CyberArk Responds: Amazon Web Services and the Insider Threat

By Andrey Dulkin

A Slashdot poster recently highlighted the “Windows Flaw that Cracks Amazon Web Services.” The overarching point of the post is that if an attacker can get a copy of a Windows machine hosted on Amazon (or any other hosting provider), they can reset the admin password and get full access to the machine and its information. 

This is not a new method of attack (physical access attacks and password resets have been around for a long time – and the issue isn’t relegated to just Windows).  But, as the poster astutely points out, employees of the cloud hosting providers have the actual physical access to the machines and can indeed copy them to perform this attack. 

This is one way businesses can unknowingly extend their insider-threat vulnerabilities to their partners and third-party vendors. This is a very similar issue to local admins handling on-premise servers.  The big difference is that as a business, you have more control over who is getting internal access – you can screen employees and put internal policies in action that control access.   When a business moves to the cloud, these internal mechanisms are lost.  The organization has little recourse in screening the hosting providers’ employees, or even knowing who they are. 

This is why any organization moving to the cloud need to make sure the hosting providers engage in privileged session monitoring to manage the activity of its employees regarding the use of customer machines. This way, the service provider can provide verifiable logs of which employee accesses which machine, when, and for what purpose.  For both the business and the hosting provider, this provides full accountability of all employee actions.

In a recent CyberArk survey, we found that 56 percent of respondents stated they had no idea what their cloud provider was doing to protect and monitor privileged accounts; while 25 percent of respondents partner with cloud providers that they believe to be less secure than their own organization when it comes to protecting confidential information. 

Moving data and infrastructure to the cloud is a proposition that keeps many CSOs up at night.  Accountability for the movement and actions of their employees is one part of the SLA that every company should demand of their hosting providers.

If you’re moving to a cloud environment and have questions on the questions to ask – a great resource is offered by the Cloud Security Alliance in its Security as a Service Implementation Guidance.  The CSA addresses the topic of privileged users on the provider side, and a host of other issues that you should be aware of when moving to a cloud environment.

Thursday, September 19, 2013