In cloud computing, more data loss on the horizon
The remote data storage business is booming, for companies and hackers alike
By now, the story is familiar: A company takes a trove of data and puts it on a remote cloud server. Then someone hacks into it.
It happens to all kinds of businesses. Verizon. WWE. The political data company Deep Root Analytics. The accounting firm Deloitte. The Facebook photo nostalgia app Timehop. Most notably, it happened to the ride-hailing service Uber, which admitted that hackers broke into a cloud and made off with the personal data of 57 million customers and drivers.
And it will keep happening, experts say, as long as companies continue to misunderstand what it means to convert to the cloud. Businesses often believe their data, applications and operating systems automatically become safer on a remote server.
"This is a very dangerous assumption," said Mark Orlando, chief technology officer for Raytheon cyber services. "There are many cloud service providers and cloud services that are designed only to provide a platform. A common and potentially very damaging mistake is moving to the cloud without understanding what the business is responsible for, and what the cloud service provider is responsible for, from a security perspective."
Cloud computing is an increasingly popular option for businesses. The cloud-services market could generate as much as $236 billion in revenue by the year 2020, according to Forrester Research. The reasons are clear: It's cheaper than maintaining on-site servers, it allows employees to work seamlessly from anywhere, and it adjusts to the size of the organization.
But just like anything else connected to the Internet, it creates opportunities for cybercriminals to attack. Or, as Raytheon's cybersecurity experts tell their clients, cloud computing is just your information on someone else's computer. Setting it up requires the same rigor as any new IT system, Orlando said, and that means looking out for things like lax access controls and mismanaged credentials.
"Any one of these misconfigurations can potentially expose the business to unacceptable risk," he said, "and most of the major breaches we've seen in cloud services have been the result of one or more of these."
The Verizon, WWE and Deep Root Analytics breaches all appear to stem from improper cloud-security settings; media reports on all three incidents said the databases were accessible to anyone who had the URL. In the Deloitte breach, news reports said the attackers signed onto a server that required only a login and password – less protection than many people have on their social media pages. Timehop blamed its breach on a cloud account that lacked multi-factor authentication, which requires users to verify their identity in several ways beyond a simple password.
And in the Uber hack, the intruders found a key to the company's database in an open-source coding repository – essentially an online workshop for computer programmers. By failing to disclose the intrusion for more than a year, the company missed an opportunity to raise the awareness of that threat, Orlando said.
"Hackers talk to each other. By staying silent, Uber has empowered them for a year, where they could have brought this into the light, raised public awareness of the threat and made some good come of this," he said. "Instead, the company gave its attackers exactly what they wanted – a lot of money, and a reason to try this again and again."
Other common mistakes in converting to the cloud include failure to scan old code for vulnerabilities, failure to segregate systems and forgoing "red-teaming," also known as adversary emulation testing, where security consultants play the role of hackers and attempt to breach systems critical to the business.
But data security in the era of cloud computing isn't just about setting things up correctly – it's also about the behavior of employees, said Matt Moynahan, CEO of Forcepoint, a cybersecurity company jointly owned by Raytheon. Using technology to monitor employee activity, identify possible errors and sniff out malicious intent can help reduce risk, he said.
“Regardless of whether organizations are securing data using on-premises or cloud-based technology … organizations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property,” Moynahan said.
Even with all the risks, cloud computing can pay off, Orlando said; it just requires planning and due diligence.
"Cloud computing can be a valuable tool for reducing management overhead, cost, and waste," he said. "The elasticity and self-service features available in the cloud can be difficult and cost prohibitive to implement in a more traditional data center solution, so we shouldn’t dismiss the cloud out of hand."