Why cloud security is something businesses must take into their own hands

5 Comments

Security in the cloud is on a lot of people’s minds following the hacking of celebrities’ iCloud accounts. When we hear about user accounts on cloud services and SaaS applications getting compromised, we start thinking more about he types of security capabilities that cloud providers offer versus what they leave unaddressed, and where responsibility should lie.

Although many people think that security is a monolith, in reality it’s much more of a mosaic — full of nuances and subtleties. There are undoubtedly various kinds of threats associated with cloud services. From the perspective of the cloud service provider, the most pressing security issue involves protecting its back-end infrastructure from outside attackers. An attacker who can break in through the back door can abscond with a wealth of data.

Businesses using SaaS services, or individual users of iCloud, have other concerns. Account compromise through the back door is worrying, but in particular, organizations must worry about attacks through the front door. User accounts may be compromised through phishing attacks (targeted or otherwise). There’s a risk of devices being lost or stolen. Or end-user systems may be infected with malware that results in session hijacking.

Let’s also remember that not all threats originate from the outside. What happens if malicious insiders decide to purloin sensitive data, like customer names and intellectual property, as they get ready to leave the company? And, along similar lines, how do you address inadvertent insiders — who may simply succumb to human error by mistyping an email address that causes data to be shared with someone who shouldn’t have access to it? The list goes on.

I mention this demarkation between front door and back door attacks because it seems to me that the lion’s share of cloud service providers and SaaS vendors focus on protecting their back door, while taking more of a laissez-faire attitude about safeguarding the front door. That stance is of little solace to organizations who need to be concerned about the full spectrum of threats to their data.

These issues, while longstanding, can be addressed. Front door attacks can be mitigated through a number of well understood mechanisms. For starters, two-factor authentication is common in many places, but not in all. It would be extremely helpful if we made this simple, but effective, approach more ubiquitous.

Financial institutions have, for a long time, used fraud detection algorithms to identify account compromise and misuse. The same techniques can be applied in the broader context of cloud services. Encryption and data loss prevention tools have helped mitigate risks of data breaches when the enterprise perimeter was more well-defined. Analogous approaches (assuming they are well thought through) can be applied in the context of cloud services. Finally, organizations would be considered foolish if they failed to scan files on endpoint systems for malware and viruses, yet they appear to have blinders on when those same files are in the cloud.

I think we are seeing the same fundamental misalignment of incentives for organizational data that we have seen play out in the world of consumer data. On the one hand, my cloud service provider or SaaS vendor has my organization’s data. On the other hand, if my organization’s data gets compromised, so long as it wasn’t due to some inherent gross negligence on the part of the cloud service provider, then the onus is on me to deal with the ramifications. Unfortunately, I don’t think we can reasonably expect that cloud service providers and SaaS vendors will take on the mantle of providing a more comprehensive set of security capabilities to customers.

After all, how much would you trust an organization whose accounting department audited their own books?

That raises the question of what organizations need to do. For starters, being aware of the distinction between back-door protection and front-door protection goes a long way. Organizations need to know what capabilities their SaaS vendor will provide and the point at which they need to fend for themselves. They also need to understand what they can do to strengthen their half of the equation.

My perspective is that net-net, the benefits of leveraging online services outweigh the risks. That said, for many, news of cloud account compromises can cast a shadow of doubt around using such online services. However, I like to take a more optimistic view. These issues help more people crystallize their understanding of what leveraging the cloud provides (and doesn’t provide). As people better comprehend all the ramifications, I believe they are not only more likely to embrace the cloud, but will do so with greater confidence.

Zulfikar Ramzan is the CTO of Elastica, where he drives the company’s efforts in leveraging data science and machine learning techniques toward improving the security of clowd services. He was previously chief scientist at Sourcefire, which was acquired by Cisco.

5 Comments

Jack

Per NSA PRISM revelations, Microsoft Public Cloud services & Google Public Cloud services have Backdoor Access….Once your Data is in the Public Cloud services, the Vendor OWNS your Data…

Zulfikar Ramzan

I think you’re hitting on a broader issue that more people need to understand: at the very minimum, your cloud provider always has access to your data. You are trusting that they won’t do anything bad with it, but there’s a theoretical risk that you have to be cognizant of. So, if there is anything sensitive (e.g., a personal picture) that you absolutely would not want leaked, then placing it in a third-party cloud service is not a good idea. On the other hand, if there is data that you’d like to keep confidential (but can survive in the hopefully unlikely event that it were leaked), then it makes more sense to consider third-party alternatives.

Zulfikar Ramzan

I would also argue that most users should trust their cloud provider to safeguard their data more than they trust themselves. That said, you are absolutely on point that there is a fundamental element of trust involved (and trust is not the same thing as trustworthiness!).

Comments are closed.