BreachExchange mailing list archives

The #Cloud, Security and Breaches – Are the Barbarians at the Gate?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 8 Sep 2014 18:52:32 -0600

http://cloudcomputing.sys-con.com/node/3176447

Target. Home Depot. Community Health Systems. Neiman Marcus. Their names
have all been in the news over the past year, though probably not in a way
they would like. All have had very public data breaches affecting anywhere
from 350,000 (Neiman Marcus) to 4.5 million (Community Health Systems)
customers. Add the recent high-profile celebrity nude photo hacking scandal
and cloud security has become the trending topic in all the news and social
media. Some of the discussions reminded me of a line from a short-lived TV
show called 'Almost Human' (yes I watched it, and since it was not renewed,
apparently I was part of a small group). In the opening sequence of the
show was the line 'technology has forever altered the criminal landscape.'
Is that where we are? Are the barbarians at the gate? Will this, or should
this, impact decisions about migrating to the cloud?

Cloud: guilt by association
Cloud has become the ubiquitous term and so overused that whenever a breach
happens, it's assumed it is a cloud problem. The reality is that out of all
the breaches I mentioned earlier, only one of them - the celebrity nude
photo scandal - had any connection to cloud technology. In his recent
article Celebrities get phished, cloud gets blamed, David Linthicum makes
the point saying that "no matter if it's truly a cloud service or, in most
cases, internal systems that are somehow compromised. Because no one in the
general media really knows what a 'cloud' is, it's all a cloud to them."
The other breaches I listed were all internal system breaches, with various
methods used to accomplish the breach. 11 Steps Attackers Took to Crack
Target gives a great detailed description of the process the hackers used
to breach Target's systems last year. While the first step started with a
simple email phishing campaign, it required a complex set of tasks executed
over time to eventually compromise Target's Point of Sale (PoS) systems,
which is where the actual breach occurred. None of that had anything to do
with the cloud.

No technology negates the need for design and planning
While a majority of the highly public security breaches may not be related
to the cloud, that does not mean going to the cloud has no security risks
involved. Going to the cloud does not automatically give you the security
you may need for your data. Like any other complex system, the risks must
be understood, analyzed and planned for. Mitigation strategies should be
put in place, and test plans designed and developed to validate that the
security you have put in place is working as expected. In addition, this
should not be a 'once and done' type of planning. Security risks are
changing at breakneck speeds in the Social, Mobile, Analytic and Cloud
(SMAC) disruptive technology landscape of today. These disruptions have
altered the criminal landscape, and while the barbarians may not be
literally at the gate, they will always be trying to storm the castle,
testing your defenses, trying to find other ways in, and seeking the
treasures behind those walls - your data.


No system is ever 100 percent safe
This is not meant to be a doom and gloom prediction, just a reality of
networked systems. The only 100 percent secure system is one that has no
network connections and that no one has physical access to - obviously that
level of protection is not realistic or usable in any way. Going to the
cloud can be just as secure (if not more so) than using internal-only
systems. Whether in the cloud or not, putting security mechanisms in place
is always a delicate balancing act between protection and usability of the
system. Everything is a tradeoff. As technologists, it is our
responsibility to identify the risks and options available with their
inherent tradeoffs, and work with the business to determine the appropriate
mechanisms to put in place. Ideally, the two primary goals when designing
and testing your security measures should be:

- Make it so difficult and time-consuming to break through that those
trying will just move on
- Have mechanisms in place to detect attempts to get through those barriers
so that countermeasures can be taken (up to and including taking the system
offline if the protection of the data is critical enough)

These always need to be balanced and measured with the business to ensure
everyone is making informed decisions based on the business benefits,
usability and risk associated with those decisions.

Are the barbarians at the gate?
Yes, they always have been and they always will be. There will always be
people out there trying to hack into systems, whether for criminal intent
or just because. It doesn't mean we should avoid going to the cloud or
avoid providing access to systems that have legitimate business value. It
just means we should always do our due diligence, identify the risks,
design and plan to deal with those risks, and work in concert with the
business so that informed decisions get made and all stakeholders have the
appropriate expectations. This process should be constantly in motion and
evolving given how quickly technology is moving in the disruptive SMAC
landscape we operate in today.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
