May 1, 2019

Security researchers have found yet another unprotected online database, this time exposing more than 80 million US households to identity theft and fraud.

Available for anyone in the internet to peruse, the 24GB database is hosted on a Microsoft cloud server and contains a trove of personal info that could be invaluable to fraudsters: full names, age, marital status, income, birthdate, street addresses, and the number of people living at a residence.

Amazingly, the researchers at Israeli tech ratings service vpnMentor haven’t been able to identify the owner and have made a public appeal to find them. They do think it’s likely a firm in insurance or healthcare, as each record includes a ‘member code’ and a ‘score’ beside each entry.

That doesn’t inspire much confidence in two industries already under the spotlight for holding sensitive personal data securely. But the real problem may not be sector-specific. Perhaps the issue is how securely data is stored ‘in the cloud’, e.g. in software hosted in factory-sized, 200-acre data centres that are accessed by end users via the internet.

How safe is the cloud?

On paper, a reliable cloud services provider should be as secure as an expensive on-premise corporate data centre with the latest cyber defences – and some say even more secure.

Concerns about hackability held back adoption of cloud services in the beginning, so vendors touting the hosted model for software had to get their collective act together to convince businesses to leave their dedicated data centres behind.

That’s resulted in significant investment to make cloud systems more bulletproof. According to Deloitte, cloud vendors devote as much as 75 percent of their collective R&D spend on improving security systems, with a parallel cloud security tech industry growing up as a result.

That new group of companies is taking full advantage of artificial intelligence to make cyber technology smarter. Intelligent automation has arguably given cloud the upper hand compared to IT systems hosted on-premise.

The security benefits of the cloud tend to break down three ways:

  • Encryption, AI, and strong passwords: Provided credentials are protected, only the account holder should be able access their files, which are stored on hard drives in remote, physically secure data centres. The internet connection used to access files is typically secured as well so that hackers can’t eavesdrop.
  • File sharing is safer: If you want to give other people access to a file, you send them a permission that is tracked and controlled. There is no need to make a second copy of a file, email it as an attachment, or handover a memory stick.
  • Even your backup has a backup: Cloud services often store at least three copies of each piece of data, and in different locations. All three copies would need to disappear simultaneously from three separate locations in order to lose the data.

So much safer now?

In cyber terms, Cloud may have become a victim of its own success. As adoption grows, so does concern about security. While larger companies migrate entire IT infrastructures over to cloud providers like Amazon Web Services and Microsoft Azure, organisations of all sizes have been increasing their use of services like Google Drive, Dropbox, and Microsoft OneDrive.

Data stored in the cloud has strong protections, but as the latest find demonstrates – someone has to actually flick the switch in order to turn those protections on. And there are other basic issues:

  • If your password is cracked, anyone holding it can access your files
  • Local copies of data held on your machine can still be infected with malware. If your machine is set to automatically upload files to Dropbox, it can overwrite the cloud version with the corrupted local version.

And cloud breaches are hardly new.

Along with this week’s discovery, earlier this year an email marketing firm left 809 million email addresses and passwords in another unprotected cloud database.

Marriott Starwood hotels suffered one of the biggest cloud breaches in history last year when hackers worked out an easily guessable password for Starwood’s ServiceNow cloud computing platform. It was possible to access guest financial records, IT security controls, and personal information including passport numbers.

Popular app Timehop revealed a security breach of its cloud database that exposed names and emails of 21 million users — basically its entire user base.

Along with straightforward access to user data, Hacking into a cloud service can also provide a vector for supply chain attacks, sneaking malware into the data uploaded to make cloud copies of local files.

And of course our most popular social media platforms are cloud services by their very nature. Facebook’s cascading series of breaches and un-monitored data shares alone should instill a healthy skepticism about the security claims of cloud providers.

Secure the cloud by empowering your people

What’s seems to be common in all these breaches isn’t bad security, but bad decisions. Weak passwords, encryption switched off, simple password/userid requirements, or a complete failure to protect user databases at all.

In the end, the cloud is likely as safe as the people who use it allow it to be. There is a human element in cyber that can either make an organisation’s security posture weaker – or stronger.

At home or at work, the strength of cybersecurity defences often depends on how empowered people are with security awareness. If employees can be trained to understand the weaknesses in cloud security, and sustain their level of awareness, the risk of cloud breach can be reduced.

Harvard Business Review has said that better training is the best cyber security investment a business can make. In the cloud or in the office, empowering your people is the best way to minimise cybersecurity risk.

Share this: