Consumer friendliness forces trade-offs in Cloud security

"There are not very many [Cloud] apps that have made the jump from consumer to business or vice versa"

Compromises in security are necessary to make Cloud services easy to use for the average non-technical person, experts say.

The question of what consumer friendliness costs in security arose this week, following the disclosure of weaknesses in Apple's and Amazon's account-recovery processes that enabled hackers to gain access to tech journalist Mat Honan's iCloud account. Once in, the attackers remotely erased all data from his iPhone, iPad and MacBook.

In Honan's case, the hackers didn't use sophisticated tools to break into his account. Instead, they obtained the information they needed by impersonating him in telephone calls to Apple's and Amazon's customer support, where staff accepted the details the callers offered as proof of identity.

While Honan's account fell to social engineering of support staff rather than to a technical exploit, other high-profile hacks of consumer services over the last three months involved breaking into websites and stealing millions of customer passwords. The businesses that suffered those breaches included Yahoo, LinkedIn, Dropbox and eHarmony.

[See also: Business lessons learned in iCloud hack | Mat Honan's cautionary tale, and instructions on how to protect yourself]

So the question becomes: are these sites inherently insecure because they need to be very user friendly? Would stronger security, such as two-factor authentication or enforced password requirements that resist guessing and cracking, be so inconvenient that it would drive people to competitors?

Many experts say there is a trade-off between security and usability, and a Cloud service often has to balance the two depending on its purpose. If its customers are primarily consumers, then its security mechanisms won't be as stringent as those of a service provider that caters only to businesses.

Equal security between consumer- and business-focused services is "possible, but not likely," Andrew Plato, president and chief technical architect of Anitian Enterprise Security, said on Friday.

"Consumers and businesses have very different needs and tolerances to failure," he said in an email. "There are not very many [Cloud] apps that have made the jump from consumer to business or vice versa."

Matt Dean, chief operations officer for FireMon, agreed, saying that he often sees corporations make security compromises in Internet-enabled business applications. "They are constantly balancing security with usability, the ability to access this data when and where people need to," Dean said.

J.J. Thompson, chief executive of Rook Consulting, disagreed. While the breach that caused Honan so much misery was "very unfortunate," it "clearly illustrates a control breakdown and a training issue," he said. The incident alone did not mean Cloud services couldn't be adequately secured.

To be protected, a Cloud service needs to educate its workforce about security, have processes in place to prevent information from being given out to the wrong person and have properly configured technology to ensure security and privacy. "The symbiotic relationship between people, process and technology and the associated controls must be in harmony to maintain a secure and compliant state -- period," Thompson said.

If all three areas are covered, then a Cloud environment is more secure than computers maintained by many individuals and businesses, he said.

Beyond the issue of security versus usability, said Colby Clark, director of incident management at FishNet Security, the biggest problem facing businesses in using Cloud services in general is the lack of auditability following a breach.

"The Cloud computing environment is not conducive to performing after-the-fact forensic investigations to identify if your data has been compromised, how it was compromised, and by whom," Clark said by email. "Moreover, Cloud providers are often reluctant to allow forensic investigative tools, especially anything involving memory analysis to be conducted on their systems."
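Clark's point is that a tenant cannot count on running forensic tools, least of all memory analysis, on a provider's systems after the fact. What a tenant can do is keep its own tamper-evident record of the account-security events that matter in an incident like Honan's: who reset a password, how the caller was verified, and who issued a remote wipe. The following is an added example, not code from any provider in this article, of a hash-chained audit log: each record carries the SHA-256 of the record before it, so editing or deleting an earlier entry breaks every later link. The sample events are constructed for the illustration. The example also shows the caveat practitioners should know: a hash chain by itself cannot detect that the newest entries were cut off, so the latest head hash has to be stored somewhere the log's author cannot rewrite (here, passed in as `expected_head`).

```python
"""Hash-chained audit log for account-security events.

Added illustration for this article; not code from any provider it names.
Each record stores the SHA-256 of the previous record, so modifying or
removing an earlier entry invalidates everything after it and the change
is detectable without access to the host that wrote the log.
"""
import hashlib
import json

GENESIS = "0" * 64   # `prev` value of the first record


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain: list, event: dict) -> dict:
    """Append an event and return the stored record (event, prev, hash)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"event": dict(event), "prev": prev, "hash": _digest(prev, event)}
    chain.append(record)
    return record


def verify(chain: list, expected_head: str = None) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first
    bad record. If `expected_head` (the last hash, stored out of band) is
    given and the chain does not end on it, return len(chain): entries
    were removed from the tail, which the links alone cannot reveal."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1


# Constructed sample: the sequence of account-recovery actions an attacker
# triggers through a support desk, as the tenant would log them.
SAMPLE_EVENTS = [
    {"ts": "2012-08-03T16:33:00Z", "actor": "support:agent-17",
     "action": "password_reset", "account": "user@example.com",
     "verification": "phone_kba"},          # knowledge-based answers over the phone
    {"ts": "2012-08-03T16:50:00Z", "actor": "user@example.com",
     "action": "login", "ip": "203.0.113.5"},
    {"ts": "2012-08-03T17:02:00Z", "actor": "user@example.com",
     "action": "remote_wipe", "device": "laptop-1"},
]


def build_sample() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


def tampered_sample() -> list:
    """Same chain with the reset entry edited to hide the weak verification step."""
    chain = build_sample()
    chain[0]["event"]["verification"] = "totp"
    return chain


def truncated_sample() -> list:
    """Same chain with the remote_wipe entry deleted from the tail."""
    chain = build_sample()
    del chain[2]
    return chain


if __name__ == "__main__":
    chain = build_sample()
    head = chain[-1]["hash"]
    print("intact:", verify(chain, head))
    print("edited entry detected at index:", verify(tampered_sample()))
    print("tail cut, links only:", verify(truncated_sample()))
    print("tail cut, with stored head:", verify(truncated_sample(), head))
```

Ship the log to storage the application identity cannot modify (a separate account with append-only permissions, or a second provider), and record the head hash there at a fixed interval; that is the out-of-band anchor that makes the truncation check meaningful.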

Despite these gaps, Cloud services are attracting businesses willing to trade risk for the convenience and lower cost of not having to maintain or manage the applications. In a recent survey of more than 4,000 business and IT managers, the Ponemon Institute found that half had already transferred sensitive or confidential data to the Cloud, and a third more were very likely to do so in the next two years.

At the same time, 39 percent in the study, commissioned by IT security company Thales, believed Cloud adoption had decreased data security and nearly two thirds did not know what Cloud providers were doing to protect data.

Read more about Cloud security in CSOonline's Cloud Security section.

Stories by Antone Gonsalves