By Linus Chang, CEO of Scram Software.
IT departments are most often praised for implementing productivity enhancing initiatives without security being top of mind. The rush to the cloud for convenience in sharing and transferring data, for example, has opened the door for data breaches.
As former CIA director Michael Hayden recently said, “We’ve taken things that we at least would keep in a desk drawer or a wallet, sometimes even in a safe, and we’ve decided to put them in our phones or in something called the cloud. And I think we did it indifferent to the dangers we were creating for ourselves by putting our precious information in locations that were not nearly as safe as they were when we kept them in the physical domain.”
Nowadays, people are uploading documents to the cloud, commonly to store offsite backups and to facilitate the sharing of data between parties for improved productivity. However, because it is so convenient to upload data there, security is often forgotten. Sometimes due to misconfiguration, there’s no security at all – allowing public access to data. Other times there’s one level of security, in the form of access level security, and once an attacker is in, they can download huge amounts of data at once. The attack can happen remotely, from a different state or country. We know that on average, 96% of breached data is unencrypted, meaning that the attacker can use the breached data with no further effort.
There is no single silver bullet for securing your data in the cloud. Instead, a multi-layered approach will protect against a wider variety of situations – including active hacking and human error.
The essential steps to take are:
1. Secure your infrastructure.
2. Secure your access to that infrastructure.
3. Secure your data directly using client-side encryption.
To expand on step 3, the safest way to implement encryption is to choose client-side encryption with client-held keys. This means that the keys are held by the owner of the data, and the encryption/decryption is performed on-premise (and not in the cloud). The cloud provider therefore has no way of decrypting the data and serving it to an attacker.
The final procedure for security revolves around backup. If the cloud contains your only copy of important data, you run the risk of suffering permanent data loss, even if you think your cloud provider has been taking backups.
In 2014, SaaS provider Code Spaces and all of Code Spaces’ customers learnt that lesson the hard way. Code Spaces provided source code management tools such as Git to its customers – in effect the company was a “safe haven” and repository of data for its customers, offering what it advertised as a robust cloud service, fully backed up and with the security of being hosted on Amazon AWS.
However, a hacker managed to gain access into Code Spaces’ AWS control panel account, and subsequently started to cause chaos. After a melee with Code Spaces’ engineers and a failed ransom attempt, the hacker proceeded to delete all of Code Spaces’ AWS objects: S3 buckets, EC2 machine instances and all the backups. This led to permanent data loss, and without a local copy of the data, it subsequently put Code Spaces out of business. Worse still, their customers also faced permanent data loss, unless of course they were savvy enough to have kept their own backup of their data instead of relying on Code Spaces.
Ultimately, you are responsible for your own data. If you choose to delegate that responsibility, you will suffer the consequences if your provider gets hacked or otherwise fails to meet their obligations.
The lesson here is clear: Security can no longer be an afterthought when uploading highly confidential information to the cloud, as this will leave the data vulnerable to attack and theft. Thankfully, organisations need not revert to storing information in a locked filing cabinet, but should – instead – implement client-side encryption to optimise data security, while simultaneously harnessing the cloud’s undisputed productivity benefits.