Compromising cloud security is necessary risk, experts say [Computer News Middle East]
IDG Reporter, Al Bawaba Ltd.
Compromises in security are necessary to make cloud services easy to use for non-technical consumers, experts have said.
The question of the impact of making cloud services consumer friendly arose this week, following the discovery of Apple and Amazon security flaws that enabled hackers to gain access to tech journalist Mat Honan's iCloud account. Once in, they erased all data from his iPhone, iPad and MacBook.
In Honan's case, the hackers didn't use sophisticated tools to break into his account. Instead, they got the information they needed by impersonating him in telephone calls to Apple's and Amazon's tech support.
While Honan fell victim to human error, other high-profile hacks of consumer services over the last three months involved breaking into websites and stealing millions of customer passwords. The businesses that suffered the security breaches included Yahoo, LinkedIn, Dropbox and eHarmony.
So the question becomes, are these sites inherently insecure because they need to be very user friendly? Would having better security, such as two-factor authentication or the enforcement of more hacker-proof passwords, be so inconvenient that it would drive people to competitors?
Many experts say there is a trade-off between security and usability, and a cloud service often has to balance the two, depending on its purpose. If its customers are primarily consumers, then security mechanisms won't be as stringent as those used if the service provider caters only to businesses. Equal security between consumer- and business-focused services is possible, but not likely, Andrew Plato, president and chief technical architect of Anitian Enterprise Security, said.
"Consumers and businesses have very different needs and tolerances to failure," he said in an email. "There are not very many [cloud] apps that have made the jump from consumer to business or vice versa."
Matt Dean, chief operations officer for FireMon, agreed, saying that he often sees corporations make security compromises in Internet-enabled business applications. "They are constantly balancing security with usability, the ability to access this data when and where people need to," Dean said.
J.J. Thompson, chief executive of Rook Consulting, disagreed. While the breach that caused Honan so much misery was very unfortunate, it clearly illustrates a control breakdown and a training issue, he said. The incident alone did not mean cloud services couldn't be adequately secured.
To be protected, a cloud service needs to educate its workforce about security, have processes in place to prevent information from being given out to the wrong person and have properly configured technology to ensure security and privacy. "The symbiotic relationship between people, process and technology and the associated controls must be in harmony to maintain a secure and compliant state, period," Thompson said.
If all three areas are covered, then a cloud environment is more secure than computers maintained by many individuals and businesses, he said.
Beyond the issue of security versus usability, said Colby Clark, director of incident management at FishNet Security, the biggest problem facing businesses in using cloud services in general is the lack of auditability following a breach.
"The cloud computing environment is not conducive to performing after-the-fact forensic investigations to identify if your data has been compromised, how it was compromised, and by whom," Clark said by email. "Moreover, cloud providers are often reluctant to allow forensic investigative tools, especially anything involving memory analysis to be conducted on their systems."
Despite missing important capabilities, cloud services are attracting businesses willing to trade risk for the convenience and lower cost of not having to maintain or manage the applications. In a recent survey of 4,000 businesses and IT managers, the Ponemon Institute found that half had transferred sensitive or confidential data to the cloud, and a third more were very likely to do so in the next two years.
At the same time, 39 percent in the study, commissioned by IT security company Thales, believed cloud adoption had decreased data security and nearly two-thirds did not know what cloud providers were doing to protect data.