreements help to ensure that the organization can extend current security policies in its own infrastructure to the cloud infrastructure, which may be under the control of trusted third parties. In addition to understanding what the cloud provider will be doing, organizations must understand potential vulnerabilities associated with using a cloud environment.

The GAO identifies four types of cloud providers that are currently available to organizations:

  1. Private cloud--operated solely for one organization
  2. Community cloud--shared by several organizations
  3. Public cloud--available to any customer
  4. Hybrid cloud--two or more clouds (private, community, or public) that are connected

In the community and public cloud models, organizations must trust outside employees with access to their infrastructure. The same protections that the organization uses to secure its data and infrastructure should extend to the service provider. Regular audits and monitoring are recommended to ensure that agreements are being honored, to ensure that attacks are detected, and to help the organization fully understand the cloud infrastructure being used.

In a cloud environment, new access paths to an organization's critical assets are created that can be exploited by attackers. In particular, malicious insiders employed by the cloud provider can have significant access to the systems and the information stored within. To effectively assess threats, a thorough understanding of what type of control is afforded to administrators who have access to the underlying hardware, hypervisors, administrative interfaces, and management tools that are used to run the cloud itself is required. This level of understanding highlights the importance of also understanding the vetting process for employees of the service provider. In addition to threats from privileged users, vulnerabilities associated with the cloud infrastructure itself should be considered.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 10, Institute stringent access controls and monitoring policies on privileged users, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to

About the Author