SEMA News—December 2013
By Joe Dysart
Rogue Cloud Use
Vulnerability Awaiting Plunder
Rogue employees working with sensitive company data in public cloud services are regularly wreaking havoc at workplaces, triggering the loss of company secrets, the defacement of company websites and the loss of control over cloud accounts to competitors and hackers.
“Enterprise IT is rapidly losing control of corporate data,” said Andres Rodriguez, CEO of data-storage company Nasuni. “It’s a risky proposition that IT needs to be in front of and not behind.”
Security pros said that the problem is rampant across corporate America, where employees regularly flout company policies against the use of public cloud services such as Dropbox, Google Docs and Microsoft Office 365. The services, which are often very inexpensive and extremely powerful, are very hard to resist for today’s on-the-move employees, who are often juggling an iPhone in one hand, a tablet in the other and lurching for a latte at Starbucks.
But no matter how tempting they may be, public cloud services are inherently insecure, the security pros said. At best, the public cloud offers only “consumer-grade” security—a watered-down version of the “enterprise-grade” security that many corporations must maintain to meet compliance regulations, according to Nimmy Reichenberg, vice president of marketing and business development for computer security firm AlgoSec.
The result? More than 25% of companies and organizations surveyed by computer security firm Symantec said that they had lost control over one or more of their public cloud accounts, saw their websites defaced or experienced the theft of goods or services in 2012 due to security breaches in the public cloud.
Moreover, 40% of the 3,236 organizations surveyed said that they had suffered exposure of confidential company information stored in public cloud accounts, according to a survey entitled “Avoiding the Hidden Costs of the Cloud 2013”. And more than 75% of the organizations surveyed by Symantec said that their employees had shared or stored critical company data in public cloud services.
Other studies are uncovering similar devil-may-care attitudes toward the public cloud. A December 2012 Nasuni report, for example, found that 20% of the 1,300 surveyed management and staff regularly used Dropbox to share and store work-related documents. And more than half of those surveyed did so even though they knew that the practice directly violated policy. In addition, a May study released by NetIQ, an enterprise software firm, found that 70% of IT execs believe that public cloud services pose a serious risk to sensitive company data.
Besides the risk offsite, public cloud use can also result in major security breaches within the walls of a company, according to security pros. Hackers can easily insert malware into the files of a public cloud account that they’ve breached, according to Jacob Williams, principal consultant at CSRgroup Computer Security. Essentially, the malware is downloaded to a company’s network or an employee’s hard drive the next time the public cloud account syncs with the employee’s computer. That often happens the very next time the employee logs into his/her public cloud account after it has been breached.
All that auto-syncing can also create additional risk if an employee is working with multiple devices. For example, subscribers to Apple’s iWork for iCloud—a suite of apps for the creation of documents, presentations and spreadsheets—get auto-syncing of their iCloud data to every Apple device they own, according to Richard Walters, CTO of web application security provider SaaSID. In such scenarios, company IT may not even be aware that company data has been breached, since the data may walk out the door on an employee’s iPhone that has not been secured for use on the company network.
Security pros also worry that unsecured storage of critical company data in the public cloud represents a severe risk when an employee moves to another company or organization—especially with an employee who is unhappy at work and is planning an unannounced departure.
“Specifically, how do you know if malicious insiders are forwarding sensitive information to themselves, where it will remain available even if they’re fired?” asked Dan Ring, director of global communications for computer security firm Sophos.
Not surprisingly, public cloud services—as well as third-party security providers—are the first to counter that they’re on the job and working to make public cloud apps more secure.
“Our goal is to allow the CIOs of the world to say ‘yes’ to Dropbox for the enterprise,” said Chris Holland, chief monk at SafeMonk, an aftermarket security solution for Dropbox. “We recognize that Dropbox’s efficiency and usefulness will only make it more prevalent among the workforce. So making the service more secure through tap-proofing is a better and more realistic option than discouraging or forbidding people from using it.”
But security pros are skeptical. They cite a major security breach at Dropbox in 2012, when scores of IDs and passwords were stolen at other websites and then used—with some success—to break into the Dropbox accounts of the victims.
Moreover, tech lifestyle magazine The Verge exposed a gaping hole in Apple iCloud security this past March. It enabled anyone with access to a user’s e-mail address and birthday—easily available on the web—to reset the password to that user’s account and then gain access to his or her iCloud account. Apple quickly plugged the vulnerability, but one wonders how long the breach-waiting-to-happen would have persisted without a spotlight from a third party.
Someday, the rising concern over the vulnerability of the public cloud may produce security safeguards that rival those found on enterprise-grade networks, but security pros advise businesses to get the word out to employees in the meantime and to bone up on state-of-the-art best practices of working in the cloud. A good place to start is the Cloud Security Alliance’s “Security Guidance for Critical Areas of Focus in Cloud Computing”—one of a slew of cloud security primers in CSA’s research domain.