Cloud computing: more data loss ahead
Remote data storage is booming, for companies and hackers alike
You can't always hide in the cloud.
In July, federal officials revealed that a hacker made off with personal information from more than 100 million Capital One customers in one of the largest data breaches on record. The FBI arrested Seattle software engineer Paige Thompson, who they said had downloaded 30 gigabytes of Capital One credit card application data from a rented cloud server, including some 140,000 Social Security numbers, one million Canadian Social Insurance numbers and 80,000 bank account numbers.
A number of businesses have been similarly hit because they relied on the cloud, storing information on servers that run on the internet rather than on computer hard drives that they own. Among the victims: Verizon. WWE. The political data company Deep Root Analytics. The accounting firm Deloitte. The Facebook photo nostalgia app Timehop. Most notably, it happened to the ride-hailing service Uber, which admitted that hackers broke into a cloud and made off with the personal data of 57 million customers and drivers.
There will be more such cyberattacks as long as companies misunderstand what it means to convert to the cloud, experts said. Businesses sometimes mistakenly believe their data, applications and operating systems are safer because they're stored on a remote server.
"Migrating to the cloud doesn’t make you more secure," said Mark Orlando, chief technology officer for Raytheon cyber services, adding that a company that outsources data and processing must realize it's depending on a service provider's security controls to keep the information safe. "Corporations must understand the risks they’re accepting in migrating to the cloud and make the necessary investments in security – both within the corporate network and the external cloud environment – to deploy the necessary controls and conduct routine audits."
Cloud computing is an increasingly popular option for businesses. The cloud-services market could generate as much as $236 billion in revenue by the year 2020, according to Forrester Research. The reasons are clear: It's cheaper than maintaining on-site servers, it allows employees to work seamlessly from anywhere, and it adjusts to the size of the organization.
But just like anything else connected to the Internet, it creates opportunities for cybercriminals to attack. Cloud computing is just your information on someone else's computer. Setting it up requires the same rigor as any new IT system, Orlando said, and that means looking out for things like lax access controls and mismanaged credentials.
"Any one of these misconfigurations can potentially expose the business to unacceptable risk," he said, "and most of the major breaches we've seen in cloud services have been the result of one or more of these."
The Verizon, WWE and Deep Root Analytics breaches all appear to stem from improper cloud-security settings; media reports on all three incidents said the databases were accessible to anyone who had the URL. Thompson knew how to get to Capital One's data because she had worked for the bank's service provider, and reportedly used her inside knowledge to hack a server with the information.
In the Deloitte breach, news reports said the attackers signed onto a server that required only a login and password – less protection than many people have on their social media pages. Timehop blamed its breach on a cloud account that lacked multi-factor authentication, which requires users to verify their identity in several ways beyond a simple password.
And in the Uber hack, the intruders found a key to the company's database in an open-source coding repository – essentially an online workshop for computer programmers. By failing to disclose the intrusion for more than a year, the company missed an opportunity to raise the awareness of that threat, Orlando said.
"Hackers talk to each other. By staying silent, Uber has empowered them for a year, where they could have brought this into the light, raised public awareness of the threat and made some good come of this," he said. "Instead, the company gave its attackers exactly what they wanted – a lot of money, and a reason to try this again and again."
Other common mistakes in converting to the cloud include failure to scan old code for vulnerabilities, failure to segregate systems and forgoing "red-teaming," also known as adversary emulation testing, where security consultants play the role of hackers and attempt to breach systems critical to the business.
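The Uber case above, a database key left in a code repository, is the kind of exposure a repository scan can catch before code is published. The following Python check is an added example, not code from the article or from any company named in it; the file names, sample contents, name patterns, placeholder list and entropy threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Assignment whose name suggests a credential, e.g. db_password = "..."
ASSIGN = re.compile(
    r"""\b([a-z0-9_]*(?:key|secret|token|passw(?:or)?d)[a-z0-9_]*)"""
    r"""\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE,
)
# Substrings that mark documentation placeholders (assumed list)
PLACEHOLDERS = ("changeme", "example", "placeholder", "xxxx", "${", "<")


def shannon_entropy(value):
    """Bits per character; random keys score higher than words."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def scan_text(path, text, min_entropy=3.5):
    """Return (path, line number, variable name) for likely hard-coded secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in ASSIGN.finditer(line):
            name, value = match.groups()
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # template or documentation value
            if shannon_entropy(value) < min_entropy:
                continue  # too regular to be a generated key
            findings.append((path, lineno, name))  # the value is never stored
    return findings


def scan_repo(files):
    """files maps path -> contents; returns findings for every file."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files; none of these values are real credentials.
SAMPLE_REPO = {
    "config/settings.py": 'DEBUG = False\nDB_PASSWORD = "q7Vx2LmZ9tRw4KpB8sNd"\n',
    "README.md": 'Set api_key = "changeme-before-deploy" in your env.\n',
    "app/db.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
    "deploy.yml": "storage_access_key: 'Zk3pQ9vT1xLm8Rw2YbN6cHd5'\n",
}

if __name__ == "__main__":
    for path, lineno, name in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: possible hard-coded secret in {name}")
```

Run as a pre-commit or CI step, a check like this reports the file, line and variable name only, so the scan output does not itself become a second copy of the secret.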
Securing a large-scale, distributed cloud infrastructure is no easy task. Migrating to the cloud presents new and complex challenges for data security, and it doesn’t necessarily absolve corporations of responsibility for customer data.
"While it’s tempting to knock Capital One for this breach, there’s a lot they got right," Orlando said. "The arrest was made a mere twelve days after the initial vulnerability report, which is light speed in the industry. They had a responsible disclosure process in place and took swift action to investigate and coordinate with law enforcement."
Data security in the era of cloud computing isn't just about setting things up correctly – it's also about the behavior of employees, said Matt Moynahan, CEO of Forcepoint, a cybersecurity company jointly owned by Raytheon. Using technology to monitor employee activity, identify possible errors and sniff out malicious intent can help reduce risk, he said.
"Regardless of whether organizations are securing data using on-premises or cloud-based technology … organizations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property," Moynahan said.
Even with all the risks, cloud computing can pay off, Orlando said; it just requires planning and due diligence.
"Cloud computing can be a valuable tool for reducing management overhead, cost, and waste," he said. "The elasticity and self-service features available in the cloud can be difficult and cost-prohibitive to implement in a more traditional data center solution, so we shouldn’t dismiss the cloud out of hand."