How Secure Is the Cloud, Really?
securenvoy, 10/09/2012
About two thirds of organizations moving data to the cloud have little or no knowledge about what measures their providers have put in place to protect data, a recent survey found.
It was observed, however: "Whether your data is on your own servers or in the cloud, it is still your data, and ensuring its security is ultimately your responsibility."
The hack attack on journalist Mat Honan underscored some of the weak points infiltrators can use to slip past cloud systems' security. Those insecurities can affect companies as well as individuals. About 39 percent of the businesses that responded to a recent Ponemon survey said moving to the cloud has negatively affected the security of their organizations.
Cloud security skeptics were given yet another reason to doubt the fortitude of online storage when the strange tale of Mat Honan emerged earlier this month. Through the clever use of social engineering, a hacker was able to wreak havoc on the journalist's digital life!
Apparently, the hacker talked Amazon tech support into providing the last four digits of Honan's credit card number. This information was then used to fool Apple into thinking the hacker was Honan and issuing a temporary password for Honan's email account.
The hacker used this information to ultimately delete Honan's Gmail account, permanently reset his AppleID and Twitter passwords, and remotely wipe his iPhone, iPad and MacBook.
Apple and Amazon closed the specific security holes that enabled this attack after news of Honan's problem hit the headlines. But the question remains: How secure is information in the cloud, really?
Hey! You! Come Onto the Cloud!
More than 80 percent of 4,000 business and IT managers worldwide, surveyed by the Ponemon Institute, are transferring, or plan to transfer, sensitive or confidential data into the cloud.
Nearly half of the respondents' organizations already do so, and another one-third of respondents' organizations are very likely to transfer sensitive or confidential data to the cloud within the next two years.
Evil Is Always Possible
Moving to the cloud has negatively affected the security of their organizations, 39 percent of the respondents surveyed said.
About two thirds of organizations moving their sensitive data to the cloud believe their service providers are primarily responsible for protecting that data. Also, about two thirds of organizations moving data to the cloud, though not necessarily the same organizations, have little or no knowledge about what measures their providers have put in place to protect data, the survey found.
About half the respondents said their organization applies persistent encryption to data before transferring it to the cloud, and the other half rely on encryption applied within the cloud environment.
However, "Whether your data is on your own servers or in the cloud, it is still your data, and ensuring its security is ultimately your responsibility," Richard Wang, manager of Sophos Labs US, told TechNewsWorld.
Organizations moving to the cloud should continue to look at misconfigured systems, default passwords, shared accounts and other problems that have always plagued IT.
Safety Is an Illusion
The employee endpoint is "the Achilles heel [of cloud security]". In the cloud, that endpoint would be the support representative. When users call in saying they forgot their password or don't remember the answers to their security questions, for example, the cloud service "is left with the options of either assisting the user or telling them that they can no longer access their data," Sophos Labs' Wang said.
"The latter option is rather unpopular with customers, so cloud services generally need to have some flexibility, which leaves the door open for social engineering."
The conclusion that companies arrive at is that two-factor authentication is the absolute method by which to authenticate the end user. Furthermore, in this instance, the use of stronger authentication, particularly for unlocking forgotten passwords, is the easiest method of bringing better control to the user. SecurEnvoy invented a product for this (referred to as SecurPassword), which has an ROI of less than 6 months!