The latest Dropbox hack revelations got me thinking about cloud security access
It’s time that cloud security access is properly addressed. As the move toward cloud gathers momentum, more fears about security are inhibiting the use of public cloud services by some organizations.
The 2012 hack of online storage provider Dropbox Inc. has been revealed to be much larger than previously disclosed, with the details of some 68 million account holders finding their way online. A selection of files that were being traded on a “database trading community” (likely on the dark web) was examined and found to contain email addresses and hashed passwords for 68,680,741 Dropbox users.
When the hack first became public Dropbox stated, “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.” At the time the company blamed the hack on an employee’s password being obtained and apologized for the massive failure of internal security.
The biggest threat with employees using file sharing programs like Dropbox is that once an account is compromised, it can be used as an attack vector for delivering malicious links into a network. Although an email would look as if it came from someone the employee knows, its payload could be malware or ransomware with the potential to take down an organization’s entire system.
Some say that concerns about cloud access security have become counterproductive, and are distracting CIOs and CISOs from establishing the organizational, security and governance processes that prevent cloud security access and compliance mistakes. In fact, Gartner predicts that, through 2020, 95% of cloud access security failures will be the customer’s fault.
The belief that cloud providers are entirely responsible for cloud access security means that many enterprises are failing to address how their employees use external applications, leaving them free to share huge amounts of often-inappropriate data with other employees, external parties and sometimes the entire Internet.
Virtually all public cloud use is within services that are highly resistant to attack and, in the majority of circumstances, represent a more secure starting point than traditional in-house implementations. Only a very small percentage of the security incidents that have affected enterprises using the cloud have been due to vulnerabilities on the part of the cloud provider.
“The cloud business model provides huge market incentives for cloud service providers to place a higher priority on security than is typical for end-user organizations,” explained Mr. Heiser, Research VP at Gartner. “Cloud service providers can afford to hire experienced system and vulnerability managers, and their economies of scale make it practical to provide around-the-clock security monitoring and response.”
Organizations should not, however, assume that using a cloud service means that whatever they do within that cloud will be secure. The characteristics of the parts of the cloud stack under customer control can make it easy for inexperienced users to adopt poor cloud practices, which can lead to widespread cloud access security or compliance failures.
Organizations that don’t take a strategic approach to the secure use of cloud computing could find themselves in an insecure, inflexible or uncompetitive situation.
In 2016 alone, over 50% of all data created by organizations is, or will be, stored in the cloud in some form. It’s the new frontier for nation states and other cyber criminals targeting consolidated “data farms” like Dropbox. From a hacker’s view, it’s like opening up a “Cracker Jack” box and dumping out the popcorn to get the prize, only in this case multiplied by about 70 million! Cloud is quickly becoming one-stop hacker shopping, given the interdependencies of mobile platforms, app-driven accessibility, and cross-functional “As-A-Service” enterprise and consumer functions.
Users are advised to change their Dropbox passwords if they have not done so already…