BreachExchange mailing list archives

Cloud security: We're asking the wrong questions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 10 Sep 2014 19:45:31 -0600

http://www.infoworld.com/d/security/cloud-security-were-asking-the-wrong-questions-250089

In the wake of the celebrity photo breach, the media is humming with
stories disparaging the safety of the cloud. Many longtime cloud critics
are crowing, "I told you so!" and waiting for the world to go back to
on-premises solutions only.

News flash: 1) the cloud was never touted as being perfectly secure and 2)
the cloud will continue to grow and grow. The number of servers in your
physical environment will shrink over time. Security doesn't sell solutions
-- features and pricing do. Features are cheaper in the cloud.

The cloud vs. you
Let's address the central question: Is the cloud more or less secure than
your on-premises solution?

To get an accurate answer to that question, you'd have to compare your
on-premises solution (the entirety of it, including all your relationships)
to the security offered by a particular cloud vendor. That's hard to do in
real life for a few reasons, led by the fact that most companies don't know
the security reality of their on-premises solutions -- and followed by the
fact that most cloud vendors won't let you do onsite, direct security
auditing of their systems. It's a guessing game.

But in general, in my experience, the biggest cloud vendor services have
pretty good security. That is, they have fairly strong physical security,
patch their servers, use strict firewall controls, use 2FA authentication
for admin access, have hardened configurations and good backups, and
largely do computer security better than most of the on-premises solutions
I've seen.

To tell the truth, in most cases it isn't even close. For example, with a
typical on-premises solution, I have a hard time finding a fully patched
server or a directory without dozens of godlike admins -- both terrible
security practices.

Special vulnerabilities
Clouds, of course, have unique challenges. They have every security issue,
plus more, mainly because cloud providers have to worry about multitenancy,
where the compromise of (or by) one customer can lead to the compromise of
another.

Services and apps offered by cloud providers are typically come one, come
all. Malicious hackers create accounts and start scouring for
vulnerabilities. If they get lucky and find a major one, many accounts may
be in jeopardy. You can argue, however, that the biggest problems are the
unknowns: Clouds are still in their infancy and we're still learning about
cloud-specific security issues.

All that said, I find it hard to impugn the overall security of clouds when
almost every company can be broken into easily. Let me rephrase that: Most
companies are currently, actively compromised.

I've never met a penetration-testing team that didn't easily break into its
target within a couple of days. If penetration-testing teams are being paid
to break in only once every year or two, why wouldn't the bad guys, who are
trying every day, be more successful?

I'm frequently contacted by readers who've not only found out they've been
hit by an advanced persistent threat (APT), but ultimately discover that
the APT has had access for years -- sometimes for nearly a decade. Often,
they discover that other APT exploits also made themselves at home long
ago. This isn't the exception, it's the rule ... if you're looking.

The original cloud: Credit data
Vast reservoirs of critical data have existed far outside your control for
decades, long before the "cloud" nomenclature was invented.

Take credit card information. It goes without saying that you shouldn't
worry about your credit card being stolen from the latest vendor -- like
Home Depot -- because your credit card company (or other service provider
with your financial information) is likely owned by multiple APT groups as
well. Your credit card is probably already compromised.

What's stopping the bad guys from using your credit card/debit card if they
already have it? For one, they have so many credit cards it's hard to use
them all at once. That's why your stolen credit card gets replaced by the
bank every two or three years rather than every year.

The groups that steal or buy credit cards aggregate them in large
databases, then offer them for sale to other people. Your credit card is
likely on multiple criminals' credit card selling lists, for offer to
anyone willing to pay the fee (usually ranging from $2.50 to $50, depending
on the likelihood of it netting revenue for the buyer). The credit card
selling operations have auction boards, satisfaction ratings, shopping
carts, customer support services, and money-back guarantees.

If you want to read about the complexities -- and openness -- of these
criminal enterprises, peruse a few articles on Brian Krebs' website. It's
stunning to behold the maturity and sophistication of these operations.
Some even buy credit card information directly from the credit card rating
agencies! This stuff is organized. It's not merely one bad seed with a
direct link to one credit card rating agency.

State of insecurity
The state of computer security basically defaults to insecurity. I don't
say this to scare anyone. It's been this way for a long, long time. For
now, society accepts this state of insecurity as an inconvenience -- a cost
of doing business.

I can guarantee you, however, that it's going to get worse. I've been asked
the same question for 20 years: "Is computer security going to get better
this year?" I've always replied no, and I've always been right. Sure, we
are finally catching many of the big players, but for everyone we catch,
more move in. It's a big game of Whack-a-Mole.

Yes, the cloud introduces new vulnerabilities, but that's balanced by
better security practices on the part of cloud providers than most
customers can muster on their own. The cloud isn't the problem.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss