With many aspects of IT moving from on-site systems to the cloud, companies have adjusted their cyber security strategies to better account for risks inherent in new platforms. However, ensuring that the cloud is secure is not a simple matter.
IT managers have to make sure that remotely stored data is handled in compliance with applicable regulations. At the same time, they must harden infrastructure against cyberattacks that seek to take advantage of the high concentration of sensitive data in the cloud. Lastly, they must perform these tasks in conjunction with cloud providers, many of which give only low priority to security issues.
The recent breach of Adobe Creative Cloud represents a worst-case scenario for what can happen when cloud security measures are not strong enough to withstand a serious threat environment. However, these types of incidents only tell part of the story in regard to the challenges that companies face when they rely on the cloud.
More specifically, a weakness in physical security can be just as dangerous as any vulnerability in cyberspace. An improperly protected or suboptimally located data center can put important information and operations at severe risk of disruption. In addition to thieves and natural disasters, enterprises face possible danger from unauthorized employees having access to loosely secured server rooms. Accordingly, it is imperative that organizations approach cloud security holistically and devote adequate attention to both protecting data and securing the physical locations in which it resides.
Adobe Creative Cloud breach demonstrates vulnerability of mass quantities of data
Why is the cloud a prime target for cyber criminals in the first place? A large part of its appeal is the sheer amount of data that it contains, a characteristic that drives malicious actors to pursue many physical and virtual attack vectors.
One of the best demonstrations of how the cloud’s scale inherently contributes to its vulnerability is the October 2013 attack on Adobe Creative Cloud, a cloud repository for industry-leading media production tools. According to Brian Krebs’s in-depth report on the event, the breach may have compromised credit card numbers, user account data and application source code, indicating the remarkable – and perhaps disconcerting – variety and concentration of assets in just this one cloud.
In this instance, the attackers’ methods were typical. Account IDs and passwords for approximately 38 million active users were moved along with other stolen assets to hacker-controlled servers. Some of the data was encrypted and may have survived decipherment attempts, but enough of it was compromised to force a massive number of password resets.
However, the unique and standard tools that protect data in cyberspace, such as encryption and password hashing, lack 1-to-1 equivalents in the physical word. Each business must protect its site according to its particular situation, and it must do so knowing that a break-in could compromise data just as quickly as hacking. If even strong, widely accepted data security mechanisms failed to protect Adobe’s users, what kinds of risks do businesses invite when they all follow different procedures for protecting physical assets?
University’s new data center shows what can be done to improve physical and data security
Some institutions have been very proactive about physical security. Writing for The Daily Pennsylvanian, Ryan Anderson documented The University of Pennsylvania’s construction of a new data center protected by state-of-the-art safeguards. The measures include:
- Surveillance cameras and an alarm system
- Three access points that require employees to swipe a key card
- Floor sensors and sticky doormats that protect the server room from water and dust
Like Adobe Creative Cloud, the university’s data centers are home to a tremendous amount of information. Anderson observed that the new installation may house several terabytes of data on students, faculty and staff.
The institution actually built the new facility to scale out its data retention and processing abilities, and it took the commendable step of ensuring that it did not trade security for scope. Realizing that mass quantities of data are liabilities almost by definition, the university appears to have taken the right tack, and its actions can serve as an example of how organizations must shore-up cloud data in both the physical and virtual worlds.
Holistic cybersecurity requires combination of physical and virtual protections
In a piece for SecurityInfoWatch, Ray Cavanagh emphasized the need for a holistic approach to cloud security, one that utilized protections across cyberspace and server rooms alike. Such a tack will be essential to IT departments staying ahead of both external actors and risky insiders. Additionally, paying adequate attention to all possible weaknesses will be necessary as more organizations rely on a mix of on-site private and remote public clouds, which between them create a wide range of physical and virtual security issues.
“Securing both public and private cloud environments, along with understanding both the risks and benefits of cloud computing for physical security, presents a sizeable challenge for security professions – but nothing the continuously evolving security industry cannot handle,” argued Cavanagh. “In short, physical and cyber security teams simply must work together now to better anticipate, thwart and reduce threats.”
Certainly, it will be challenging for some companies to coordinate security efforts across the different departments responsible for protecting data and site security. In some cases, it may be prudent for managers to get help from traditional security firms in addition to the guidance they receive from cyber security professionals.
Organizations will need assistance in dealing not only with cloud infrastructure, but also with mobility. Almost nothing better demonstrates the complex matrix of cloud-related risks that enterprises face than the consumerization of IT hardware, which has made it easy for employees to access cloud data even from outside company buildings.
“The proliferation of mobile devices and the increased adoption of cloud applications makes it difficult to manage and protect users as they travel outside the network perimeter,” said Zscaler CEO Jay Chaudhry, according to Forbes.
Fortunately, many institutions have already shown that data centers can be made physically secure as part of a wider initiative to protect data. As Cavanagh suggested, the flexibility of the security communities provides cause for optimism about their ability to address a full range of risks and make it safer to store data in the cloud.