Security In The Cloud Mon 02 Feb 09
Recent High Profile Breaches Highlight Security Flaws That Are Not Just In The Cloud
In the past few months there have been some high profile security breaches involving cloud applications that may give people pause about using the cloud. They got a lot of publicity because of the victims involved.
The first was Vice Presidential candidate Sarah Palin's Yahoo email account being hacked. The second was a hacker gaining control of then President-Elect Barack Obama's Twitter account.
If it can happen to them it can happen to anyone, right? Good reason to stay away from the cloud, isn't it? Well yes, it could happen to anyone. However, if we look at these breaches more closely you can see them happening on your own systems too.
Palin's email was hacked by using the automated password reset function. By answering some questions that in theory only Palin knew the answers to, the hacker was able to reset the password and gain control of her account. The problem is that, as a public person, much of her "secret" information was available to the public.
Password resets are probably the biggest single HelpDesk incident in our companies. Automated password reset systems are therefore especially attractive, and doubly so if we also have Single-Sign-On systems.
Given the familiarity we have with our co-workers, the public information available about executive management, and the personal information we publish on sites such as LinkedIn and Facebook, even the "secret" information of not so public people may be easily found.
The Twitter breach was a true hacking of a password. The account hacked had an easy password that was quickly cracked through a dictionary attack, especially since Twitter did not limit login attempts. Once the hacker had control of the account they realized just how lucky they were: they had control of a Twitter admin account! Once you have admin privileges the world is yours. Fortunately the hacker was more interested in touting his skills than in doing actual damage.
The security weaknesses that allowed these breaches aren't unique to the cloud. You could find them just as easily on the systems you control. They were:
- Automated systems that asked questions for which the answers could easily be found
- A weak password on an admin account
- Allowing unlimited login attempts without locking the account
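The last two flaws are the easiest to close in your own code. The following is an added example, not code from the original post or from Yahoo or Twitter: a small in-memory account store that refuses passwords found in a (constructed, deliberately short) dictionary when they are set, and locks an account after a fixed number of failed logins so a dictionary attack cannot simply keep guessing. The deny-list, the threshold of 5 failures and the 15 minute lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a real password dictionary (the lists attackers try first).
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "admin"}

MAX_FAILURES = 5           # failed logins allowed before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts (assumed)
PBKDF2_ROUNDS = 100_000    # slows offline guessing if the hashes ever leak


class AccountStore:
    """Rejects dictionary passwords at set time and locks an account after
    MAX_FAILURES bad logins. `clock` is injectable so the lockout window can
    be exercised in a test without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}  # user -> {"salt", "hash", "failures", "locked_until"}

    def set_password(self, user, password):
        # Refuse anything short or on the deny-list: this is the Twitter admin flaw.
        if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[user] = {"salt": salt, "hash": digest,
                                "failures": 0, "locked_until": 0.0}
        return True

    def is_locked(self, user):
        acct = self._accounts.get(user)
        return acct is not None and self._clock() < acct["locked_until"]

    def login(self, user, password):
        acct = self._accounts.get(user)
        if acct is None or self.is_locked(user):
            return False  # unknown user or locked account: no password check at all
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0  # successful login resets the counter
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            # Lock the account; even the correct password is refused until it expires.
            acct["locked_until"] = self._clock() + LOCKOUT_SECONDS
            acct["failures"] = 0
        return False
```

A locked account should also generate a HelpDesk or monitoring event, since a burst of lockouts across many accounts is the visible signature of exactly the guessing that hit Twitter.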
Each of these flaws is a very basic item, and yet they were allowed to occur. In dealing with system security there are 3 things everyone always wants:
- Low cost to set up and maintain
- Easy to use
- Secure
The problem with security is that when you actually set it up you can only pick two of the three. Any two, but only two; the third is sacrificed. What you actually do is try to strike a workable balance between the three. Obviously Yahoo and Twitter favored low cost and ease of use too heavily, thereby jeopardizing security.
We do need to be concerned about security with our cloud applications. When deciding on using a cloud application you should review the security provisions just as closely as you do the features, functionality and costs of the application. Don't be misled by the hype into thinking our own internal operations are inherently safer than the cloud. As these examples show, it only takes a little laxity in the security setup to leave us vulnerable, whether it is in the cloud or in our internal operations.
How do you balance security, cost and ease of use? Please leave a comment.
"Lock" photo by AMagill