After the recent well-publicized theft of celebrities’ private data from iCloud, many business decision makers are thinking hard about how much they can trust the cloud. I’m not going to discuss the more salacious details of the iCloud breach here; there’s been enough of that elsewhere, but I do want to address the issue of cloud security in general and consider the questions that businesses should be asking cloud vendors before entrusting them with data.
What does the iCloud breach tell us about cloud security?
There are two things to consider here. The first is the way in which the data was stolen, and the second is a vulnerability that occurred around the same time but was not the cause of that breach.
The iCloud data theft was not particularly high-tech, it relied on social engineering, brute-force, and poor password management by the users in question. Which is not to blame the victims: user behavior should be taken into account when cloud systems are designed. The weakness was in how iCloud handles user verification. Apple has to walk a fine line between security and convenience, and as a result their authentication protocols were weak. The first security question potential cloud clients should ask their vendor is about their authentication protocols and user verification because if a cloud account is hacked, this will be the likely vector.
The second vulnerability was due to a simple development error. Part of the API wasn’t properly rate limited so, in theory, malicious parties could repeatedly attempt to authenticate using that API, trying thousands of username and password combinations in an attempt to brute-force valid credentials. A proof-of-concept called iBrute was created to exploit the vulnerability, but Apple quickly fixed the problem and there’s no evidence that any data was stolen using this method.
The iBrute issue is one that could happen to any vendor. Apple’s among the best in the business, but they’re not perfect, and nor is any other development team. What’s important is not so much that vulnerabilities in services occur, but that they’re dealt with swiftly and transparently when they do. Of course, if a cloud vendor has a reputation for sloppy coding and inadequate testing, then clients should steer clear.
It’s important to note that neither of these vulnerabilities are specifically cloud issues. Bad coding and poor authentication practices can make any service vulnerable, whether its hosted in the public cloud or within a company’s private data center.
What else do cloud clients need to ask about?
The cloud is not a magical realm divorced from the reality of networking and information technology. The same principles apply in the cloud that apply everywhere else: there must be strict separation between networks internal to the cloud and the open Internet. Ask your cloud vendor about the firewall systems they have in place.
In an ideal world we could think of the cloud as simply a source of compute and storage without having to worry about the underlying hardware and its location. But in the real world, different jurisdictions have radically different privacy and security laws and different standards for allowing access to third-parties like government agencies. Companies need to be sure where their data is being held so that they can implement processes to take local laws into account.
There’s little point having an incredibly secure cloud platform if authentication credentials can be snatched from the air by anyone with a WiFi connection. Providing VPN access and SSL encrypted connections ensures that communication between cloud services and clients cannot be snooped on.
Finally, there’s no replacement for educating users about security. If users fail to manage their credentials securely, then even the smartest security systems aren’t going to help. As the old saying goes, frequently, the error occurs between the chair and the keyboard.
The security of a network has very little to do with whether it’s a “cloud” service or not. In-house networks do no better than cloud networks when it comes to security, and often they do worse. A cloud provider is strongly incentivized to provide strong security because a serious breach will destroy their reputation and their revenue streams. In businesses with in-house networks, different priorities influence security decisions, as we’ve seen with recent breaches like the one at Target. Provided businesses choose their vendor wisely, the cloud is a safe and secure place to keep data.
About John- John Mack is a technical writer for Datarealm, one of the oldest web hosting companies. You can follow Datarealm on Twitter, @datarealm, Like them on Facebook, and check out more of their web hosting articles on their blog, http://www.datarealm.com/blog.