Cloud computing: You are probably ignoring the biggest security flaw
Re-using passwords? Not a great idea if you want to stay secure.
There's an ongoing debate about the security implications of using cloud computing services versus running IT systems in-house.
Cloud advocates note that the largest cloud companies will have hundreds, or even thousands, of security staff and the time and money to keep their systems up to date. In contrast, the average enterprise may only have a handful of security staff to cover a wide range of different systems, many of which may be ageing and incapable of being entirely secure. However, some businesses feel more secure holding their critical data themselves rather than trusting it to a cloud company that may spread it across datacenters in different countries.
But however good the systems are, the weak link is always the humans, according to ethical hacker and penetration tester Jamie Woodruff
One of his clients asked him to do a penetration test -- to attempt to access a company's systems in order to evaluate its security.
He identified one of the systems administrators from social media and was then able to find, posted online, passwords connected to that email address from a previous hack. And as the systems administrator had been using the same password for all their online logins -- and hadn't changed it even after one of them had been hacked -- Woodruff was able to use that to get into the employee's cloud service.
"The cloud itself was not vulnerable. I'd scanned it and tested it with tools, it was up to date, but it was the individual that let the security down. There was no two-factor authentication and I was able to gain access to the box and that was the end of my test. The technology is secure, it's wonderful, but the people behind it aren't secure."
Cloud systems are more vulnerable to this sort of attack because they will have a web interface whereas a business with clunky old internal systems that don't have a web interface may be harder to get at -- the concept of security by obscurity.
Woodruff said that disgruntled or lazy employees are potential targets for attackers, who will try to use social engineering rather than hacking to get into systems.
"Imagine you're going through checkout. The assistant says 'they' rather than 'we never have any carrier bags'. They're distancing themselves from the company," he said. "Subliminally she does not want to be there so you can exploit that individual."
Disgruntled people will let the infrastructure down, he warned, speaking at a cloud security event organised by Rackspace.
"Sometimes it's really easy to walk up to someone and find who likes their job and who hates their job. There's always one always," he warned.
There are ways to boost your company's defences against such attacks, he said, like implementing two-factor authentication for logging into systems, or using other security measures where users need physical devices to access. Although, he noted, many companies are often reluctant to do this because the customer or user experience becomes more complicated as a result. Education is the key, he said -- teaching users not to put themselves or their company systems at risk.
Companies are looking at how to make their use of the cloud even more secure, said Brian Kelly, chief security officer at Rackspace. "We've got a couple of clients that have found a way to take their most sensitive data and literally stripe it across a number of cloud providers. Granted, that puts a burden on them for the orchestration of all their data. They have figured out how to do that, and are quite comfortable that if any one of these cloud providers was exposed in any way, they still have a level of resiliency, because you would have to expose two or more cloud providers to actually get to the secret that they're trying to protect."
However, this approach is not without its risks: as Woodruff pointed out, it gives hackers more systems to try to break into. "Let's say we have six or seven deployments. One holds personal information, the other holds 16 digits. The hacker can't use one of those alone. It's great for me, because there are several different entry points."
And hackers are less interested in just grabbing data and more interested in waiting to see if there is a bigger prize.
"It used to be about digital graffiti, and that would be it. Now, you hack a system, you compromise a system, you sit there and you wait, and you don't modify it, because you can get a lot more in the long run. It's not a case of going public anymore; it's a case of what you get out of it."