Cloud Insecurity

Often, one sees the views of those raising reasoned doubts about cloud security dismissed as fogeyish and cloud-phobic. Of course, it’s a persuasive argument that cloud security is actually a non-issue, since under-investment means that the on-premise infrastructure of many organizations is a less secure environment for their applications than the cloud. The ClimateGate evidence, for example, would have been more difficult to get had it been stored in the cloud. However, as recent large-scale security breaches at giants such as Adobe and LinkedIn prove, cloud security can and will be breached, and probably more frequently as hackers turn their attention to the increasing use of cloud storage for personal and financial information.

So is a concern about cloud security an irrational fear? In short, we have no way of knowing. In the case of almost all the data breaches of the past year, the custodians of the data weren’t aware of the extent of their security weaknesses until their vulnerabilities were exposed by hackers. In some cases, they didn’t even know of the breach until the hackers boasted about it. What if they don’t boast?

Successful intrusions may be infrequent – getting thirty million IDs and passwords is a difficult task, even from leaky on-premise infrastructures – but the consequences are devastating. Finding out the extent of a data breach is hard. The seminal book on the topic of SQL Server forensics remains Kevvie Fowler’s SQL Server Forensic Analysis, which explains in gory detail the tools, processes, data and logs required to identify and collect the various data fragments (artifacts) that will allow reconstruction the activity of the intruder.

If part of all of your infrastructure, platform or software is hosted in the cloud, the situation is even more interesting. How do you plan your response to a security breach? How could you find out what cloud data has been stolen? How do you detect and repair any damage inflicted?

This article alone raises a raft of questions to which you need to know the answers, including:

  • What mechanisms the cloud firm has for logging?
  • If it’s a multitenant cloud, how will they separate your logs from those of other tenants?
  • Will the provider preserve data and hard drives for forensic analysis?

Unless you have solid and satisfactory answers to all these questions, the obvious solution is to ‘scope’ your data very carefully, isolating the proportion that requires regulatory compliance and leaving it on-premise; in other words, a hybrid solution. That would, of course, require you to understand and categorize your data but you do that already, I’m sure?