Cloud Providers' Hiring Methods Pose Risks
Paper: Dubious Employment Practices Raise Insider Threat Concerns
By: Eric Chabrow, Executive Editor, GovInfoSecurity.com
A dearth of quality IT experts to staff cloud computing companies could present security risks to the government and business customers of these infrastructure, platform and software as a service providers.
In a peer-reviewed paper released Monday at the RSA security conference in San Francisco, the not-for-profit Cloud Security Alliance issued its top threats to organizations employing cloud computing, including the risk from malicious employees of cloud computing providers.
Vetting conducted by some large cloud computing customers reveal that the hiring of cloud providers' technical staffers lack the robust and uniform practices followed by other technology companies, said Jim Reavis, Cloud Security Alliance co-founder and executive director, citing interviews conducted by the alliance in preparation for the report, Top Threats to Cloud Computing.
"There's no perfect world and we have bad actors wherever we go, but we do have concern because of the rapid growth of cloud providers," Reavis said in an interview. "A lot of them will literally tell us, 'We're trying to hire anyone with pulse and got some knowledge of the technology component needed to build this.'"
Reavis said a significant gulf exists between the staffing needs of the information technology sector and employees with the appropriate education and expertise, especially at times that a disrupted technology shift occurs. "This is generically not cloud specific problem. but it is, in fact, something very relevant to cloud environment," he said. "There's absolutely a dearth of people.
"I just had a conversation with a very large organization that is essentially an integration partner for a very large platform as a service cloud provider, and (he said facetiously) 'We can't hire people fast enough. Anybody who can spell the name of the cloud provider, we're hiring.'"
According to the report, the impact that malicious insiders can have on an organization is considerable, given their level of access and ability to infiltrate organizations and assets. "Brand damage, financial impact and productivity losses are just some of the ways a malicious insider can affect an operation," the report said. "As organizations adopt cloud services, the human element takes on an even more profound importance. It is critical, therefore, that consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat."
Besides malicious insiders, the CSA study listed six other threats from cloud computing:
Abuse and Nefarious Use of Cloud Computing: Hackers actively target cloud providers, partially because their relatively weak registration systems facilitate anonymity and providers' limited fraud detection capabilities.
