Cloud Security Risks Assessed – The Story of the Lion and the Tent
Cloud applications, or Software-as-a-Service applications, are here to stay – that’s for sure. The tipping point has passed, with IDC and Gartner stats showing that around 85% of new software being created is for the Cloud and that 25% of all applications ever written will be available in the Cloud by 2016. Already, nearly three-quarters of software developers are using Cloud-based services in some part of their applications. Yet many CIOs, CEOs and CFOs continue to push back on this new model of computing because of strongly-held concerns about Cloud security risks.
High-profile security breaches at the world’s largest companies don’t help. Most recently, ‘The Fappening’ (where personal photographs have been stolen from the Apple iCloud accounts of high-profile celebrities) has made the press in hundreds of countries. Earlier this week, a breach at JP Morgan compromised tens of millions of bank accounts. Last year, the card details of 40 million customers were compromised at US retailer Target and before that another 56 million cards at Home Depot. Even the activities of governments, for instance, the hacking of politicians’ phones by security services, further amplify the Cloud security risks perceived by business leaders.
It’s a scary world out there, but in an environment where the Cloud is becoming mainstream, King Canute would perhaps agree that it’s impossible to stop the tide. So is it better to examine, understand and mitigate Cloud security risks, rather than run scared of them?
Which brings us to an old joke – twisted roughly here to become a parable about Cloud security risks. You’ve probably heard it before.
There are two guys camping out in the bush. It’s the dead of night and suddenly they hear a blood-curdling roar from just outside their tent. ‘That was a lion,’ says the first guy. ‘It’s going to eat us alive!’
The other guy doesn’t say anything. He just reaches for his bag, takes out his shoes and starts to put them on.
‘You’re crazy,’ says the first guy. ‘You’ll never outrun a lion.’
The second guy replies, ‘I don’t have to, I just have to outrun you!’
The joke isn’t the greatest. Perhaps, at best, it belongs in a Christmas cracker. But it is a useful parable to help explain how to perceive, prioritise and mitigate Cloud security risks in the real world.
Who can run the fastest?
The inference in the joke is that the guy with the shoes on will be safe as he will outrun his friend. A little mercenary, perhaps, but a valid enough analysis in a crisis. When it comes to Cloud security risks, who can outrun whom?
Most Cloud security companies spend thousands, or perhaps millions, of dollars on their Cloud security technology, process, provisions and people. They have to. The moment they lose their customers’ data, they’re finished. A world-dominating brand like Apple iCloud or Sony PlayStation can possibly weather a breach once. But for a commercial Cloud software company, trust and integrity are everything. So they make sure, as best they can, that their shoes are on and tightly laced, ready for when a lion attacks.
Does this make them impregnable? No, of course not. No data is completely safe. In a world where the designs for the latest American fighter plane can be stolen electronically by a foreign government, you can be fairly reassured that if a state-actor-level hacking operation wants the contents of your e-mail inbox, they can get it. As FBI director James Comey says in the news today, ‘There are two kinds of big companies in the United States. Those who’ve been hacked and those who don’t know they’ve been hacked.’
But it does perhaps mean that when faced with a hungry lion outside their tent, the security-paranoid Cloud company is a target which is harder to catch than the typical in-house IT department of a mid-sized company.
To put it another way, if the bad guy really wants your data, would he most likely try to steal it from your Cloud company? Or just get it straight from you?
Which moves us onto our next question.
Who gets caught by the lion?
In professional IT security, we use a term, ‘attack vectors’. Attack vectors are the different ways we can imagine bad guys trying to get at our data. We make a list of them and rank them for likelihood and severity. Then we put in place mitigations for each one.
Attack vectors can be all sorts of things. The obvious one that perhaps springs to mind is ‘being hacked’. The idea of a hacker is usually of someone on the other side of the world, probably sitting in a dingy cellar bathed only in the light of their computer monitor, doing some nifty but nefarious computer stuff and walking right through your firewalls to steal your customer list.
