The “Cloud”, considerations for security.

Addressing Cloud Computing Security Issues and Challenges

Addressing cloud computing security issues and challenges is a complex subject.  It all stems from the fact that when you store your files in the cloud, you are storing them on a computer that is owned by someone else.  We will take a look at the security considerations, breaches and outages.

 Security Considerations

People use the cloud to store documents, pictures and videos. In business, employees store spreadsheets, word documents and presentations, many of which contain company confidential or client confidential information.  According to a study from Skyhigh of 18 million users, 21% of files uploaded to cloud providers contain confidential information such as personally identifiable information (PII), protected health information (PHI), payment card data, or intellectual properly and 34% of users have uploaded sensitive data to the cloud. One of the least recognized cloud computing security issues and challenges is that cloud storage holds a treasure trove of information from many users and organizations and is thus a honey pot and high value target for both hackers and national security agencies.

 Breaches

Probably the most publicized cloud computing security issues and challenges is that of the data breach. Google Drive, iCloud and Dropbox have all suffered different forms of data breach.

For example, iCloud was recently breached using a social engineering (or phishing) attack.  This is a vulnerability not from hacking Apple’s defences, but from tricking users into giving up their user name and password credentials through a fake email and/or website.  Once an attacker tricks you into giving up your username and password, they simply take on your identity to access your account.  This is how hackers obtained explicit photos of Jennifer Lawrence from her iCloud account.  It is hard for even the largest of cloud providers to defend against users giving up their credentials.  To mitigate, you can either use a two-factor authentication process or encrypt the data you store in the cloud.  Two factor authentication ranges from answering an additional security question to inputting a randomized PIN from an RSA token, but most people don’t want the inconvenience of an additional security step and think they are safe behind the sophisticated defences of a Tier 1 provider.  Encryption of data requires some degree of technical sophistication that average users lack.

In another example, in 2012, customer email addresses were stolen from a Dropbox employee’s account using credentials breached from hacking another site.  Most people use the same password at multiple sites.  Hackers know this and will go after soft, relatively unprotected targets to get passwords then use those passwords to get information from sophisticated sites that employ the best security.  Likewise, hackers stole the credentials of almost 5 million accounts and published them online forcing Google to ask users to change their passwords.  Most people believe they are safe storing their files with these large companies, but if a hacker tricks you into giving him your credentials or if they steal your credentials from a soft unprotected site, there is not much the cloud provider can do other than offer two-factor authentication.

Here are some headlines I found about big company cloud provider breaches.  You can read them for yourself.

  • “Hackers hold 7 million Dropbox passwords ransom” – CNET
  • ” Dropbox and Box leak files in security through obscurity nightmare” – TechRepublic
  • “Google Drive Found Leaking Private Data” – Collaborista Blog
  • “Google warns Gmail users to change passwords after hacker’s post millions of account details online” – Mirror
  • “Dropbox Password Breach Leads To Mass Security Alert” – Huffington Post
  • “Dropbox confirms security breach” – Information Age
  • ” Jennifer Lawrence, Victoria Justice, Other Celebs Victims of More Leaks, Apple Denies Breach” – BuzzFeed
  • “iCloud leaks of celebrity photos” – Wikipedia
  • “Attackers use Google Drive, Dropbox to breach companies” – Help Net Security
  • “Attackers can access Dropbox, Google Drive, OneDrive files without a user’s password” – ZDNet
  • “Google Drive phishing is back — with obfuscation” – CSO Online
  • “Major cloud services such as Google Drive and Dropbox at risk from ‘man-in-the-cloud’ attack” – V3
  • “How Box.com allowed a complete stranger to delete all my files” – IT World
  • “Dropbox passwords leak: Hundreds of accounts hacked after third-party security breach” – The Independent
 Outages – The Cloud Will Go Down

One of the cloud computing security issues and challenges that affects almost all users are the outages.  True that as the cloud matures, cloud providers become more sophisticated and overall up-time improves, but there will be outages even from the biggest cloud players.  Here are some notable outages over the past 3 years.

Google’s Infrastructure-as-a-Service was down in March 2015 for 45 minutes and February 2015 for 1 hour. In both May and March 2015, Apple’s iCloud was down for 7 hours affecting 200 million users.  That followed an outage in June 2014 of several hours and August 2013 of 11 hours. In January 2015 Verizon took its cloud offline for 40 hours for maintenance.

Dropbox was down for 1 hour in March 2014, 2 days in January 2014, 90 minutes in May 2013 and 16 hours in January 2013.  Google Drive was down 5.5 hours in March 2014, 25 minutes in January 2014, 5 minutes in August 2013, 40 minutes in July 2013 and 17 hours in March 2013.

Microsoft Azure cloud services was down twice in March 2015 for more than 2 hours.  Amazon Web Services was down in for 7 hours in September 2015, as well as 49 minutes in June 2013, 1 hour in August 2013, and 2 hours in September 2013.

Even though adoption of cloud services continues to increase, outages like these are among the factors that hinder their full embrace. These outages are only a small example of what is going on.  A host of other cloud services have also gone down such as Yahoo Mail, VMware, Jive, Microsoft BPOS, Microsoft Exchange, T-Mobile, Adobe Creative Cloud, Joyent, and Microsoft Lync.  Smaller services have outages as well, but because they don’t affect as many people, aren’t tracked the same way.