As we roll into Friday the 13th, we see that Cloud security is a hot topic again this week. A review of news feeds, blog posts, Twitter feeds and more reveals a plethora of publications and posts generating FUD regarding Cloud security.
The net feeling across all of these is that Cloud is big and scary. The negative quotes cited all seem to be from IT “security experts” and providers of IT security. Hmmm.
The most-cited security breaches include the December 2013 Target breach (not Cloud; a failure to develop and manage adequate security within Target), various laptop and memory stick thefts beginning in the 1990s (obviously not Cloud; failures of security management and practice), and the October 2013 MongoHQ breach, in which the attack came through social media app provider Buffer.
Note the lack of examples occurring since the 4th quarter of last year, when the global stampede to Cloud had really just begun. Again, hmmm.
Was MongoHQ’s failure the first big, true Cloud security failure? Nope. The breach came through what MongoHQ calls “unauthorized access to an internal support application using a password that was shared with a compromised personal account.” Kudos to @alexwilliams of TechCrunch, who perfectly summed up the MongoHQ problem thusly: “In other words, an employee was fooled into giving up their account credentials.”
As in so many other security breaches, the security technology put in place did not fail. The Cloud technology did not fail. Management of IT resources failed, first in that an internal support application was exposed to Internet access, which by itself would not have been a problem if a MongoHQ employee had been properly trained and managed in security practices.
In that same case, Buffer CEO Joel Gascoigne also took the blame, telling Hacker News a few days later that the access tokens used were not encrypted, and that if the access tokens had been encrypted, the breach would have been avoided. Again, this was not a Cloud failure, and not a technology failure, but a simple management failure. In their defense, Buffer’s management policy almost immediately began requiring access tokens to be encrypted: “In short, we encrypted all access tokens for Twitter and Facebook and also added other security measurements to make everything much more bullet-proof.” (Buffer CEO Joel Gascoigne, 26 Oct 2013)
Cloud enables businesses to utilize vast and scalable resources at low, low affordable prices, and so that’s what businesses are doing: placing vast amounts of information in Clouds, and relying upon vast amounts of storage and processing, all at low, low affordable prices. Cloud providers’ architectures are more sound, and remain more secure and reliable, than almost any private enterprise IT architecture.
What continues to fail is the management of security. The known security problems related to Cloud, to date, have been engendered and enabled by management failure.
Some of this comes from continuing inadequate, perimeter-focused, technology-first IT security practices, which are in themselves a large and prolonged management failure. The fact that even some Cloud providers, typically thought to be leading-edge in technology and business, continue to apply these same types of security practices amazes me.
But some management failure also comes from Cloud providers’ customers, the companies that outsource storage, processing, apps and more to Cloud. It’s not blaming the victim to suggest that too many businesses don’t look far enough into, or demand enough from, Cloud providers’ security management. Too often, we find businesses satisfied with explanations of a Cloud provider’s security as part of its architecture and technologies. We don’t probe enough about security management practices, about exposures, about testing, and about responses. And we don’t pay enough attention to the simple fact that relying upon Cloud-based resources means relying upon a series of interconnected Cloud and on-premises resources, and that the more connections there are, the more exposures there are.
Our traditional perimeter-first, technology-centered IT security approach cannot address this; as Jim Hurley and other Saugatuck analysts have said, perimeter-focused security can’t work when there’s no perimeter.
How are you going to deal with this?
This blog was originally published on Saugatuck's Lens360 blog on June 13, 2014. Published with permission.