Earlier this month, as you've no doubt heard, a batch of private pictures of celebrities were circulated widely on the Internet, having been either leaked or stolen from a storage medium the celebrities considered private and trustworthy.
On the theory that one person's misfortune is another's teachable moment, the Internet has been flooded, not by the pictures, but by well-meaning explanations of how users can protect themselves from such privacy violations. Most of them give advice that is mostly good; it's certainly true that most people take far too few precautions with their most sensitive information. But some of it’s misleading, perhaps even betraying an ulterior motive and a hidden agenda.
While experts can agree on the vast majority of things you should do to be safe -- which I won't reiterate here -- sometimes their advice reflects unspoken assumptions or agendas. While there’s a great deal of consensus about how to protect data stored in a given manner, there’s much more debate about whether one type of storage is fundamentally more secure than another.
Consider the lowly flash drive. Some would tell you that the safest place to put your data is on such a drive. It's true that the lack of networking on a storage card makes it immune to network-based attacks, but instead it's vulnerable to physical ones -- those tiny drives are easy to steal, or to lose. Is your security better overall with the flash drive? It's not easy to say.
Similarly, in the recent disclosure of scandalous pictures, some have rushed to say that this shows the insecurity of the cloud. Leaving aside the fact that Apple ultimately concluded that the pictures were not stolen from their cloud service, there's a legitimate (albeit misplaced) question here: Is cloud storage less secure than other forms of large-scale storage?
Obviously it depends on what you look at. As I've said, USB vs cloud strikes me as too close to call on the personal side. But for business users, the right comparison is to on-premises systems. Many executives feel safer knowing that the data doesn't leave their site, where they believe they have complete control. However, while that control might be complete for a small number of businesses, the typical business is far from expert in matters of security, whereas for cloud providers it's a live-or-die issue. With very few exceptions, I think business data is more secure with a good cloud provider than with an overextended, undertrained IT team on premises.
So, does that mean the cloud is more secure than on-premise storage? Again, the answer isn't black and white. How do you know how good your cloud provider is? Do you trade off professional security in the cloud with perceived security in your organization? There's room for disagreement and nuance, for sure.
However, we should all beware of self-interested pundits who draw overly broad conclusions. Not only was the recent leak not a cloud leak after all, but even if it had been, we can't read too much into an isolated event, remembering that nothing is perfect. One security breach doesn't prove that the cloud is unsafe, any more than one accident with a change machine proves that change machines are a menace.
Life is dangerous. The only way to know how much a particular thing endangers us is to look at some longer-term statistics. An isolated event means nothing, but when someone uses such an event to broadly generalize, it can tell you a good deal about their own agenda.
We live in an always-on, digital world. Information is at our fingertips. Mobile devices are pervasive.
Interactive websites, allowing users to comment on posts, and social networking are de rigueur. All these things encourage us to consume—and share—information continuously and often without regard for the consequences. Criminals are increasingly using this information, often detailed about personal lives, to their advantage in social engineering exploits that specifically target individuals and that attempt to exploit the trust that they have in the technology, applications and websites that they use.
In recent years, consumers have flocked to file sharing sites that allow them to upload and share very large files such as photos and videos with friends and family. Seeing just how convenient such sites are, many users are increasingly adopting their use for business purposes as well, using them to upload information so that it’s available to them from any device that they wish to use, wherever they are. It has been recognized for some time that this creates security risks for organizations regarding sensitive data being placed on file sharing sites that are outside of the control of the IT department—often without their knowledge. Bloor Research has recently published research that discusses the problems surrounding unsanctioned use of file sharing sites in organizations and that provides pointers as to what organizations can do to provide employees with the convenience and flexibility they demand, but in a way that safeguards sensitive information and shields them from the perils of data loss.
But a relatively new problem with the use of file sharing sites is currently in the news. Criminals are turning to the use of such sites for hosting and spreading malware and viruses. In one such campaign, the Dropbox file sharing service has been targeted, with an estimated 500,000 users affected. In this case, ransomware was distributed, with attackers demanding users pay a ransom to have their files, which have been encrypted and are hence unusable, returned to them. It’s believed the attackers have so far netted $62,000 from this campaign alone.
