In cloud computing, more data loss on the horizon
The remote data storage business is booming, for companies and hackers alike
By now, it’s a familiar story: A major company puts massive amounts of data on a cloud – then apologizes after someone finds a way in, gaining access to personal information about millions of people.
And it will keep happening, experts say, especially when companies neglect data security in their eagerness to convert to the cloud.
“They inherently believe they get all these magical properties of security by moving (to the cloud), and it just doesn’t happen,” said Josh Douglas, chief strategy officer, Cyber Services for Raytheon, a consultant to companies and agencies of all sizes.
Cloud computing – the storage of data and software on a remote server – is an increasingly popular option for businesses. The cloud-services market could generate as much as $236 billion in revenue by the year 2020, according to Forrester Research. The reasons are clear: The cloud cuts the cost of hosting and maintaining on-site servers, it allows employees to work seamlessly from anywhere, and it adjusts to the size of the organization.
But just like any other connection to the internet, it creates ample opportunities for cybercriminals to attack, Douglas said.
“People need to design and deliver for the cloud, and not just assume they can transfer existing applications and data over without forethought of the security requirements,” he said. “The cloud is just someone else’s computer system, and you have to configure that computer system like you would your own.”
The Verizon, WWE and Deep Root Analytics breaches all appear to stem from improper cloud-security settings; media reports on all three incidents said the databases were accessible to anyone who had the URL.
Douglas said other common mistakes in converting to the cloud include failure to scan old code for vulnerabilities, failure to segregate systems and forgoing "red-teaming," also known as adversary emulation testing, where security consultants play the role of hackers and attempt to breach systems critical to the business.
But data security in the era of cloud computing isn't just about setting things up correctly – it's also about the behavior of employees, said Matt Moynahan, CEO of Forcepoint, a cybersecurity company jointly owned by Raytheon. Using technology to monitor employee activity, identify possible errors and sniff out malicious intent can help reduce risk, he said.
“Regardless of whether organizations are securing data using on-premises or cloud-based technology … organizations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property,” Moynahan said.
But businesses shouldn’t let the risks scare them away from cloud computing, Douglas said. Companies often over-correct after cybersecurity problems, with security measures so strict they impede the growth of business. That, Douglas said, is also a mistake.
“If the pendulum swings too far to the right, security puts a standstill to the innovation and technology,” he said. “It’s important to adopt things like clouds, because that innovation is what helps our society grow.”
Last Updated: 09/07/2017