Citing the need to protect data from internal threats as well as external threats, HyTrust has announced a limited initial rollout of a new feature that sniffs for disconnects between cloud administration activities and the roles of the people who execute those activities.
"We need to shift our thinking from an outside-in approach to an inside-out cloud security approach, especially when so much is at stake and we are dealing with infrastructure that has much greater risk," said Eric Chiu, president and founder of HyTrust, a Mountain View, Calif.-based security, compliance and governance vendor. "An often overlooked danger comes from the insider who has access to everything, as well as the threat of people posing as insiders. These are people who hijack the credentials of top-level people and then have everything. The bad guys are getting smarter, so we believe there is a need for role-based monitoring, which makes it easier to detect bad actions from good actions."
As an example, Chiu recounted last year's incident involving a drug company that terminated an IT administrator who allegedly regained access to the system at a later date and deleted massive quantities of data in less than five minutes. Prior to the attack, the suspect had apparently logged onto the system as many as 20 times in preparation for the attack.
"Each server and networking and storage device and data center could conceivably have their own set of configurations and management consoles," Chiu explained. "If you can hack into one of those, you could cause quite a bit of trouble. But with virtual infrastructure, all of that collapses onto one single software platform. So your customer may have gotten a 10x increase in efficiency and cost savings, but they now have out 100x increase in risk. This makes the super-admin even more powerful because they can access every system in the cloud, and they can copy and steal the data, and they could tamper with controls."
Chiu compares IDS and IPS to "building a moat around a castle," thereby taking action against external threats while doing nothing to protect against attacks from within the castle walls. He claims that SIEM platforms fall short of accurately detecting problems caused by internal malfeasance.
"Most internal attacks go unnoticed," he said. "Role-based monitoring provides a deeper examination of the context, looking at what was done as well as who executed the action, what is their job, what resources are they allowed to manage and what do they usually do. This enables you to zero-in and separate appropriate administrative operations from malicious ones."
NEXT: A Response To Customer Requests