World Security Report News2017-09-29 07:30:01
In cloud computing, more data loss on the horizon
By now, it's a familiar story: A company puts massive amounts of data on a remote cloud server – then someone finds a way in, gaining access to sensitive business documents or the personal information of millions of people.
It happened to Verizon. It happened to WWE. It happened to the political data company Deep Root Analytics. Most recently it happened to the accounting firm Deloitte, according to a news report that said hackers tapped into the company's email system simply by logging on as an administrator.
And it will keep happening, experts say, especially when companies neglect data security in their eagerness to convert to the cloud.
"They inherently believe they get all these magical properties of security by moving (to the cloud), and it just doesn't happen," said Josh Douglas, Raytheon's chief strategy officer for cyber services.
Cloud computing is an increasingly popular option for businesses. The cloud-services market could generate as much as $236 billion in revenue by the year 2020, according to Forrester Research. The reasons are clear: The cloud cuts the cost of hosting and maintaining on-site servers, it allows employees to work seamlessly from anywhere, and it adjusts to the size of the organization.
But just like any other connection to the internet, it creates ample opportunities for cybercriminals to attack, Douglas said.
"As we tell our clients, cloud computing puts your information on someone else's computer," Douglas said. "So it's vital to protect the cloud exactly as you would your own servers."
The Verizon, WWE and Deep Root Analytics breaches all appear to stem from improper cloud-security settings; media reports on all three incidents said the databases were accessible to anyone who had the URL. In the Deloitte breach, news reports said the attackers signed onto a server that required only a login and password – less protection than many people have on their social media pages.
A common measure known as "two-factor authentication" would require both a login/password combination and another means of verifying identity, such as a fingerprint or PIN code that appears on a secondary device.
"It is a basic part of cyber hygiene, and while it might not have prevented the intrusion altogether, it would have at least slowed the attackers and forced them to use more sophisticated methods," Douglas said.
Douglas said other common mistakes in converting to the cloud include failure to scan old code for vulnerabilities, failure to segregate systems and forgoing "red-teaming," also known as adversary emulation testing, where security consultants play the role of hackers and attempt to breach systems critical to the business.
But data security in the era of cloud computing isn't just about setting things up correctly – it's also about the behavior of employees, said Matt Moynahan, CEO of Forcepoint, a cybersecurity company jointly owned by Raytheon. Using technology to monitor employee activity, identify possible errors and sniff out malicious intent can help reduce risk, he said.
"Regardless of whether organizations are securing data using on-premises or cloud-based technology … organizations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property," Moynahan said.
Even with all the risks cloud computing can present, businesses shouldn't fear conversion to the cloud. Companies often over-correct after cybersecurity problems, with security measures so strict they impede the growth of business. That, Douglas said, is also a mistake.
"If the pendulum swings too far to the right, security puts a standstill to the innovation and technology," he said. "It's important to adopt things like clouds, because that innovation is what helps our society grow."