CyberArk Responds: Amazon Web Services and the Insider Threat

September 19, 2013 Andrey Dulkin

A Slashdot poster recently highlighted the “Windows Flaw that Cracks Amazon Web Services.” The overarching point of the post is that if an attacker can get a copy of a Windows machine hosted on Amazon (or any other hosting provider), they can reset the admin password and get full access to the machine and its information.

This is not a new method of attack (physical access attacks and password resets have been around for a long time – and the issue isn’t limited to Windows). But, as the poster astutely points out, employees of cloud hosting providers have physical access to the machines and can indeed copy them to perform this attack.

This is one way businesses can unknowingly extend their insider-threat vulnerabilities to their partners and third-party vendors. The issue is very similar to that of local admins handling on-premise servers. The big difference is that on-premise, as a business, you have more control over who gets internal access – you can screen employees and put internal policies in place that control access. When a business moves to the cloud, these internal mechanisms are lost. The organization has little recourse in screening the hosting provider’s employees, or even knowing who they are.

This is why any organization moving to the cloud needs to make sure its hosting provider engages in privileged session monitoring to manage the activity of the provider’s employees on customer machines. This way, the service provider can supply verifiable logs of which employee accessed which machine, when, and for what purpose. For both the business and the hosting provider, this provides full accountability for all employee actions.

In a recent CyberArk survey, we found that 56 percent of respondents stated they had no idea what their cloud provider was doing to protect and monitor privileged accounts, while 25 percent of respondents partner with cloud providers that they believe to be less secure than their own organization when it comes to protecting confidential information.

Moving data and infrastructure to the cloud is a proposition that keeps many CSOs up at night. Accountability for the movement and actions of the hosting provider’s employees is one part of the SLA that every company should demand of its hosting provider.

If you’re moving to a cloud environment and are unsure which questions to ask, a great resource is offered by the Cloud Security Alliance in its Security as a Service Implementation Guidance. The CSA addresses the topic of privileged users on the provider side, along with a host of other issues that you should be aware of when moving to a cloud environment.
