The Next Frontier

Many companies have embraced the benefits of cloud computing because of its pay-per-use cost model and the elasticity of resources that it provides. But from a data confidentiality and integrity viewpoint, moving a company's IT systems to a public cloud poses some challenges. System protection is often based on perimeter security, but in the cloud, the company's systems run on the cloud provider's hardware and coexist with software from both the provider and other cloud service consumers. Simply put, the cloud blurs the formerly clear separation between the trusted inside and the untrusted outside.

Malicious insiders represent a particularly significant concern for security in the cloud, as cloud operators and system administrators are unseen, unknown, and not onsite. Confidential data such as passwords, cryptographic keys, or files are just a few commands away from access by a malicious or incompetent system administrator.

This ReadyNote addresses the threat of malicious insiders in the context of clouds that provide the infrastructure as a service (IaaS) model, in the sense of clouds where consumers can run virtual machines. The text is complementary to several guidelines and reports on cloud security that have been published by organizations like the National Institute of Standards and Technology (NIST), the European Network and Information Security Agency (ENISA), and the Cloud Security Alliance.