Digital Edition

SYS-CON.TV
Are the Barbarians at the Gate? By @EFeatherston | @CloudExpo [#Cloud]
Cloud has become the ubiquitous term and so overused that whenever a breach happens, it’s assumed it is a cloud problem

The Cloud, Security and Breaches – Are the Barbarians at the Gate?

Target. Home Depot. Community Health Systems. Nieman Marcus. Their names have been all in the news over the past year, though probably not in a way they would like. All have had very public data breaches affecting anywhere from 350,000 (Nieman Marcus) to 4.5 million (Community Health Systems) customers. Add the recent high-profile celebrity nude photo hacking scandal and cloud security has become the trending topic in all the news and social media. Some of the discussions reminded me of a line from a short-lived TV show called ‘Almost Human' (yes I watched it, and since it was not renewed, apparently I was part of a small group). In the opening sequence of the show was the line ‘technology has forever altered the criminal landscape.' Is that where we are? Are the barbarians at the gate? Will this, or should this, impact decisions about migrating to the cloud?

Cloud: guilt by association
Cloud has become the ubiquitous term and so overused that whenever a breach happens, it's assumed it is a cloud problem. The reality is that out of all the breaches I mentioned earlier, only one of them - the celebrity nude photo scandal - had any connection to cloud technology.  In his recent article Celebrities get phished, cloud gets blamed, David Linthicum makes the point saying that "no matter if it's truly a cloud service or, in most cases, internal systems that are somehow compromised. Because no one in the general media really knows what a ‘cloud' is, it's all a cloud to them." The other breaches I listed were all internal system breaches, with various methods used to accomplish the breach. 11 Steps Attackers Took to Crack Target gives a great detailed description of the process the hackers used to breach Target's systems last year. While the first step sstarted with a simple email phishing campaign, it required a complex set of tasks executed over time to eventually compromise Target's Point of Sale (PoS) systems, which is where the actual breach occurred. None of that had anything to do with the cloud.

No technology negates the need for design and planning
While a majority of the highly public security breaches may not be related to the cloud, that does not mean going to the cloud has no security risks involved. Going to the cloud does not automatically give you the security you may need for your data. Like any other complex systems, the risks must be understood, analyzed and planned for. Mitigation strategies should be put in place, and test plans designed and developed to validate that the security you have put in place is working as expected. In addition, this should not be a ‘once and done' type of planning. Security risks are changing at breakneck speeds in the Social, Mobile, Analytic and Cloud (SMAC) disruptive technology landscape of today. These disruptions have altered the criminal landscape, and while the barbarians may not be literally at the gate, they will always be trying to storm the castle, testing your defenses, trying to find other ways in, and seeking the treasures behind those walls - your data.

No system is ever 100 percent safe
This is not meant to be a doom and gloom prediction, just a reality of networked systems. The only 100 percent secure system is one that has no network connects and that no one has physical access to - obviously that level of protection is not realistic or usable in any way. Going to the cloud can be just as secure (if not more so) than using internal-only systems. Whether in the cloud or not, putting security mechanisms in place is always a delicate balancing act between protection and usability of the system. Everything is a tradeoff. As technologists, it is our responsibility to identify the risks and options available with their inherent tradeoffs, and work with the business to determine the appropriate mechanisms to put in place. Ideally, the two primary goals when designing and testing your security measures should be:

  • Make it so difficult and time-consuming to break through,that those trying will just move on
  • Have mechanisms in place to detect attempts to get through those barriers so that countermeasures can be taken (up to and including taking the system offline if the protection of the data is critical enough)

These always need to be balanced and measured with the business to ensure everyone is making informed decisions based on the business benefits, usability and risk associated with those decisions.

Are the barbarians at the gate?
Yes, they always have been and they always will be. There will always be people out there trying to hack into systems, whether for criminal intent or just because. It doesn't mean we should avoid going to the cloud or avoid providing access to systems that have legitimate business value. It just means we should always do our due diligence, identify the risks, design and plan to deal with those risks, and work in concert with the business so that informed decisions get made and all stakeholders have the appropriate expectations. This process should be constantly in motion and evolving given how quickly technology is moving in the disruptive SMAC landscape we operate in today.

About Ed Featherston
Ed Featherston is VP, Principal Architect at Cloud Technology Partners. He brings 35 years of technology experience in designing, building, and implementing large complex solutions. He has significant expertise in systems integration, Internet/intranet, and cloud technologies. He has delivered projects in various industries, including financial services, pharmacy, government and retail.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1



ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

The explosion of new web/cloud/IoT-based applications and the data they generate are transforming ou...
CI/CD is conceptually straightforward, yet often technically intricate to implement since it require...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple ...
Enterprises are striving to become digital businesses for differentiated innovation and customer-cen...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As au...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't com...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, wi...
The now mainstream platform changes stemming from the first Internet boom brought many changes but d...
DXWorldEXPO LLC announced today that Ed Featherston has been named the "Tech Chair" of "FinTechEXPO ...
Chris Matthieu is the President & CEO of Computes, inc. He brings 30 years of experience in developm...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: D...
Andi Mann, Chief Technology Advocate at Splunk, is an accomplished digital business executive with e...
In this presentation, you will learn first hand what works and what doesn't while architecting and d...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitori...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use ...
If your cloud deployment is on AWS with predictable workloads, Reserved Instances (RIs) can provide ...
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear...
We build IoT infrastructure products - when you have to integrate different devices, different syste...
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling ...