
Security In The Cloud Mon 02 Feb 09

Recent High-Profile Breaches Highlight Security Flaws That Are Not Just In The Cloud

In the past few months there have been some high-profile security breaches involving cloud applications that may give people pause about using the cloud.  These got a lot of publicity because of the victims involved.

The first was Vice Presidential candidate Sarah Palin's Yahoo email account being hacked.  The second was a hacker gaining control of then President-Elect Barack Obama's Twitter account.

If it can happen to them it can happen to anyone, right?  Good reason to stay away from the cloud, isn't it?  Well yes, it could happen to anyone.  However, if we look at these more closely you can see it happening on your own systems too.

Palin's email was hacked using the automated password reset function. By answering some questions that in theory only Palin knew the answers to, the hacker was able to reset the password and gain control of her account.  The problem is that, as she is a public person, much of the "secret" information was available to the public.

Password resets are probably the biggest single HelpDesk incident in our companies.  Automated password reset systems are therefore especially attractive, and doubly so if we also have Single-Sign-On systems.

Given the familiarity we have with our co-workers, the public information available about the executive management, and the personal information we publish on sites such as LinkedIn and Facebook, even the "secret" information of not-so-public people may be easily found.

The Twitter breach was a true hacking of a password.  The account hacked had an easy password that was easily cracked through a dictionary attack, especially since they did not limit login attempts.  Once the hacker had control of the account they realized just how lucky they were.  They had control of a Twitter admin account!  Once you have admin privileges the world is yours.  Fortunately the hacker was more interested in touting his skills than in doing actual damage.

The security weaknesses that allowed these breaches aren't unique to the cloud.  You could find them just as easily on the systems you control.  They were:

  • Automated systems that asked questions for which the answers could easily be found
  • Weak password on an admin account
  • Allowing unlimited login attempts without locking the system
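
The second and third weaknesses can be closed with a small amount of server-side logic. The following Python is an added example, not code from the original post or from Yahoo or Twitter; the names `LoginThrottle`, `is_weak_password` and `guesses_evaluated`, the thresholds and the tiny password list are assumptions constructed for illustration.

```python
import time

# Constructed stand-in for a real common-password wordlist (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}

def is_weak_password(password, min_length=12):
    """True if the password is short or appears in the dictionary."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS

class LoginThrottle:
    """Locks an account after max_failures bad logins inside `window` seconds."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self._failures = {}      # account -> timestamps of recent failures
        self._locked_until = {}  # account -> time the lock expires

    def attempt(self, account, password_ok):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if now < self._locked_until.get(account, float("-inf")):
            return "locked"  # result is ignored while locked, so guessing yields no signal
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures.pop(account, None)
        return "denied"

def guesses_evaluated(throttle, account, real_password, wordlist):
    """Replay a wordlist against the throttle; returns (guesses checked, account taken)."""
    checked = 0
    for guess in wordlist:
        result = throttle.attempt(account, guess == real_password)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            return checked, True
    return checked, False
```

A lockout also blocks the legitimate owner until it expires, so the thresholds trade some ease of use for security.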

Each of these flaws is very basic, and yet they were allowed to occur.  In dealing with system security there are 3 things everyone always wants:

  1. Tight security
  2. Low cost to setup and maintain
  3. Easy to use

The problem with security is that when you actually set it up you can only pick two of the three.  Any two, but only two; the third is sacrificed.  What you actually do is try to strike a workable balance between the three.  Obviously Yahoo and Twitter favored low cost and ease of use too heavily, thereby jeopardizing security.

We do need to be concerned about security with our cloud applications.  When deciding on using a cloud application you should review the security provisions just as closely as you do the features, functionality and costs of the application.  Don't get misled by the hype into thinking our own internal operations are inherently safer than the cloud.  As these examples show, it only takes a little laxity in the security setup to leave us vulnerable, whether it is in the cloud or our internal operations.

How do you balance security, cost and ease of use?  Please leave a comment. 

"Lock" photo by AMagill

Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.


This is the personal blog of Michael W. Schaffner. The opinions expressed in this blog are solely mine and those of commenters. You should not infer that these opinions are the opinion of or have been endorsed by any current or former employer.



Copyright © 2006, 2007, 2008, 2009 Michael W. Schaffner. You may copy or quote sections of this blog if you provide an attribution consisting of a reference to Michael Schaffner and "Beyond Blinking Lights and Acronyms" along with a hyperlink (if a web reference) to the blog posting.
