BreachExchange mailing list archives

Security Needs Evolve as Computing Leaves the Office


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Jun 2014 14:25:10 -0600

http://bits.blogs.nytimes.com/2014/06/11/security-needs-evolve-as-computing-leaves-the-office/?_php=true&_type=blogs&_php=true&_type=blogs&module=Search%&_r=0

Five years ago, people still spoke of cloud adoption as if they had a
choice.

But at company after company, cloud computing facilities miles away have
replaced computer rooms down the office hall, and what once seemed like a
choice now looks like an inevitability.

Businesses are turning to the cloud — that nebulous term that describes
computing and applications run remotely over the Internet — to handle their
data and computing faster and cheaper, relying on providers like Amazon,
Google, SoftLayer, Rackspace and others.

And many of the companies’ employees are turning to consumer cloud
services, like Google Docs and Dropbox accounts, to readily access files —
work and personal ones — wherever they are, including at home or at the
neighborhood Starbucks.

A hitch to all this newfound speed and convenience? Security. In most
cases, specialists say, cloud security still lags far behind the layers of
physical and network security of computer rooms down the hall.

“We’re seeing growing confidence in the cloud — not because we magically
solved the security problems — but because we’ve seen them put aside as
operational practicalities trump security,” said Hugh Thompson, the chief
security strategist of Blue Coat Systems, a provider of security technology.

But as the drumbeat of data breaches has intensified in recent years, cloud
security start-ups have cropped up to offer secure, end-to-end encryption
and authentication schemes, and to make sure corporate servers aren’t
talking to strangers. Last year’s $3.2 billion cloud security services
market is predicted to nearly triple by 2017, to $9.2 billion, according to
a report last October by Infonetics, a market research firm.

“There’s no more debate,” said Rajat Bhargava, co-founder of JumpCloud, a
cloud security start-up. “When you don’t own the network, it’s open to the
rest of the world, and you don’t control the layers of the stack, the cloud
— by definition — is more insecure than storing data on premises.”

The risks to cloud-stored data are all too familiar. The top method for
cloud-based data compromises, Mr. Bhargava and other experts say, is stolen
or cracked passwords. Hackers gained access to Target’s data by stealing a
vendor’s login information. More recently, at eBay, hackers gained access
to its entire customer database by stealing an employee’s passwords.

Those cases, experts say, are increasingly the norm, not the exception.
Getting a password can be easy. Hackers often just send an email to a
corporate administrator or trusted vendor containing a malicious link. If
clicked, the link can download password-stealing malware onto a machine, or
redirect users to a fake webpage that baits them into entering their login
credentials.

Because cloud providers aggregate data for so many companies, a breach of a
cloud provider’s account can start a costly chain reaction. That was the
case at MongoHQ, a cloud provider, last year. An attacker stole a MongoHQ
employee’s password, gaining access to the company’s customer database and
its customers’ social media accounts. In some cases, he even got access to
customers’ storage accounts with Amazon Web Services, Amazon’s cloud
computing offering, which stores vast amounts of data for companies
worldwide.

There are also unsettled legal issues. Microsoft is challenging the right
of American authorities to compel it to turn over customer emails stored
in an Irish data center. The court fight is being carefully watched by
other big Internet companies, worried that the data of customers from other
countries could be subject to seizure by American investigators, regardless
of where that data was stored.

The most basic defense, security experts say, is strong authentication
schemes — and strong, unique passwords to different cloud applications are
only the start. Security specialists recommend that companies enable
multifactor authentication, perhaps requiring users to sign in with their
password as well as a one-time code, like one texted to their phones or
momentarily displayed on a security token.

But, security experts add, businesses would be wise to monitor where login
requests are coming from. New security technologies offered by companies
like ThreatMetrix and 41st Parameter can track where and from which machine
a request is originating.

A login request to an American company’s human resources database may sound
alarms if, say, its origin is an unrecognized I.P. address in China, or
from a machine that relies on Russian language fonts.
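An added illustration of the login-origin check described above (example code written for this archive post, not from ThreatMetrix, 41st Parameter or the article): it runs over constructed log lines, treats the corporate range as trusted, and flags access to the HR database from an address outside the expected country or from a client advertising an unexpected locale. The IP ranges, country labels, locale header and resource names are all assumptions for the example; a real deployment would consult a GeoIP database and device fingerprint instead of a hard-coded table.

```python
import ipaddress
from typing import Dict, List

# Constructed sample log lines (not from the article):
# timestamp, user, source IP, client Accept-Language, resource accessed
SAMPLE_LOGS = [
    "2014-06-12T08:01:10Z alice 10.20.30.41 en-US hr-db",
    "2014-06-12T08:03:55Z bob 203.0.113.7 en-US hr-db",
    "2014-06-12T23:14:02Z alice 198.51.100.23 ru-RU hr-db",
    "2014-06-12T23:15:40Z carol 10.20.30.99 en-US wiki",
]

# Assumed policy for the example. The prefixes are RFC 5737 documentation
# ranges and the country labels are made up for the demonstration; they do
# not reflect real geolocation.
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]
KNOWN_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
}
EXPECTED_COUNTRIES = {"US"}
EXPECTED_LANG_PREFIX = "en"       # locale is a stand-in for the "Russian fonts" signal
SENSITIVE_RESOURCES = {"hr-db"}   # only these resources get the strict check


def country_of(ip: ipaddress.IPv4Address) -> str:
    """Return the assumed country label for an address, or '??' if unknown."""
    for net, cc in KNOWN_COUNTRY.items():
        if ip in net:
            return cc
    return "??"


def score_login(line: str) -> Dict:
    """Evaluate one log line; returns the parsed fields plus alert reasons."""
    ts, user, ip_s, lang, resource = line.split()
    ip = ipaddress.ip_address(ip_s)
    reasons: List[str] = []
    # Corporate addresses are trusted; everything else reaching a sensitive
    # resource is checked against the expected country and client locale.
    if resource in SENSITIVE_RESOURCES and not any(ip in n for n in TRUSTED_NETS):
        cc = country_of(ip)
        if cc not in EXPECTED_COUNTRIES:
            reasons.append(f"unrecognized source {ip_s} ({cc})")
        if not lang.lower().startswith(EXPECTED_LANG_PREFIX):
            reasons.append(f"unexpected client locale {lang}")
    return {"ts": ts, "user": user, "resource": resource,
            "alert": bool(reasons), "reasons": reasons}


def flag_logins(lines: List[str]) -> List[Dict]:
    """Return only the log entries that should raise an alarm."""
    return [r for r in map(score_login, lines) if r["alert"]]
```

Run against the constructed lines, only alice's late-night access to hr-db from the unexpected range is flagged; bob's access from the expected country and carol's wiki access pass.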

Servers are also a hacking target, researchers say, and administrators must
be vigilant about regular updates.

Even with all those protections, computer security remains a cat-and-mouse
game. Experts say companies would be wise to plan for the worst case —
assuming that somebody with the will and wherewithal to steal data from a
cloud provider will find a way. One option is to make the data unreadable,
by encrypting it even before it reaches a cloud provider. Young companies
like CipherCloud and Voltage Security offer encryption for data as it moves
from employees’ computers to the cloud.

But only a small percentage of businesses are employing such services,
according to an April study by the Ponemon Institute, which studies data
privacy. Over half of the 4,000 organizations the group studied admitted
that they stored their most sensitive data unencrypted in the cloud.

With breach after breach, security experts say the status quo is simply no
longer acceptable.

“Encryption is an overhead. It’s a hassle; there’s no great way to do it
easily or simply, it causes performance issues and it’s just a pain, but
you have to do it,” said Mr. Bhargava. In addition, experts say, companies
should safely store the cryptographic keys that decipher their data — not a
simple task.

Many companies store their keys on the servers the keys can decrypt — the
digital equivalent of leaving the house key under the doormat. The risk of
storing the keys in that way was demonstrated recently, when security
researchers exploited the recently disclosed Heartbleed bug by pulling
encryption keys off a server.

If there’s any upside to the recent breaches, security experts say, it is
that executives now have a greater awareness of the cloud’s perils.

Executives who once thought of themselves as gatekeepers now recognize that
employees will find a way to use cloud services regardless of whether their
company allows it, and that the company needs to take steps to protect the
data that is stored and shared.

“There’s been a mind shift,” said Rajiv Gupta, the co-founder of Skyhigh
Networks, a start-up that helps companies get a handle on rogue apps.

“Earlier, they felt that information technology had to be provided to
employees. Now they’re asking how to enable employees to use the cloud in a
way that meets the organization’s security, privacy and compliance
requirements.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 