BreachExchange mailing list archives
Security Needs Evolve as Computing Leaves the Office
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Jun 2014 14:25:10 -0600
http://bits.blogs.nytimes.com/2014/06/11/security-needs-evolve-as-computing-leaves-the-office/?_php=true&_type=blogs&_php=true&_type=blogs&module=Search%&_r=0

Five years ago, people still spoke of cloud adoption as if they had a choice. But at company after company, cloud computing facilities miles away have replaced computer rooms down the office hall, and what once seemed like a choice now looks like an inevitability.

Businesses are turning to the cloud — that nebulous term that describes computing and applications run remotely over the Internet — to handle their data and computing faster and cheaper, relying on providers like Amazon, Google, SoftLayer, Rackspace and others. And many of the companies’ employees are turning to consumer cloud services, like Google Docs and Dropbox accounts, to readily access files — work and personal ones — wherever they are, including at home or at the neighborhood Starbucks.

A hitch to all this newfound speed and convenience? Security. In most cases, specialists say, cloud security still lags far behind the layers of physical and network security of computer rooms down the hall.

“We’re seeing growing confidence in the cloud — not because we magically solved the security problems — but because we’ve seen them put aside as operational practicalities trump security,” said Hugh Thompson, the chief security strategist of Blue Coat Systems, a provider of security technology.

But as the drumbeat of data breaches has intensified in recent years, cloud security start-ups have cropped up to offer secure, end-to-end encryption and authentication schemes, and to make sure corporate servers aren’t talking to strangers. Last year’s $3.2 billion cloud security services market is predicted to nearly triple by 2017, to $9.2 billion, according to a report last October by Infonetics, a market research firm.

“There’s no more debate,” said Rajat Bhargava, co-founder of JumpCloud, a cloud security start-up. “When you don’t own the network, it’s open to the rest of the world, and you don’t control the layers of the stack, the cloud — by definition — is more insecure than storing data on premises.”

The risks to cloud-stored data are all too familiar. The top method for cloud-based data compromises, Mr. Bhargava and other experts say, is stolen or cracked passwords. Hackers gained access to Target’s data by stealing a vendor’s login information. More recently, at eBay, hackers gained access to its entire customer database by stealing an employee’s passwords. Those cases, experts say, are increasingly the norm, not the exception.

Getting a password can be easy. Hackers often just send an email to a corporate administrator or trusted vendor containing a malicious link. If clicked, the link can download password-stealing malware onto a machine, or redirect users to a fake webpage that baits them into entering their login credentials.

Because cloud providers aggregate data for so many companies, a breach of a cloud provider’s account can start a costly chain reaction. That was the case at MongoHQ, a cloud provider, last year. An attacker stole a MongoHQ employee’s password, gaining access to the company’s customer database and its customers’ social media accounts. In some cases, he even got access to customers’ storage accounts with Amazon Web Services, Amazon’s cloud computing offering, which stores vast amounts of data for companies worldwide.

There are also unsettled legal issues. Microsoft is challenging the right of American authorities to compel it to turn over customer emails stored in an Irish data center. The court fight is being carefully watched by other big Internet companies, worried that the data of customers from other countries could be subject to seizure by American investigators, regardless of where that data was stored.

The most basic defense, security experts say, is strong authentication schemes — and strong, unique passwords to different cloud applications are only the start. Security specialists recommend that companies enable multifactor authentication, perhaps requiring users to sign in with their password as well as a one-time code, like one texted to their phones or momentarily displayed on a security token.

But, security experts add, businesses would be wise to monitor where login requests are coming from. New security technologies offered by companies like ThreatMetrix and 41st Parameter can track where and from which machine a request is originating. A login request to an American company’s human resources database may sound alarms if, say, its origin is an unrecognized I.P. address in China, or from a machine that relies on Russian language fonts. Servers are also a hacking target, researchers say, and administrators must be vigilant about regular updates.

Even with all those protections, computer security remains a cat-and-mouse game. Experts say companies would be wise to plan for the worst case — assuming that somebody with the will and wherewithal to steal data from a cloud provider will find a way. One option is to make the data unreadable, by encrypting it even before it reaches a cloud provider. Young companies like CipherCloud and Voltage Security offer encryption for data as it moves from employees’ computers to the cloud.

But only a small percentage of businesses are employing such services, according to an April study by the Ponemon Institute, which studies data privacy. Over half of the 4,000 organizations the group studied admitted that they stored their most sensitive data unencrypted in the cloud. With breach after breach, security experts say the status quo is simply no longer acceptable.

“Encryption is an overhead. It’s a hassle; there’s no great way to do it easily or simply, it causes performance issues and it’s just a pain, but you have to do it,” said Mr. Bhargava.

In addition, experts say, companies should safely store the cryptographic keys that decipher their data — not a simple task. Many companies store their keys on the servers the keys can decrypt — the digital equivalent of leaving the house key under the doormat. The risk of storing the keys in that way was demonstrated recently, when security researchers exploited the recently disclosed Heartbleed bug by pulling encryption keys off a server.

If there’s any upside to the recent breaches, security experts say, it is that executives now have a greater awareness of the cloud’s perils. Executives who once thought of themselves as gatekeepers now recognize that employees will find a way to use cloud services regardless of whether their company allows it, and that the company needs to take steps to protect the data that is stored and shared.

“There’s been a mind shift,” said Rajiv Gupta, the co-founder of Skyhigh Networks, a start-up that helps companies get a handle on rogue apps. “Earlier, they felt that information technology had to be provided to employees. Now they’re asking how to enable employees to use the cloud in a way that meets the organization’s security, privacy and compliance requirements.”