How Secure Is the Cloud, Really?
Aug 28, 2012 5:00 AM PT
Cloud security skeptics were given yet another reason to doubt the fortitude of online storage when the strange tale of Mat Honan emerged earlier this month. Through the clever use of social engineering, a hacker was able to wreak havoc on the Wired journalist's digital life.
Apparently, the hacker talked Amazon tech support into providing the last four digits of Honan's credit card number. This information was then used to fool Apple into thinking the hacker was Honan and issuing a temporary password for Honan's email account.
The hacker used this information to ultimately delete Honan's Gmail account, permanently reset his AppleID and Twitter passwords, and remotely wipe his iPhone, iPad and MacBook.
Apple and Amazon closed the specific security holes that enabled this attack after news of Honan's problem hit the headlines. But the question remains: How secure is information in the cloud, really?
Hey! You! Come Onto the Cloud!
More than 80 percent of 4,000 business and IT managers worldwide surveyed by the Ponemon Institute on behalf of Thales E-Security are transferring, or plan to transfer, sensitive or confidential data into the cloud.
Nearly half of the respondents' organizations already do so, and another one-third of respondents' organizations are very likely to transfer sensitive or confidential data to the cloud within the next two years.
Meanwhile, in the United States, the federal government is implementing a strategy to move en masse to the cloud to cut costs and be more responsive. The strategy's author, then-federal CIO Vivek Kundra, aimed at moving about US$20 billion of the federal government's estimated $80 billion in IT expenditure to the cloud.
Evil Is Always Possible
Thirty-nine percent of the respondents to the Ponemon survey for Thales said that moving to the cloud has negatively affected the security of their organizations.
About two-thirds of organizations moving their sensitive data to the cloud believe their service providers are primarily responsible for protecting that data. Also, about two-thirds of organizations moving data to the cloud, though not necessarily the same organizations, have little or no knowledge of what measures their providers have put in place to protect data, the survey found.
About half the respondents said their organization applies persistent encryption to data before transferring it to the cloud, and the other half rely on encryption applied within the cloud environment.
However, "Whether your data is on your own servers or in the cloud, it is still your data, and ensuring its security is ultimately your responsibility," Richard Wang, manager of Sophos Labs US, told TechNewsWorld.
"The first step is to realize that all the normal security steps are still necessary in the cloud," said Mario Santana, vice president of cloud security at Terremark.
Organizations moving to the cloud should continue to look at misconfigured systems, default passwords, shared accounts and other problems that have always plagued IT, Santana told TechNewsWorld. "It's surprising how many folks assume that all that stuff is handled as a default part of a cloud service."
The Symptom of a Vacuum
As the federal government moves more data online, social engineering attacks could become more of an issue, Sander Temme, a sales engineer at Thales E-Security, told TechNewsWorld.
"The larger the organization, the greater the attack surface," Temme said. "On the other hand, larger organizations may have the kind of processes and procedures in place that make it much harder to carry out a social engineering attack."
However, the size and technical expertise of Apple and Amazon didn't protect Honan from having his accounts hacked.
The U.S. federal government, with its drive to the cloud, may be particularly vulnerable. Audits by the Government Accountability Office (GAO) and some agencies' internal inspectors general have repeatedly found cybersecurity in federal agencies to be well short of where it should be.
For example, the National Aeronautics and Space Administration (NASA), which spends about $58 million a year for IT security, is still lacking in the information security area, the agency's Inspector-General, Paul Martin, told Congress in February.
Safety Is an Illusion
Several vendors offer security of one sort or another in the cloud. They include AppRiver, McAfee, Panda, Symantec and Safenet.
However, cloud security is "still in its infancy," Torsten George, a vice president at Agiliance, told TechNewsWorld. "The industry still has a ways to go before organizations understand and adopt methodologies and technology to secure data in the cloud."
The employee endpoint is "the Achilles heel [of cloud security]," George Tubin, senior security strategist at Trusteer, told TechNewsWorld. It "must be protected by automated methods that can actually prevent malware from compromising the device."
In the cloud, that endpoint would be the support representative. When users call in saying they forgot their password or don't remember the answers to their security questions, for example, the cloud service "is left with the options of either assisting the user or telling them that they can no longer access their data," Sophos Labs' Wang said.
"The latter option is rather unpopular with customers, so cloud services generally need to have some flexibility, which leaves the door open for social engineering," Wang continued.