It seems that every other week the Internet is abuzz with the latest exploit of a cloud service, and many are quick to jump the gun and label these services insecure. Recently the popular cloud service Evernote received a lot of flak from the media when its security team forced a service-wide password reset after spotting suspicious activity on its network. Despite the similarities between this incident and the 2012 LinkedIn hack, Evernote's passwords were at least protected with one-way encryption (salted hashes, where LinkedIn had leaked unsalted ones), although that should not take away from the fact that data was stolen.
Several blog posts following Evernote's announcement weighed the strengths and weaknesses of cloud services, covering everything from password protection to encryption strength, and as usual some took the opportunity to dwell on the inherent risks of using any cloud service at all. As CTO of Cloud at AppSense, I find it frustrating that so-called security experts treat every such incident as an excuse to attack cloud services and saddle the term with a laundry list of negative connotations.
The term cloud means different things to different people, but overall we can agree that it is a form of Internet-delivered technology. On the list of cloud service poster children you'll find Salesforce, Workday and Box. These services, and the growing number that follow them, are enabling richer, more flexible workforce environments. With the rapid emergence of cloud technology it is understandable that flaws in code will occur and that from time to time those flaws will be exploited. What isn't often covered in cloud gossip news is that the exploited services make up a tiny fraction of the cloud services available, and that the flaws themselves aren't much different from the security issues that have come up in other systems in the past.
Every system has its weaknesses. In the past, hackers would war-dial for modems attached to unprotected machines and use them as access points into otherwise protected networks. While this approach compromised a great number of systems over time, it didn't mean that remote computer access was insecure, just that people's implementation of it was. In his book Ghost in the Wires, Kevin Mitnick describes how, through social engineering, he was often able to obtain information from systems that were not reachable from outside at all.
I've said it before and I will say it again: when you take into account everything from physical data center controls to intrusion detection, the security offered by some of these cloud services is better than that of many enterprise organizations. Yes, services do get exploited and data is often stolen, but the real question is whether the same data would have been stolen from an on-premises system anyway. Cloud services give the enterprise an easier, more frictionless way to reach corporate data, in many cases removing the need for VPN connections and the like. I agree that removing the VPN removes a layer of security, but it is really just moving the attack surface, and as we know, history is littered with VPN exploits and numerous issues with other security layers.
The security of cloud services is a two-way street, with part of the responsibility on the vendor and the other part on the user. Yes, some service providers will write bad, exploitable code, but unfortunately this is no different from how it has always been, and wherever possible the consumer of such technology should verify the vendor's solution as far as they can, for example by asking for independent audit and penetration test results. Let's not forget that the user is also responsible for a significant portion of security and for age-old lessons such as using strong passwords that are unique to each service, so that one provider's breach does not unlock every other account. By combining technologies, organizations can often encrypt data locally before storing it with a cloud service provider, keeping the keys under their own control while the provider holds only the lock.
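As an added illustration of that last point (example code written for this edit, not AppSense's or any vendor's product), here is a Go program in which the customer generates and holds an AES-256 key and seals each document with AES-GCM before handing it to a stand-in for the provider's storage. The names `cloudStore`, `sealLocally` and `openLocally` are my own, and the sample document is constructed. It shows what a breach of the provider yields when the keys live elsewhere: an attacker who dumps the store gets ciphertext, and any attempt to alter the stored blob is detected when the owner reads it back.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// cloudStore stands in for the provider's storage. In this model it only ever
// receives ciphertext, so a breach of the store alone yields nothing readable.
type cloudStore map[string][]byte

// newKey generates a 256-bit AES key. It is generated and kept on the customer
// side (an HSM, a key vault, or a secret on the client) and never uploaded.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealLocally encrypts plaintext with AES-256-GCM before it leaves the client.
// The returned blob is nonce || ciphertext || tag; the GCM tag means the provider
// (or an attacker who breaches it) cannot silently modify the stored data either.
func sealLocally(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openLocally decrypts a blob fetched back from the provider. Any bit flip in the
// nonce, ciphertext or tag, or use of the wrong key, makes Open return an error.
func openLocally(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	store := cloudStore{}

	// Constructed sample document; in practice this is whatever file the user uploads.
	doc := []byte("Q3 board notes: acquisition target is Example Corp")

	blob, err := sealLocally(key, doc)
	if err != nil {
		panic(err)
	}
	store["notes/q3.txt"] = blob // the provider stores and serves only this

	// Legitimate client: holds the key, so it can read its own data back.
	back, err := openLocally(key, store["notes/q3.txt"])
	fmt.Printf("client read back: %q (err=%v)\n", back, err)

	// Attacker who dumps the provider's storage: has the blob, not the key.
	otherKey, _ := newKey()
	_, err = openLocally(otherKey, store["notes/q3.txt"])
	fmt.Println("attacker with wrong key:", err)

	// Attacker who tampers with the stored blob: the GCM tag no longer verifies.
	tampered := append([]byte(nil), store["notes/q3.txt"]...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openLocally(key, tampered)
	fmt.Println("tampered blob:", err)
}
```

The design choice worth noting is that the nonce is stored alongside the ciphertext (it is not secret, only unique per key), while the key is the only thing the provider never sees; losing the key means losing the data, so key backup and rotation become the customer's problem rather than the vendor's.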
The key message here is that a small number of exploited cloud services do not demonstrate that cloud technology is fundamentally flawed. As always, education is key, and understanding the ins and outs of all of your technology providers is essential to protecting your assets. Don't be afraid to demand detailed explanations from vendors. The evolution of IT means we must rise above the noise and educate ourselves appropriately. After all, if we had bought into the hype of all the security pessimists of the past, none of us would be using the Internet.