Such attacks have been known about for some five years or so, but appear to be increasingly common. Just this month, an emerging practice came to light in terms of using file sharing sites for high-value, low-volume attacks against high-profile, lucrative industries that include banking, oil, television and jewelry businesses. Discovered by Cisco, these attacks are attributed to a group calling itself the “String of Paerls” group, which has been flying under the radar of security researchers since 2007, constantly changing their tactics to avoid detection.
These attacks highlight the problems many organizations are facing with the use of consumer-oriented services. Many organizations are still grappling with the issue of controlling the deluge of personally owned devices that are connecting to their networks—often outside of the purview of the IT department—as well as the use of cloud-based services by individuals or particular business units, many of which are not officially sanctioned by the organization. Now there is further evidence that they must add control of consumer-oriented file sharing services into the mix—not just to guard against the loss of sensitive information, but to prevent them being used as another vector for attacking the organization.
There are options available to IT that allow them to offer the same levels of convenience to users, but in a way that can bring back control over who is sharing what and with whom. Some of these options are discussed in the research published by Bloor Research referenced above. Centralized control and high levels of security are paramount. They must also be as easy to use as the consumer-oriented services employees are already used to if they are to gain widespread acceptance.
Today’s generation of consumers and employees demand convenience and the freedom to work as they wish. But that convenience brings many dangers to organizations if they cannot control where sensitive information is being posted or transferred, and who is accessing it, or guard against the dangers employees might be exposing the organization to through the use of unsanctioned services. There is a fine line to tread between ensuring employees are satisfied and productive, and guarding the organization from malicious exploits and data loss that could dent their revenues, brand and reputation.
London was again the venue for the 18th Infosecurity Europe conference last week. Along with over 100 other exhibitors, it was a busy three days for Mimecast - security workshops (summarized in our blog post last week), talking to crowds attracted to our eye-catching stand and some great conversations with media, customers and prospects.
As expected at the premier security event, security was hotly discussed with topics such as mobile security, cyber warfare, threat detection and prevention reoccurring themes.
Given security is a vital part of our offering, we’re most interested in the evolution of the security landscape and how it impacts communication technology in business. From this viewpoint, we noticed a clear point emerging from the conversations this year – we’re entering a new chapter in the maturation of how businesses consider cloud services.
Gone are the days of businesses questioning whether their data is safer in the cloud; now the focus is on issues such as whether a vendor truly believes in industry standards – for instance, there is an increasing expectation that vendors will be accredited against third party standards, e.g. ISO 27001, and participate in transparency initiatives such as the CSA STAR registry.
In addition, IT teams are becoming increasingly sophisticated in testing whether vendors can stand by their SLAs. On this subject, one of our customers, Paul Dryden, invoked a vivid example in one of our workshops about how he evaluates cloud vendors – during a tour of the data centre he spontaneously asks the vendor to cut the power to see how the system reacts. Apparently, only one vendor has managed to perform the immediate simulated power cut for Paul, and while this is one of the most extreme examples, we’ve encountered other customers and prospects that have indicated that they’re testing the SLAs of cloud vendors more rigorously.
With increasing pressure to comply with industry standards and more demanding tests around the strength and depth of their service, cloud vendors seem to be at a crossroads. Those services which have the scale and rigour to meet these growing expectations can look forward to growing recurring revenue, while the others will find themselves outside of the commercial conversation.
It’s possible that we’ll look back at 2013 as the year that there was a shake-out of the cloud service vendors, with security one of the key drivers for this change.
Spring finally arrived and ironically, the sun was shining in London at Infosecurity Europe with no clouds to be seen. The good news for us was this didn’t deter people from joining our Chief Scientist Nathaniel Borenstein and Technical Evangelist, Orlando Scott-Cowley to talk about the cloud. The session was so well received, we thought it’d be useful to summarize the content of the presentation (below):
They started by agreeing what the cloud is and what it means for security. There’s the public cloud (fully open and accessible), which many vendors use for customers’ data; the private cloud (closed), which serves private, business-sensitive uses; and the hybrid cloud, which combines features of both. Each allows you different levels of control and security.
