When I was at Veritas, we did a security audit of a newly built data centre product. A bunch of hackers were called in and they found some critical security holes, including two within my own code. My code was close to the kernel and I assumed that it was shielded by the layers of other code on top.
As a new young engineer, full of self-confidence and ego, I walked up to one of the security experts and defended my work by claiming that the software using my work should already be secure and I shouldn’t be repeating the same security code in my work.
I think the hacker nailed it with a simple answer – “The best security architecture assumes that the layer on the top is already compromised”.
The past 12 months have seen the highest level of data breaches that the UK has ever recorded. In August last year, the Information Commissioner’s Office (ICO) revealed that data breaches had jumped by 1,014% over the previous five years and look set to continue rising.
This increase could be attributed to the growing prevalence of consumer-grade collaboration tools, such as Dropbox, in the workplace. In 2011, a bug in the Dropbox code allowed anyone in the world to access any of the 25 million accounts registered with the site at that time by entering an arbitrary string as the password. Although the incident was resolved after four hours, there’s no telling how many unauthorised log-ins took place.
In August last year, Dropbox came under fire again after it was revealed that a file containing private customer details had been stolen from an employee’s account. The stolen information was subsequently used to send reams of spam to Dropbox customers.
Around the same time last year, Amazon and Apple were severely scrutinised over their customer identification systems when a hacker managed to trick their way past customer service personnel and into the iCloud account of technology journalist Mat Honan. The hacker then went on to remotely erase the data from Honan’s laptop, iPhone and iPad.
Dropbox and Apple were probably victims of their own popularity, and at scale everything breaks. But there is a lot to learn from these incidents.
A ‘one size fits all’ approach to encryption, also known as Full Disk Encryption (FDE), is unlikely to provide an organisation with the appropriate level of security or the desired flexibility, particularly when handling especially sensitive data, such as financial data or healthcare records.
A company relying solely on FDE is likely to face a number of issues:
- An inability to differentiate access between users – once the disk is unlocked, FDE means that users on the same system can see all data on that system. For example, the Sales Team could view documents from the Accounts Department if they wanted to.
- FDE systems require administrators to have full decryption access to carry out administrative tasks, potentially revealing sensitive information.
- FDE can also impact end-users by requiring them to learn a new pre-boot authentication process. This can hamper and delay the implementation of widespread encryption.
With the advent of the cloud, new technologies have been developed with the aim of adding extra, as well as segregated, layers of encryption to a company’s IT security protocols. To name a handful:
- Network and at-rest encryption means data is not only encrypted while sitting in the cloud but is also encrypted separately while travelling from the datacentre to an endpoint.
- Two-factor authentication of critical users and admins is a simple feature that asks for more than just your password. It requires both something you know and something you have. After you enter your password, for example, you’ll get a second code sent to your phone, and only after you enter it will you get into your account.
- Two-factor encryption is modelled on a bank locker, in which both parties hold part of the key. The encryption keys are split between the organisation and the cloud provider, giving neither party full, unencrypted access to any data in the cloud on its own.
- Sandboxed data for every customer, isolating data by individual customer/user so that a compromised account shouldn’t be a threat to all of them.
- Clearly separated cloud access control: it is possible to apply separate encryption to different users and departments, ensuring that employees only have access to the data that is relevant to them.
- Data/byte scrambling to avoid any direct access to data.
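The "two-factor encryption" bullet above, as an added illustration that is not code from the original post: a data-encryption key is split into two XOR shares, one held by the organisation and one by the cloud provider, and only the recombined key decrypts anything. Function names are assumptions, and the cipher is a stdlib-only toy (SHA-256 counter-mode keystream plus an HMAC tag) standing in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data-encryption key


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split `key` into two XOR shares; each share alone is uniformly random."""
    org_share = secrets.token_bytes(len(key))
    cloud_share = bytes(a ^ b for a, b in zip(key, org_share))
    return org_share, cloud_share


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the key: both parties must contribute their share."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream so the example runs on the stdlib alone.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (e.g. one share) is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def can_decrypt(candidate_key: bytes, blob: bytes) -> bool:
    """True only if `candidate_key` is the full key; a lone share fails."""
    try:
        decrypt(candidate_key, blob)
        return True
    except ValueError:
        return False
```

An administrator at the provider holding only `cloud_share`, or an insider at the organisation holding only `org_share`, fails the authentication check and learns nothing about the record.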
As the cloud becomes more affordable, its widespread adoption will be inevitable. But long-term adoption by enterprises will depend upon how it gains the CSO’s trust. Simply encrypting data and getting an audit will not be enough.
As the majority of cloud service providers build on other infrastructure services such as AWS, the foundation for a secure cloud will depend upon each layer within the cloud establishing its own security, and even redundancy, rather than trusting the layer beneath it.