There has been a lot of discussion recently on cloud security, and internet security in general. Much of this has been in response to several large security events, both with cloud resources and general issues where some of the fabric of the internet has been compromised.
The net result is that a massive number of credentials have found their way into the hands of those with malign intent, and some companies have been put out of business by what is clearly some form of organized crime.
Regardless of whether you run your service in your own data centers or in the cloud, several key best practices are mandatory if you wish to stay in business and protect your users.
Many will have seen in the press the attack on Codespaces, whereby, having had their cloud credentials compromised, the company was held to ransom; when they did not yield to the attackers' demands, their assets were destroyed, which put the company out of business. By failing to properly protect its infrastructure, Codespaces ceased to exist as a going concern.
In addition, there have been stories in the press recently regarding Russian hackers compromising billions of passwords. Although ultimately only users can address these password issues, as a service provider there are several things you can do to mitigate the risk associated with these kinds of breaches.
Both of these stories represent a clear and present danger to a business. One represents a direct attack on a company; the other represents a vector for an indirect attack, where malicious use could quickly consume the resources of a business and take it to a state where it ceases to be effective.
The Codespaces incident highlighted the need to protect cloud infrastructure with the same rigor you would apply to physical infrastructure. The company in question failed to protect its infrastructure with reasonable access controls, so that once the attacker had gained access, it was very hard to close the door after the attack had been triggered.
They also failed to implement reasonable backup procedures: their infrastructure backups were all stored with the same cloud provider. A typical backup procedure stores backups at a separate location so that if one location is destroyed, the data is protected. In this situation a single provider should be considered a single site, and as such a separate backup of the data held elsewhere is essential.
Vendors who store users' identity data have a responsibility to protect that data; that much is clear. They also have a responsibility to protect their customers when those customers become victims of a data breach. It is difficult to prevent a breach if it came from an undocumented exploit, but a patching mechanism must be in place that allows issues such as Heartbleed to be addressed in a very timely manner, shutting the door on additional data leakage.
A responsible vendor can implement measures such as multi-factor authentication that will help protect both themselves and their customers when a compromise would be damaging to either. A responsible provider can also force password resets when data leakage is known to have occurred.
Stay tuned on this blog for more on what you can do to protect yourself and your customers on your journey to the cloud.