Todas las entradas hechas por edmacnair

It’s time to practice what we preach in cloud security

(c)iStock.com/maxkabakov

Cloud applications are awash within businesses today – whether the organisation knows it or not. There are more than 4.2 million apps available across the Android and Apple stores alone, so it shouldn’t come as a surprise to anyone that employees are quick to download the latest app instead of going through the red tape of IT procurement, provisioning, testing and security. From Dropbox and Twitter to Facebook and Salesforce, apps have become the de facto method for sharing and storing data, allowing easy access and greater collaboration. In principle this is no bad thing, but in reality there’s risk involved and businesses are often innocent bystanders.

We’re all at the mercy of someone else’s security policies. I can have every single possible security tool, device and dashboard in place, but if a service I use is hacked? That’s out of my control. In the last couple of weeks Dropbox confirmed a hack in 2012 had resulted in 68 million user names and passwords appearing online. That’s around a third of Dropbox’s user base. A couple of days later OneLogin announced a bug had let a hacker view users’ secure notes, potentially exposing a Pandora’s box of information for anyone looking to move sideways in big businesses.

Most hackers are after a quick and easy payday. And any savvy hacker knows there’s loot to be had from cloud services. Given today’s consumer / corporate crossover world we live in, things like Dropbox are a prime target as they’re a vast cache of IP and corporate databases – and probably a fair amount of personal information that can exploited. At the same time, apps like OneLogin are designed to increase security and anyone looking to procure a few passwords would do well to try their luck here. 

The cloud industry has been hard at work dragging people over the line in the security debate for some time.  We have worked hard to tackle the issue head on and incidents like these don’t help assuage the doubts that many still have.

Enterprises are bombarded with advice about how to keep their data safe. We tell them about the importance of monitoring network activity, of knowing what their employees are doing, the need for layered solutions and access controls. But we need to practice what we preach.

It doesn’t matter if you’re a cloud app provider, a cloud security provider, an end user, or a service provider the same rules apply. If your password database is accessed and its contents downloaded or moved, big red, loud alarm bells should be ringing and, if they’re not, you’re not doing it right. Everyone needs an understanding of what normal looks like for their business, who is accessing what and from where, as well as the ability to control what can and can’t be done.  

The cloud shouldn’t be feared; it should be embraced with open arms. But, as an industry, we need to take care of our own backyard first; otherwise we’re falling at the first hurdle.

Encryption of cloud data is great – but it’s not a magic bullet

(c)iStock.com/BsWei

The headlong stampede of enterprise data into the cloud has passed by.

A few years ago I might have written it was ‘underway,’ but this would grossly understate the situation.  Data which was once stored on premise has left the building, the twinkling lights on the tin box in your racks are slowly blinking out. Data osmosis is taking place, draining life force from these antiquated shells into vast data-centres run by some of the largest companies on earth.   It is more than a trend.  It is just reality. 

So as a million barn gates are slammed, the new question on everyone’s lips is one of security.   How do we keep that perfectly curated company data safe when prying eyes hidden in a world of VPNs, bulletproof hosting and dark forums are watching?   In this world, encryption is often touted as a saviour.  People have been given hope by a technique shrouded in a complex veil of military nomenclature and supported by brain melting numbers, with billions of possible variations.

I’m not here to criticise encryption.  It brings a level of complexity that is good in many respects as it makes things harder for threat actors. Encrypted data is more secure than unencrypted data, as long as keys are stored separately and updated on a regular basis. Fact. Google agrees, and that is often a good sign. Low frequency access to data at rest will be well served by encryption because access is not required often, and it is hard to do.

This complexity also exposes one of the weaknesses of the approach, however. Encryption is a reflection of the fact that it is expecting to be stolen, a defensive posture. However, one of the main points of having data in the cloud is because it is supposed to be easy to access.  Wherever, whenever, right?

As more and more daily business is done in the cloud we need to enable this, not make it harder. Also, there is the great unmentionable that the vast majority of data breaches come from within the organisation, and it’s not a great stretch to assume that this could happen by grabbing encryption keys, using social engineering.  

For this reason, monitoring and access control needs to be a big part of keeping cloud data safe. Organisations need to know who has accessed what, where from and what they are doing with it.  Actually, the most important thing to know is, are they allowed to do what they are trying to with your cloud data? We need to know more than plain ‘access attempts’; we need to learn about every single person in any given organisation, what their role is and if they are acting within it. 

Encryption is a wall.  It is a very high wall with barbed wire around your data and a very good way of stopping people accessing things.  However, data sitting inert is just a bunch of information stored on a disc.  Data needs to be free, in motion and used by humans, if it is to be given value.  For this reason, we need to enable organisations in an intelligent manner.  Give people the tools to make the most of their data, rather than just locking it in a bunker.