“There’s plenty of cloud washing going on with many vendors claiming things to be in the cloud that aren’t.” -- Orlando Scott-Cowley
The Cloud is now accepted as being more secure than your own network.
Putting your data in the cloud does give you an opportunity for better security, as cloud vendors’ security is usually a core part of their business. They’ll have more security and cloud expertise available to them, and are strongly motivated to do a great job – developing a reputation for poor security would likely destroy them. Generally, reputable cloud vendors have the resources to keep up to date with advances in technology and are highly motivated to do a good job and continue innovating.
But it’s also fair to say that cloud providers are bigger targets for attack. So a good place to start your assessment is taking a look at the vendor’s security reputation. If they've been around for a while (Mimecast has been here for over 10 years BTW) and you haven’t found any horrifying stories then as Nathaniel said they’re “…likely to be good at cloud security. Cloud vendors live or die by their security. The trick is really knowing whether or not a particular vendor is good at it”. Good cloud vendors are deeply committed to security and very open to talking about it.
So once you know you want a cloud how do you assess a vendor – what questions do you need to ask about them?
Talk to them about security standards. ISO 27001 accreditation is important. But assessing the scope of their compliance is vital – ensure the scope of the accreditation includes the production systems that process customer data, rather than unrelated systems like internal HR or billing platforms.
Also, the workshop discussed the CSA STAR registry from Cloud Security Alliance which allows customers to see detail on participating vendors’ activities and procedures, helping you to compare and evaluate how they protect your data.
Willingness to be open about security standards is an important test for vendors. If they’re happy to share this they have nothing to hide. (Of course, there are certain kinds of data that they don’t disclose because it would be a security leak to do so; passwords are just the most obvious example of this class of information.)
Where is my data?
Some customers also need to know where their data is housed and under what jurisdiction it sits. Assess what this means for your business. If this matters to you, then the cloud vendor should be willing to discuss this with you. This is not just a matter of legal concerns. Think also about connectivity – businesses in areas with poor Internet connectivity will often be much better off accessing servers that are nearby.
Will you get the service you want if the data is located somewhere you can’t guarantee the network performance you need? What continuity plans does the vendor have in place to keep their performance guarantees? It’s always acceptable to ask questions about the service – a good vendor will say ‘yes’ to allowing you to test the reliability of their service too. (However, if they’ve already been tested by several independent auditors that you’re inclined to trust, it’s not necessary that you burden them by repeating the tests.)
What do you take to the cloud?
When you have a service or application that is commoditized, it’s well suited to benefiting from the cloud. There’s also a whole set of apps, such as data mining or analytics, that largely can’t exist outside the cloud – they’re made possible by the characteristics of processing data aggregated in the cloud. With older apps and services hybrid systems are often a good option – ask, ‘can you get the benefits of the cloud without going fully to the cloud?’
Nathaniel then laid out a list of questions customers should get answers to from all vendors – the questions that vendors “dread being asked.” The questions were:
- How do you manage your cryptographic keys?
- How do you handle change control in your software?
- How do you handle patches to your OS and other key software?
- How do you encrypt all client data at rest? Do you guarantee its integrity? What is my role in keeping it safe?
- Are your development and operational platforms well separated?
- What access do your administrators have to customer data?
- What are BCPs on matters like testing, documentation etc?
- How redundant is your data and how do you prevent/recover from outages?
- Do your employees have constrained, granular roles that are easily configured?
- How do you manage security incidents? What is logged? How long is it retained?
- Who are your third party security auditors?
- Do you do regular penetration testing and vulnerability scanning?
- Is your platform and business ISO 27001 accredited? If not, why not?
By the end of the session, it was clear both that there’s a strong appetite for this kind of help in assessing cloud vendors, and that there are even more questions that belong on the list.
Watch this space for more on this as we will explore the questions in a future post.
If we’ve missed out a great question that worked for you we’d love to hear it – post the question here or email Orlando at firstname.lastname@example.org.