Cloud applications are awash within businesses today – whether the organisation knows it or not. There are more than 4.2 million apps available across the Android and Apple stores alone, so it shouldn’t come as a surprise to anyone that employees are quick to download the latest app instead of going through the red tape of IT procurement, provisioning, testing and security. From Dropbox and Twitter to Facebook and Salesforce, apps have become the de facto method for sharing and storing data, allowing easy access and greater collaboration. In principle this is no bad thing, but in reality there’s risk involved and businesses are often innocent bystanders.
We’re all at the mercy of someone else’s security policies. I can have every single possible security tool, device and dashboard in place, but if a service I use is hacked? That’s out of my control. In the last couple of weeks Dropbox confirmed a hack in 2012 had resulted in 68 million user names and passwords appearing online. That’s around a third of Dropbox’s user base. A couple of days later OneLogin announced a bug had let a hacker view users’ secure notes, potentially exposing a Pandora’s box of information for anyone looking to move sideways in big businesses.
Most hackers are after a quick and easy payday. And any savvy hacker knows there’s loot to be had from cloud services. Given today’s consumer / corporate crossover world we live in, things like Dropbox are a prime target as they’re a vast cache of IP and corporate databases – and probably a fair amount of personal information that can exploited. At the same time, apps like OneLogin are designed to increase security and anyone looking to procure a few passwords would do well to try their luck here.
The cloud industry has been hard at work dragging people over the line in the security debate for some time. We have worked hard to tackle the issue head on and incidents like these don’t help assuage the doubts that many still have.
Enterprises are bombarded with advice about how to keep their data safe. We tell them about the importance of monitoring network activity, of knowing what their employees are doing, the need for layered solutions and access controls. But we need to practice what we preach.
It doesn’t matter if you’re a cloud app provider, a cloud security provider, an end user, or a service provider the same rules apply. If your password database is accessed and its contents downloaded or moved, big red, loud alarm bells should be ringing and, if they’re not, you’re not doing it right. Everyone needs an understanding of what normal looks like for their business, who is accessing what and from where, as well as the ability to control what can and can’t be done.
The cloud shouldn’t be feared; it should be embraced with open arms. But, as an industry, we need to take care of our own backyard first; otherwise we’re falling at the first hurdle.