Silver linings while clouds gather
There's no denying that cloud adoption is growing at a tremendous pace, along with a subsequent expansion of the threat landscape. Keeping mountains of data from numerous organisations on a third party's servers might be a scary prospect for the security-minded. But, Max Metzger asks, should we be worried?
Should we be worried?
We haven't yet seen the kind of headline-making hack of a cloud provider on the scale of those which have befallen so many in the industry. Perhaps, as the industry cliché goes, it's not a matter of if, but when.
A report released in the second quarter of this year by Experian noted that: “As more information gets stored in the cloud and consumers rely on online services for everything from mobile payments and banking to photo editing and commerce, they become a more attractive target for attackers.” That report, notably, also detailed how most breaches these days have something to do with someone on the inside.
The problem might not necessarily come from outside that metaphorical gaseous form of storage that so many of us use today, but from within. The human threat looms large in the minds of those concerned with data security, whether it's by accident or through the machinations of a disgruntled employee. A recent threat report from Clearswift noted that: “BYOD and cloud coupled with a lack of user awareness are seen as biggest reasons for an increased insider threat.” Clearswift's research goes on to say that 64 percent of those surveyed believed that growth in the use of personal cloud apps is one of the biggest reasons for the increase in insider threats.
The vulnerable cloud
And in fact, the thing that makes the cloud so great might also be what makes it vulnerable. The ability for an organisation to use what is essentially one workspace has been an unparalleled boon for the workplace, but it also means that data is both distributed and stored in one place. That same workplace shares data with, on average, nearly 1,000 external domains. Some 37 percent of documents used within that workplace are shared with someone who is not that document's owner.
While we have not yet seen a major headline-making breach of a cloud provider, we are seeing small ones.
Research by Skyhigh in the US, released earlier this year, showed that 92 percent of companies had cloud credentials available on the darknet. It also found that less than 10 percent of the 16,000 cloud services used met its data security requirements and a similar amount didn't encrypt data at rest. Clearswift also carried out research earlier this year on 23 million cloud users and found that the average organisation undergoes several cloud-enabled data exfiltrations a month, at an average size of nearly 500 MB. We're also seeing cyber-criminals piggybacking on the cloud. In its research, Clearswift identified one cyber-attack which exfiltrated data from an employee's laptop over Twitter, getting the data out in nearly 100,000 tweets, “140 characters at a time”.
So why more companies haven't been breached through the cloud remains something of a mystery, even as the threat landscape has become more visibly, well, threatening.
SC spoke to David Emm, principal security researcher at Kaspersky Lab: “You look back and although there have been incidents to do with the cloud, there hasn't been anything on the scale of Ashley Madison, TalkTalk, or Carphone Warehouse in cloud-land.”
There are a couple of reasons that one might be more vulnerable than the other. Simply, if you're Amazon or Ashley Madison, passwords are about authentication. The place where cloud providers have one up over retailers is that almost from the outset, says Emm, you have to think about security from a data theft point of view: “If you're a cloud provider, almost upfront you're in the business of holding something for somebody in a way that, let's say a normal online retailer isn't.”
To be sure, Emm is not saying it couldn't happen, just that it hasn't happened yet. The fact that there is risk associated with the cloud doesn't mean people shouldn't be engaging with cloud providers, but that they should go in conscious of that risk. “In my view,” says Emm, one should still be working “on the basis that it's your data: What would you do if you had to look after it and you weren't outsourcing it? Now you need to make sure they're doing that.”
Emm's big worry is that cloud security “becomes potentially a single point of failure for multiple companies”. So why haven't we seen that apocalyptic headline yet? Well, it's still early days for the cloud, says Emm. We might be used to seeing breaches like Ashley Madison; they're relatively common these days, “but they weren't two years ago, probably because two years ago, people weren't routinely trying to target them. I suspect the same is true of cloud providers.” Sooner or later, cloud providers will become the bigger target: “I think it will change over time. It's just an inertia thing. Like everybody else in life, cyber-criminals have been doing this, it's been working for them, why change?”
These things can happen at a more sluggish rate than many expect: “We saw the first mobile malware in 2004, everyone kept saying [it was] the next big thing, but it was 2011 before we saw any real uptake.”