Next year will see the first major public cloud security breach.
According to LogLogic CEO Guy Churchward, the development and launch of public cloud services have occurred at lightning speed and the amount of information that cloud service providers now hold on customers is immense, and more data is collected every second.
He said: “From my experience, many of the ‘household named’ cloud services are used to protecting ‘non-critical’ data; however, the acceptance of cloud and relative trust by consumers has increased to the point that the data criticality has increased faster than their security measures.
“It is here that I think some cloud providers could be open to attack as they've not been (from my experience thus far) as stringent with their security and audit trails as they could be. I'd go as far as saying that some providers have been pretty complacent about their security – a position they perhaps need to revisit.
“We all saw what happened with the Sony breach earlier this year: it can and it will happen.”
He claimed that there is a level of complacency and a lack of control that he expects will lead to the first major external security attack early next year in the cloud.
“It probably won't be a malicious attack, more likely a statement to prove and publicly acknowledge that it can be done. This will set in motion the needed refresh of security measures (kicking policy, compliance and security cloud practices into overdrive) across the industry as consumers demand that their data is better protected,” he said.
“We may even see consumers insist on their providers meeting the ISO 27002 standard in response to such an attack, which guarantees a certain level of cover and service.”
Asked if this breach will occur because standard cloud services were not built with enterprise-level security in mind, Churchward told SC Magazine that it would. Then asked why he felt this would be due to an attack rather than employee or user negligence, he said: “I had a quote from a customer along the lines of ‘if everyone in my company followed our security policies we would not have an issue, the problem is that some of our employees skip steps to expedite rather than following the rules and this leaves a vulnerability that can be exploited’.
“So I am not sure if I would call it deliberate or negligence, more ‘slap dash’ or taking short cuts. Based on this I would say the hole will be caused by three factors: some of the initial cloud services were not set-up with security front and centre; the policies that are in place are antiquated and not stringently followed; there's a really big red target painted on this market's back, which is why I think the initial attack will not be specific to theft but more a creative DIY hacker.”
In reference to the private cloud, Churchward said the enterprise market has been much more cautious as to how they use these types of service and what data they share.
He said: “Their traditional soft and slow approach will serve them well as they try to ensure that the appropriate security solutions and protocols are in place to better safeguard their business.
“Don't get me wrong, a breach will eventually happen in the private cloud too: it's not about ‘if’, it's about ‘when’. But since the enterprise community moving at full bore, the targets are likely to be the softer underbelly of the consumer public cloud service sites first.”
Asked why the private cloud is safer than the public cloud, Churchward said: “The public cloud has more entry points, more consumerisation, interoperability and a larger variety of moving parts and people. Private clouds went private for a reason - locking down as much of the variables as possible.
“The cost economics of the public cloud are massively attractive, so if a company wants to move there, but stick their toe in the water as a first move, then they either go for managed services or private cloud, as this infers a greater control and concern.”
Finally, Churchward was asked if there should be a global regulatory standard for cloud providers (such as ISO 27001 here in the UK). He said there “most definitely should be”, but this was about giving the consumer or user of the service the right facts for them to make informed decisions.
“This means we need something externally policed, not self-certified, and a recognised industry body (FYI, VMware is requiring ISO 27002 for VCloud datacentre offerings to be certified as secure, which is great). It doesn't mean you cannot do business if you don't or won't have these measures in place, but it does mean that the consumer can visibly understand what they are paying for and enable companies to offer premium services for peace of mind,” he said.