Misconceptions: Safe in the Cloud

By Chris Williams

A cloud of confusion

“Just put it in the cloud, and it’ll be safe. Right?”

Well, it’s not nearly that simple. While cloud applications are often viewed as a great way to offload security concerns to a third party, that act alone does not necessarily make your data more secure. On the contrary, a poor choice of cloud service provider might instead make your data less secure.

The cloud really isn’t a specific thing or place, nor is it defined by a new or emerging technology. It’s a metaphor and a buzzword at the same time. All “cloud” actually means is that the resource in question is remotely located and Internet-accessible. This definition includes many rather mundane concepts such as offsite data centers, hosted web and/or application servers, as well as web-based email such as Yahoo. Google Docs and Dropbox, which many users take for granted (both in terms of accessibility and security), are located in the cloud.
In summary, if you’re using it, and you or your organization does not support it onsite using your own resources, then it’s probably cloud.

Cloud security characteristics

What characteristics make the cloud more secure than your environment? Scale is most likely one such characteristic, as cloud service providers are typically large enterprises that bring almost immeasurable resources to the table. Unless your organization utilizes all of the latest technologies and techniques to manage threats, supported by an elite stable of IT security professionals, chances are that a malicious attacker will get through your defenses before, for instance, Amazon’s.

Cloud providers also have to meet at least a minimum of security standards to stay in operation, based on whatever laws are pertinent to the service in question. These standards vary greatly, from Federal laws to unenforceable industry recommendations, but they do exist. As a cloud customer, your Service Level Agreement should specify that data security is an integral part of the services being performed; therefore, liability (in the event of a breach) may to some extent fall upon the third party. However, the concept of cyber indemnity is still somewhat of a grey area.

Now, scale can work the other way as well. This is due to two factors. One, cloud data centers hold much more data from a variety of end users when compared to private onsite storage facilities; consequently, the risk/reward ratio leans much more heavily towards the “reward” side as far as hackers are concerned. Two, the fact that large enterprises handle so many customers’ data means they can, for lack of a better way of putting it, generally afford to get hit a couple of times before consequences are felt. Imagine it from a criminal’s perspective: would you rather infiltrate a single company, or get the data from a dozen companies all in one campaign?

Other considerations

There’s also the issue of data-in-transit; many administrators forget about this topic, focusing on the more obvious issue of data-at-rest. But there needs to be a discussion about how your data gets to the cloud (Internet connection), what the ramifications are for supporting that connection, and what might go wrong even if the connection is configured properly.

Suppose your environment is not intended to be connected to the web—it is an enclosed network segment with no publicly visible IP addresses, nor any gateway between that LAN and the outside world. Then, suppose we add a router and a public IP (which is Network Address Translated to a bunch of private IPs)—now, we have Internet access and can access our cloud storage and backup services, but there’s also an additional access point for bad guys that did not exist before. Was that a net security increase, or decrease?

Let’s also suppose that your data is encrypted while in transit, as it should be. Can it be intercepted while traversing public Internet infrastructure? Technically, yes, although the encryption would be hard (not impossible) to break. And, although you could potentially get a VPN from your gateway to the other endpoint, that adds cost and overhead such as key management, while still not achieving 100% security.

The takeaway

As an IT professional, I don’t believe in security through obscurity. However, I also must concede that some cloud providers are extremely attractive to attackers due to the sheer volume of data contained. While I can entertain the thought of navigating this quandary by selecting a less well-known service provider to store my data, at that point am I simply compromising on the advantages of scale and resources that made cloud so compelling to begin with?

Companies that offer cloud services of all types from SaaS to IaaS want to sell you on those services. If “reducing the size of your IT workforce by 70% by switching to cloud” sounds too good to be true, that’s because it is. Similarly, it sounds like a great idea to transfer risk to a third party—until it becomes evident that the scope of risk being transferred is only a small portion of your organization’s true risk expectancy.

Copyright © 2017 ParadoxPrime IA, All rights reserved

Ransomware (& the importance of backups)

By Chris Williams

“A backup is worth a thousand bitcoin.”
While not a literal exchange rate, the above quip does contain some truth with regard to ransomware attacks: if you still have access to your (unencrypted) data, then you don’t have to pay the ransom.

Backup methods (and pitfalls)

Many IT professionals advise scheduling a nightly backup as well as a periodic offsite backup utilizing multiple drives in a rotation, a regularly scheduled cloud backup service, or both. The goal is to maintain multiple versions of the backup so that a “clean” backup isn’t mistakenly overwritten by an infected backup. Versioning is easy in concept, but poor management of physical media can result in errors that undermine the protection backups are supposed to offer.

Example: the Acme Company uses a tape drive for its weekly full backups; there are six tapes that are rotated sequentially, meaning six versions of the backup data should exist at all times. One week, an administrator is supposed to rotate from tape #2 to tape #3, but by mistake he replaces tape #2 with tape #1 and the backup on that tape is subsequently overwritten. If a problem emerges that requires restoring from backup tape #1, the company is now in serious trouble because that data is gone—instead they’ll be forced to use the backup from tape #6 and lose an additional week of data unnecessarily. (Full disclosure: both tape drives and weekly backups are considered archaic, but this scenario illustrates the point well.)
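The rotation mistake above can be caught by checking the inserted media against a catalog before anything is written. The following is an added example, not part of the original article: the catalog layout, function names and dates are assumptions constructed for illustration.

```python
from datetime import date, timedelta

def expected_tape(catalog):
    """The tape holding the oldest backup is the only one safe to overwrite."""
    return min(catalog, key=catalog.get)

def write_backup(catalog, inserted, run_date, enforce=True):
    """Record a backup on the inserted tape; refuse an out-of-order tape."""
    expected = expected_tape(catalog)
    if enforce and inserted != expected:
        raise ValueError(
            f"tape {inserted} inserted, but tape {expected} holds the oldest "
            "backup; refusing to overwrite a newer version")
    updated = dict(catalog)
    updated[inserted] = run_date
    return updated

def largest_gap_days(catalog):
    """Longest stretch between consecutive restore points, in days."""
    points = sorted(catalog.values())
    return max((later - earlier).days
               for earlier, later in zip(points, points[1:]))

def sample_catalog():
    """Constructed catalog: six weekly tapes, tape 2 written most recently."""
    newest = date(2017, 1, 30)
    order = [2, 1, 6, 5, 4, 3]  # newest to oldest, as in the Acme scenario
    return {label: newest - timedelta(weeks=i) for i, label in enumerate(order)}

if __name__ == "__main__":
    catalog = sample_catalog()
    run_date = date(2017, 2, 6)
    print("tape to insert:", expected_tape(catalog))
    try:
        write_backup(catalog, 1, run_date)
    except ValueError as err:
        print("blocked:", err)
    # Without the guard, last week's restore point on tape 1 is destroyed
    # and a two-week hole opens in the history.
    unguarded = write_backup(catalog, 1, run_date, enforce=False)
    print("largest gap after mistake:", largest_gap_days(unguarded), "days")
```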

Many cloud backup solutions automate versioning so that there is no margin for error. Once the solution is configured, each subsequent backup sent to the cloud will be tracked separately so that administrators can restore from virtually any point in time (provided the backups go back that far). As far as commercially available products go, Carbonite seems to be reasonably popular for SOHO users and some medium-sized businesses as well.

Test restore procedures

Test backup and restore procedures periodically. Even if your scheduled backups execute as planned with no errors, there’s plenty of storage left on the media (or cloud), and all looks well, do yourself a favor and test the integrity of the data as frequently as is reasonable. Few things are worse than a false sense of security, and corrupted or unusable backup data is exactly that.

Scenario: Acme Company is infected with ransomware first thing Monday morning. Management decides to restore from Friday’s “known-good” offsite backup—however, due to physical damage to the backup media, the data is corrupt and incomplete (or worse, can’t be restored at all). Once again, the company is forced to rewind an additional week by using the previous backup. This could have been prevented by regular testing, which would have detected the physical media issues.

The takeaway

Ransomware is one of the most pervasive threats facing individuals and organizations today. The best medicine is, of course, prevention. However, the next best defense is to take away the hacker’s leverage—being able to recover your data without paying bitcoin for the decryption key saves money, reduces downtime, and perhaps most importantly doesn’t reward criminals for their behavior. If every user and every business maintained backup data properly, ransomware simply wouldn’t be profitable enough to continue.