Overconfidence in Cloud Vendors
Think the techies have it all figured out? Truth can be bitter sometimes, and when it comes to security this is always the case. Security professionals often say that no one is safe from cyber attacks, and this includes SaaS vendors. SaaS stands for software as a service; it is often referred to as the “cloud”. SaaS products are used for everything: sales, marketing, operations management, finance, procurement, security, and whatever other business service you can think of.
Companies often fall into a false sense of security when using cloud-based services. The reality is that the “cloud” is just a service on someone else’s server, meaning that if they themselves are not secure, you’re not secure. Some of the largest cloud service vendors in the market today have suffered data breaches and leaked credentials. These include Google, Dropbox, and Amazon.
Businesses should understand that there is always a risk in using any third-party vendor to host your sensitive information, especially if it is information that you use daily for your operations. Businesses seem to have developed a reliance on these cloud services, which even in the last year have been shown to still be vulnerable to threats. For the past decade it seems there has been non-stop praise of the cloud and efforts to convince businesses to shift a part of their whole operation onto the cloud rather than keep it on-premises. Any security concerns about the cloud were downplayed.
However, in December Microsoft released a security intelligence report that detailed a new method by which hackers were turning the cloud against its users. In this method, an attacker compromises a virtual machine (VM) that exists within a cloud. These VMs are then used to compromise more of the public cloud. This could translate into a DDoS attack, remote SSH access, spamming, and port sweeping. In short, by compromising VMs that live in the cloud, attackers weaponize the cloud against itself.
An interesting question is also sometimes brought up about data breaches in the cloud: with the interconnected nature of business right now, who pays for the losses in the event of a data breach? According to Scott Nonaka and Kevin Rubino, the answer is unclear. This is mainly because it depends on the service contract an organization has with a cloud service provider. In a study conducted by Ponemon Institute in 2014, 62% of survey respondents stated they had not vetted their cloud service providers. As stated in the report, “cloud security” is an oxymoron. If other business decisions were handled in this way, there would be too much exposure to risk for a C-suite to handle. The uncertainty over who pays for damages in the event of a data breach makes every investment into the cloud, whether intangible assets or payments, a very risky financial decision.
There are serious legal and technical risks associated with using cloud-based software. Does this mean you should not use the cloud at all? Not necessarily. It depends on how large your budget is: can you afford to be on the cutting edge of cyber security while financing your core operations? Oftentimes it is cheaper to use cloud services, and it provides a greater value in security. However, you should never be overconfident in these services; they still face major threats that could have significant financial consequences. It is important to properly vet your cloud service provider. Otherwise, if there is a major breach that disrupts your operations or causes financial loss, you could be blindsided and unable to recover from such a disruption. Keep risk in mind whenever making any decision on whom you trust with your data.