But real-world attack vectors are often a lot simpler. Sure, the above one exists. But usually it’s much easier for the hacker to get at the data in some other way. How about just ringing up someone in your company and asking, in a convincing voice, ‘Can you e-mail me the customer list? Just send it to my personal account because I am out of the office’ (this is called a social engineering attack, and they’re used all the time). Or how about just stealing a laptop from someone’s bag whilst they chat in a bar after work? Then there’s the most likely hack of all – an employee, or former employee, taking data from inside your own network.
Microsoft Excel is another, perhaps unexpected, but potentially massive source of security breaches. Have you ever hit ‘Reply to All’ instead of ‘Forward’ or ‘Reply’ on an email, then accidentally sent a message to people you didn’t intend to? What if that email had an Excel spreadsheet attached to it, which happened to be a list of all your customers? Or your product prices including margins? Ouch.
In the above scenarios the Cloud often represents a much more secure alternative to traditional business processes. Or to put it another way, the place you’re going to lose your data isn’t likely to be through your highly-secure cloud app. It’s likely to be from the pub, or the back seat of a sales person’s car. Or one of your staff is just going to email it to someone (hopefully, by accident).
Do lions even like the taste of you?
Something that all the ‘famous’ data breach stories have in common is, just that – they’re famous. Why? Because if a hacker, or hacking organisation, is going to go to the trouble of getting past your (or your Cloud provider’s) security, there needs to be something worth it for them on the other side of the firewall. Credit card details, bank accounts, embarrassing pictures of undressed celebrities. These are all worth stealing. And what about the hackers who just do it for fun? For these guys, discrediting global brands is often the name of the game.
So if you’re a global brand with databases full of credit card details, bedroom photos and missile schematics, then it’s probably a good idea to both have a world-class in-house security set-up and also be judicious about what parts of your corporate data you choose to upload to the Cloud.
If your data isn’t quite that volatile, then it’s likely you’re not going to be targeted by the same intensive hacking effort as a global brand, bank or consumer electronics company. You still need to be secure, but this security should be right-sized to the scale of your business and the market value of your data.
So in conclusion, what can we learn from our lion story?
Is your Cloud company 100% secure? No, and nor is anyone else, including you. They are, however, probably as secure as, if not more secure than, you already are. It’s their bread and butter, after all.
Is your data likely to be stolen from the Cloud? It’s possible, of course. But it is nowhere near as likely as losing it on a laptop, having it stolen by a disgruntled employee, or even by actively emailing to an external party (accidentally or maliciously). Of course, that doesn’t mean that your Cloud security shouldn’t be super-important – just that it should be seen in context with other attack vectors.
Finally, does anyone want to hack you? The answer here is yes AND no. At a basic level, any company in the world that is connected to the internet and that leaves the front door wide open will get hacked – just by someone doing it for fun or to make mischief. At Matillion, we get dozens of electronic ‘knocks at the door’ every week, from people looking for weak defences. They don’t get anywhere, so go on their way. You need to ensure your basic security is up to speed (ideally validated with a penetration test) to protect yourself from this type of attack and, of course, your Cloud provider(s) will have this sort of protection, and then some, already.
‘No’ is sometimes the answer when it comes to hackers making more sustained efforts than this – people actively trying to hack you and just you to get specific data from your network. That’s only going to happen if your data is valuable to the open market. If you store credit card or bank account details in your systems then these need treating with the utmost respect to security and, as a Cloud software company, we would actually recommend not uploading these into our systems. If you’re a global brand whose website being defaced would make the news, then again, tread carefully. But apart from this, unless you design jet fighters or microchips, then it’s pretty unlikely anyone is going to go to the effort of trying to steal your data. It’s super valuable to you, but probably not to them.
As such, right-size your security, and your concerns about cloud security risks, to fit with your situation.
To learn more about the advanced security offered by Matillion BI, visit our features page.