Cloud Security: Take Nothing for Granted
Think you’re safe in the cloud? You might want to think again.
According to a survey by the Ponemon Institute, many U.S. cloud providers put security low on their list of priorities. For example, only 25 percent of those surveyed said their IT leaders were concerned about the level of security they offer to customers. A large majority said cloud users, not providers, bear most of the responsibility for security.
If you assume your provider is looking out for the security of your data and systems, you may be setting yourself up for trouble. You can’t eliminate every threat, but there are many steps you can take to insulate yourself from the worst.
Know the Risks
When cloud security goes spectacularly wrong, it tends to make the news. Such incidents can help teach you what to look out for and how to shield your valuable data and systems. A few recent examples:
For almost four hours in June 2011, a bug in Dropbox’s authentication software allowed users to access any of its 25 million online storage accounts using any password. An unauthorized user reportedly took advantage of the error to log in to about a hundred user accounts. The damage could have been far worse.
What you can do:
- Build in multiple layers of protection, so that no single problem can lead to catastrophe. For instance, you can set up separate databases for each account, and have the login process connect to just one database, so a mistake that exposes one client’s data won’t expose that of others.
An intruder recently broke into the systems of Epsilon, a leading email marketing firm, and stole customer data from over two dozen corporations. Epsilon’s servers may have fallen victim to a SQL injection attack—a common tactic in which a hacker smuggles in malicious database commands through a vulnerable Web application. The use of a single large database to store information may have compounded the problem, by allowing a hacker who could see one customer’s data to access the data of other users as well.
What you can do:
- Verify that your programming team employs code reviews and test protocols to detect such specific vulnerabilities. The programming team can also force all attempts to access the database to go through just a few carefully vetted classes.
- Distribute portions of your data and your application among separate databases and even separate servers. Beware of placing all your data in a single place or system.
A TV production company is suing its former cloud provider, CyberLynk, for the loss of 14 episodes of an animated children’s show. According to the lawsuit, a fired employee regained access to CyberLynk’s systems and wiped out enough data to destroy almost an entire season of “Zodiac Island.” Even worse, CyberLynk’s backup procedures allegedly failed, making it impossible to reconstruct the lost programs.
What you can do:
- Take charge of disaster recovery. Implement your own strategy, using more than one provider to back up your systems and data.
- Minimize access to backup systems, and harden your backup servers to prevent intrusion attempts.
- Run periodic data recovery tests to make sure your backups are actually in place and can be recovered.
Last year, criminals broke into the system of a cloud provider used by Honda and stole information on 2.2 million customers, including vehicle identification numbers. It’s not clear how and why VINs ended up in an email marketing database. That gave the thieves access to even more sensitive data than they already had.
What you can do:
- Review your own organization’s procedures for handling and transferring data to the cloud. Make sure you’re not transferring any more than you have to.
- Encrypt sensitive data, and architect your systems so that especially sensitive data can only be decrypted by a separate machine. That way, a compromised server won’t endanger your information.
A huge proportion of Amazon cloud customers, a security research group has found, are leaving themselves open to attack by ignoring Amazon’s security guidelines. The researchers were able to infiltrate almost one-third of the virtual machines they tested, allowing them to extract passwords and other vital data.
What you can do:
- Be sure your organization understands and follows all of your provider’s security recommendations.
Better Safe Than Sorry
These are just some of the specific steps you can take to bolster your security in the cloud. Meanwhile, a few general principles always hold true:
- Understand and vet your provider’s security procedures and capabilities, and insist on transparency.
- Assume your providers are fallible, and use techniques such as encryption and data segregation accordingly.
- Make sure you have personnel who understand cloud security and know which questions to ask. The more internal resources you can draw on, the better.
Of course, you can’t control everything that happens. But as a cloud user, you do have the power to influence events. It is up to you to be vigilant, and do all you can to manage your risks.
