Do you leave your keys in the car too?

I heard the sky was falling. Well, at least the cloud was plummeting groundward. And all it took was one tech journalist to get his iCLoud account (and essentially his entire digital footprint) hacked.

“The cloud is just like the Wild Wild West. No rules, no laws, no protection”

“Just can’t trust the cloud.”

I’ve seen those forum posts lately. Even the reigning high priest of computing Steve Wozniak (co-founder of Apple) voiced concern “I really worry about everything going to the cloud. I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”

And now all those doom and gloom predictions are coming to pass…right?

Puh-leez! Let’s take a step away from the hyperbole headlines and look at the issue rationally.

There are a couple reasons why this latest round of Chicken Little prognostications are baseless. Let’s look at the issue with respected journalist Mat Honan.

His issue stemmed from human failure; a gross error in judgment by Apple customer support staff. Someone pretending to be Honan was given access to his iCloud account. The caller was given a new temporary password despite not answering the multi-credential security questions. It is disingenuous to blame the cloud when the true breach lies with the service staff that fell for the oldest social engineering trick. They called; they didn’t follow proper identification protocol, and allowed a password change. It all spiraled from there.

The security flaws, Honan admits, were partially his own fault. But there is plenty of blame to go around.

To this I ask, do you leave your keys in the car too? Any system, any application, any network infrastructure be it on premises or cloud is vulnerable if you leave the back door open.  Using my car analogy, if you go to the mall, park under the brightest lights, know that a $8 per hour guard is trolling around in his golf cart, you might think your car is safe…until you realize you left the keys in the ignition. You’re just asking for trouble. It’s not the car’s fault, just as security failures are not the fault of the cloud. Data, in the end, is stored in a server. And server security is only as good as the protocols, detectors and monitoring allow. The cloud by its designation doesn’t make it any less secure. In most cases, cloud providers go above and beyond industry standards to ensure security outpaces many home built or DoD supercenters locked in the basement with retina scans, voice recognition and Chuck Norris standing guard.

Point being, security is only as good as its process. Whether it is cloud-based, or is created to protect assets in the cloud, if you are not minding the store, candy will get stolen.

Which brings me to the practicality of security managed from the cloud.  Identify Access Management deployed from the cloud includes a powerful password management engine that requires multi-credentialing. More so, it also contains a lock out mechanism that prevents entry if a access is unsuccessfully applied to many time. The self-service portion allows a user to change the password, but before it does, goes through series of unique security questions before it will permit any access modifications. From an administration side an analyst can see who is trying to access dormant or de-provisioned account.  A system can even detect password traffic inconsistencies such as a CEO account inputting incorrect passwords 10 times in a minute at 1 am: This sends out a definite red flag alert. That is part of an integrated, holistic cloud security approach.

But single sign on and identity management are not the domain (pun intended!) of just the cloud. However, the flexibility and manageability of such a deployment has tremendous advantages. Not only do you get enterprise-class, best of breed capability at a fraction of the cost, but the modest cost (based on immediate and scalable business need) does not come from CapX budgets—and therefore ROI is attainable much faster and CFOs are happy with the positive cash flow. And when you include the benefits of security-as-a-service, then companies get to leverage levels of expertise currently not on payroll and redirect and reprioritize resources towards core competencies.

But the cloud is just a harbinger of data leakage…right? Again, if security protocols are followed and security solutions are properly monitored, defined, analyzed and alerted, the likelihood of breach is significantly reduced. It is just as safe as anything on premises. Problem is, not enough companies have the resources to develop the level of security needed—another reason security managed from the cloud not only makes sense, but needs to be how IT departments need to evolve. It not only protects the perceived network perimeter, but all the SaaS applications, legacy and cloud data storage, transactions, customer data, communication and any entry that requires a password.

It doesn’t need to be expensive, but it does need to be holistic. This means it has to look at the all the silos and all the servers of the  enterprise so it can accurately correlate traffic and other activity. A security strategy needs to include intrusion detection, asset management and monitoring, access control and traffic analysis. There are too many bad guys out there and it’s not necessarily the brute force attacks and social engineers you need to be most concerned about. It’s the quiet pernicious ones you don’t see coming. In terms of poor Mr. Honan, there was little that could be done once the Apple techs broke protocol.  I honestly feel for his loss, inconvenience and information violation, but the cloud is not the villain here and is definitely not to blame. In fact, I see cloud-based security as the solution.

Kevin Nikkhoo
Defender of the Cloud!

Tags: , , , , , , , , , , , , , , , , , , ,