The blogosphere was atwitter last week with scintillating details about nude selfies and what you should and shouldn’t be doing with your phone. Blame has been assigned all around, from criticizing the exposed celebrities for being entirely too truthful with password reset answers to pointing the fingers at Apple for not doing more to protect data in the cloud.
The reality is that this iCloud attack actually brings up very important considerations on data security, not only for consumers, but for any enterprise that uses the cloud:
• Cloud providers are indemnified when it comes to data breaches – Read the small print in their terms of service. Under the shared responsibility model, a cloud provider is not responsible for the access and usage of cloud applications. This is true for consumer-based cloud applications (SugarSync, iCloud). It’s also true for enterprise cloud applications that store more than your personal pictures: financial data, customer information, and intellectual property. Don’t take my word for it; here are the Cloud Security Alliance guidelines: “When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.”
• End users (including you) are the weakest link – Any application, cloud applications included, is only as secure as the people using it. In this particular case, Apple issued a statement attributing the iCloud incident to “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.” However, even if an enterprise has great password practices, other targeted attacks such as phishing succeed when only one user clicks on a link. Yes, focusing on security education and the dangers of clicking on a link is important, but mistakes are inevitable.
Therefore, in the context of enterprise security, any organization that is subject to a data breach while using a cloud application cannot hold their compromised user or their SaaS provider accountable. But at the same time, they have a responsibility to their customers and shareholders for any damages resulting from this breach. What it really means is that we need to be more vigilant in protecting our data, and be prepared for more innovative cloud security approaches that are usage and data-focused.
It’s All About Usage and Data
Any security system can be defeated – hackers will continue to be innovative, and users will continue to be human. Therefore, any cloud security solution must focus not only on mitigating threats, but on reducing the attack surface by governing appropriate data sharing activities. When it comes to securing cloud applications, here are new principles to consider:
1) Don’t trust your users: Utilize the principles of Zero Trust – “never trust, always verify”. This means monitoring and logging access to these applications and keeping a complete audit trail of user activity, particularly when critical files or folders are being accessed. Focus on the privileged users within your organization, such as executives and IT administrators. Privileged users are the biggest security risk because their access makes it easier for them to do more damage, whether they are intentionally being malicious or their credentials have been stolen. Govern zombie administrator accounts that haven’t been used in several months, and super admins who have more privileges than their job requires.
2) Consider behavioral analysis around usage: When end users are the attack vector and credentials have been phished or passwords have been hijacked, the resulting activity looks like authenticated, normal access to every other security system. This is where advanced heuristics or behavioral analytics come in, and they will become more and more important in securing cloud applications. By understanding user behavior and developing a profile for what’s normal, alerts can be raised on any deviations, for example when terabytes of data are downloaded from a cloud application within a short period of time. Of course, this must go hand in hand with responding to actual security indicators, for example blocking users that are accessing from blacklisted IPs.
3) Mitigation, not just prevention: Yes, security solutions that focus on prevention are important, but in light of the success and volume of attacks today, you should also focus on mitigation. Mitigation techniques lower the severity of the consequence from an attack, equivalent to wearing a hard hat in a construction zone that minimizes the impact of objects falling on your head. In a cloud scenario, mitigation means addressing risky behavior such as oversharing of files publicly, or limiting confidential file access to only managed devices.
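As an added illustration of principles 1) and 2), not code from the original post: the checks below run over a constructed audit log from a hypothetical cloud file-sharing app, flagging a user whose download volume inside a short window blows past a threshold, any access from a blocklisted IP, and admin accounts idle for months. Field layout, thresholds and IP values are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data), one tuple per event:
# (timestamp, user, action, bytes transferred, source IP, role)
EVENTS = [
    ("2014-09-01T09:00:00", "alice", "download", 5_000_000, "10.0.0.5", "user"),
    ("2014-09-01T09:05:00", "alice", "download", 7_000_000, "10.0.0.5", "user"),
    ("2014-09-01T09:06:00", "alice", "download", 900_000_000, "203.0.113.9", "user"),
    ("2014-09-01T09:07:00", "alice", "download", 950_000_000, "203.0.113.9", "user"),
    ("2014-09-01T10:00:00", "bob", "download", 2_000_000, "10.0.0.7", "admin"),
    ("2014-05-01T10:00:00", "carol", "login", 0, "10.0.0.8", "admin"),
]
BLOCKLISTED_IPS = {"203.0.113.9"}  # constructed; documentation address range

def parse(event):
    ts, user, action, nbytes, ip, role = event
    return datetime.fromisoformat(ts), user, action, nbytes, ip, role

def volume_alerts(events, window=timedelta(minutes=10), max_bytes=1_000_000_000):
    """Users whose downloads inside any trailing window exceed max_bytes."""
    per_user = defaultdict(list)
    for ts, user, action, nbytes, _, _ in map(parse, events):
        if action == "download":
            per_user[user].append((ts, nbytes))
    alerts = set()
    for user, downloads in per_user.items():
        downloads.sort()
        start, total = 0, 0
        for ts, nbytes in downloads:
            total += nbytes
            while ts - downloads[start][0] > window:  # drop events outside window
                total -= downloads[start][1]
                start += 1
            if total > max_bytes:
                alerts.add(user)
    return alerts

def blocklist_alerts(events, blocklist=BLOCKLISTED_IPS):
    """(user, ip) pairs for any access originating from a blocklisted IP."""
    return {(u, ip) for _, u, _, _, ip, _ in map(parse, events) if ip in blocklist}

def stale_admins(events, now, max_idle=timedelta(days=90)):
    """Admin accounts with no activity within max_idle ('zombie' accounts)."""
    last_seen = {}
    for ts, user, _, _, _, role in map(parse, events):
        if role == "admin":
            last_seen[user] = max(last_seen.get(user, ts), ts)
    return {u for u, ts in last_seen.items() if now - ts > max_idle}
```

In a real deployment the threshold would be a per-user baseline learned from history rather than a fixed constant, and the same sliding-window logic applies unchanged.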
In summary, there are a number of lessons that enterprises can learn from the iCloud hack; the most important is to develop and adopt a new user- and data-focused “zero trust” mentality. By focusing on securing your critical data and actively mitigating risks, your company is less likely to become another breach in the headlines.