Category Archives: Public Cloud

427 Million Myspace Passwords leaked in major Security Breach


Myspace has suffered a major data breach in which hundreds of millions of users have had their account details compromised.

You may have forgotten Myspace and not thought of it in years since Facebook took over the market, but Myspace was once a popular social media website.

On Tuesday, Myspace confirmed that the company was hacked in 2013 and that the stolen Myspace username and password combinations have been made available for sale in an online hacker forum.

The hacker, nicknamed Peace, who is selling the database of about 360 million Myspace accounts with 427 million passwords, is the same hacker who was recently in the news for leaking 164 million LinkedIn and 65 million Tumblr accounts.

“We believe the data breach is attributed to Russian Cyberhacker ‘Peace’,” Myspace wrote in a blog post. “Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk.”

Like LinkedIn, the stolen Myspace passwords were stored as unsalted SHA1 hashes. A salt is a random per-user value mixed into the password before hashing, so two users with the same password get different hashes and an attacker cannot crack an entire dump with one precomputed table. Without a salt, and with a fast hash like SHA1, most of the passwords in a dump can be recovered from a wordlist in very little time.

Myspace said it has taken “significant steps” to strengthen its users’ account security since the data breach in 2013 and now the company uses double-salted hashes to store passwords.
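To make the salting point concrete, here is an added example (not code from the original post or from Myspace) that crack-tests a few unsalted SHA1 hashes against a small constructed wordlist, then does the same against salted PBKDF2 hashes so the difference in attacker work is visible. The wordlist, user names and iteration count are assumptions chosen for the demo. The same weakness is what let the LinkedIn dump be turned against Mark Zuckerberg's other accounts, as a later post on this page describes.

```python
import hashlib
import hmac
import os

# Constructed cracking dictionary for the demonstration (example data, not from the page).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "baseball"]
# Production deployments should use far more iterations; kept low so the demo runs quickly.
DEMO_ITERATIONS = 20_000


def unsalted_sha1(password):
    """Storage scheme the post attributes to the 2013-era Myspace and LinkedIn dumps."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes, wordlist):
    """Hash the wordlist once and look every leaked hash up in it.

    Cost is O(len(wordlist)) no matter how many hashes leaked, and every user
    who picked the same password is exposed by the same table entry.
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def salted_hash(password, salt=None, iterations=DEMO_ITERATIONS):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Returns (salt, digest); both are stored, and the salt need not be secret.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=DEMO_ITERATIONS):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, wordlist, iterations=DEMO_ITERATIONS):
    """With per-user salts there is no shared table: every (user, guess) pair
    costs a full KDF run. Returns (cracked, kdf_calls) so the work can be compared."""
    cracked, kdf_calls = {}, 0
    for user, salt, digest in records:
        for guess in wordlist:
            kdf_calls += 1
            if verify_salted(guess, salt, digest, iterations):
                cracked[user] = guess
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    # Two users chose "letmein"; in the unsalted dump they share one hash.
    leaked = [unsalted_sha1(p) for p in ("letmein", "letmein", "correct horse battery staple")]
    print("unsalted, cracked:", list(crack_unsalted(leaked, WORDLIST).values()))
    records = [(u, *salted_hash(p)) for u, p in (("alice", "letmein"), ("bob", "letmein"))]
    cracked, calls = crack_salted(records, WORDLIST)
    print("salted, cracked:", cracked, "after", calls, "KDF calls")
```

The unsalted path cracks every weak password in the dump with one wordlist pass, while the salted path needs a separate KDF run per user per guess, which is the cost that a per-user salt and a slow hash impose on the attacker.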

I strongly advise users who tend to reuse the same passwords between sites to set new passwords on those websites immediately.

Warning! 32 Million Twitter Passwords May Have Been Hacked and Leaked


The world came to know about massive data breaches in some of the most popular social media websites including LinkedIn, MySpace, Tumblr, Fling, and VK.com when an unknown Russian hacker published the data dumps for sale on the underground black marketplace.

However, these are only the data breaches that the hacker has chosen to disclose publicly.

I wonder how many more stolen data sets this Russian, or other hackers, are holding that have yet to be released.

The answer is still unknown, but the same hacker is now claiming another major data breach, this time, in Twitter.

Login credentials of more than 32 Million Twitter users are now being sold on the dark web marketplace for 10 Bitcoins (over $5,800).

LeakedSource, a search engine that indexes login credentials leaked in data breaches, noted in a blog post that it received a copy of the Twitter database from Tessa88, the same alias used by the hacker who provided it with the hacked data from the Russian social network VK.com last week.

The database includes usernames, email addresses, sometimes second email addresses, and plain-text passwords for more than 32 Million Twitter accounts.

Twitter strongly denied the claims by saying that “these usernames and credentials were not obtained by a Twitter data breach” – their “systems have not been breached,” but LeakedSource believed that the data leak was the result of malware.

“Tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” LeakedSource wrote in its blog post.

But do you remember how Facebook CEO Mark Zuckerberg's Twitter account was compromised?

The hackers took Zuckerberg's credentials from the LinkedIn dump, cracked his unsalted SHA1 password hash, tried the recovered password on several of his other social media accounts, and got into his Twitter and Pinterest accounts.

So, one possibility could also be that the alleged Twitter database dump of over 32 Million users is made up of already available records from the previous LinkedIn, MySpace and Tumblr data breaches.

The hacker might just have published already leaked data from other sites and services as a new hack against Twitter that actually never happened.

Whatever the explanation, the fact remains that hackers may have got hold of your personal data, including your online credentials.

So, it’s high time you changed your passwords for all social media sites as well as other online sites if you are using the same password.

Attorney Confidentiality, Cybersecurity, and the Cloud


There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Attorney Ethical Rules in the Digital Age

The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues.  Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The application of this rule to digital technologies has been dealt with by resolutions and commentary.  Fairly recently, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” And a few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology” (the clause about technology is the added language).

Attorney-Client Privilege in the Cloud

Is it ethical for attorneys and law firms to store privileged documents in the cloud?  After all, they are storing such documents on a third party’s computer.


This question has been a widespread concern, enough so that several state bar associations have issued guidance.  Their consistent conclusion is that it is ethical to store privileged documents in the cloud.  For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”

According to the Florida Bar Association Opinion 12-3, “Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it.” The Massachusetts Bar Association Opinion 12-03 provides that lawyers “may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution” if they undertake “reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information.”

The New York Bar Association Ethics Opinion 842 concludes that “a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”

Other state bars have reached similar conclusions.  The ABA maintains a page that tracks what state bars are holding on this issue.  Every state that has issued an opinion on the use of the cloud says essentially the same thing: using the cloud is ethical as long as reasonable care is taken.


In many situations, data stored in the Cloud might have stronger security protections than when stored on the attorney or firm’s own network.  This is because some of the best cloud service providers have more sophisticated security practices and more robust technical and other resources to protect the data than a law office or firm.  For example, the Panama Papers breach at Mossack Fonseca occurred on the firm’s network, which had numerous security vulnerabilities.

Attorneys don’t have a blank check to store anything with any third party.  There still are cybersecurity obligations.  According to widespread standards in other industries, there are certain essential practices when selecting and contracting with a cloud service provider.  The Pennsylvania Bar Association guidance notes that “reasonable safeguards” must be used “to ensure that the data is protected from breaches, data loss and other risks.”  What are such reasonable safeguards?  I will discuss that in the part below.

Confidentiality and Cybersecurity Responsibilities

Attorneys and law firms have significant confidentiality and cybersecurity responsibilities.   These typically involve using “reasonable care,” which is a standard grounded in common best practices and norms.  These standards are mentioned in various state bar opinions and guidance, as well as in data security regulation of other industries.

For example, the FTC cases on data security are useful to study to learn about common best practices across a wide array of industries.  The FTC typically enforces standards that are commonly accepted as the norm for reasonable security practices.  I have written about the FTC extensively in my article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (with Woodrow Hartzog), and this piece includes a listing of the data security deficiencies that the FTC has identified as problematic.

I have written an earlier post about the cybersecurity risks that law firms face and about how a number of firms and attorneys need to step up their efforts to protect data.

State bars have also provided many useful examples.  Some of these include (1) eliminating metadata when documents are transmitted to adverse parties; (2) taking precautions when using public wireless connections to communicate with clients, such as using firewalls and encryption; (3) backing up data; (4) implementing audit logging to monitor who is accessing data; (5) having a data breach response plan; and (6) having a firewall on the firm or office network.

With regard to using cloud service providers, relevant responsibilities of attorneys include (1) performing due diligence in selecting a cloud service provider; (2) having an appropriate contract in place with the cloud service provider; (3) exercising good security practices on their own network and when accessing data stored in the cloud; and (4) engaging in continued monitoring of the cloud service provider to ensure that the provider is living up to its obligations.

Due Diligence When Selecting a Cloud Service Provider


Due diligence should involve examining whether a cloud service provider has:

  • adequate safeguards in place to maintain accessibility of data in the event of disasters
  • sufficient stability and resources
  • appropriate procedures to comply with a litigation hold
  • appropriate written policies and procedures to protect confidentiality and security
  • appropriate backups
  • appropriate security protections, including employee training, penetration testing, etc.

Appropriate Provisions in Contracts with Cloud Service Providers


Contracts with cloud service providers should require, among other things:

  • Ownership of the data remains with the attorney or firm, not the cloud service provider.
  • Attorneys must have adequate access to the data.
  • Data should be routinely backed up.
  • There should be an enforcement provision if the provider fails to meet its obligations.
  • The cloud service provider should provide reasonable and appropriate security protections.
  • The data is hosted in countries with sufficient legal protections of privacy and security and adequate rules regulating government access.
  • The data is returned in the event of termination of the contract.

Good Data Security Practices

Additionally, attorneys and support personnel have obligations for their own behavior when using cloud service providers such as being trained about data security best practices, use of strong passwords, safe practices when using public Wi-Fi, avoiding falling for phishing scams, and so on.

Ongoing Vigilance of Cloud Service Providers

Finally, attorneys or firms must continue to monitor any cloud service provider they use to ensure that the provider is complying with the agreement and to ensure that the provider is keeping up with new technological developments and protecting against emerging security threats.

The above are not exclusive lists, but are examples of some of the kinds of things that are encompassed by the duty to exercise “reasonable care.”

Conclusion

It is clear that attorneys and firms can use cloud services consistent with their obligations to maintain the confidentiality of client information.  Reasonable care must be exercised in the process, and that involves due diligence when selecting a cloud service provider, having the appropriate contractual provisions in the agreement with the cloud service provider, and continuing to be vigilant about how well the provider is living up to its obligations.

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles.  Thanks to Microsoft for its support of this piece.  All views in this piece are my own.

Over 400 Million Affected in Latest Hacks

Myspace and Tumblr have become the latest victims of a data breach, with over 400 million email addresses, usernames, and passwords surfacing for sale in the last month.

Myspace Breach

Chances are, you have forgotten all about that Myspace account and your friend Tom that you had back in the early 2000s. However, that account may come back to haunt you as Myspace has fallen victim to possibly the largest data breach to date. According to the hack-tracking site LeakedSource, over 360 million user records were stolen by a hacker that goes by the name of “Peace.”

“Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013, on the old Myspace platform are at risk,” Myspace announced in a blog about the hack. For those of you who have created an account since June 2013, your account is currently unaffected. Myspace says it has increased its security significantly, specifically by using “double salted hashes,” which makes it much harder to crack passwords even if they have been breached.

Tumblr Breach

Apparently, “Peace” was a very busy hacker in 2013. The anonymous cybercriminal is responsible for the data breaches of LinkedIn, Myspace and now Tumblr. LinkedIn and Myspace could go down as the largest data breaches in history, with records surpassing 100 million and 360 million respectively.

What is Tumblr? Tumblr lets you effortlessly share anything. Post texts, photos, quotes, links, music and videos from your browser, phone, desktop, email or wherever you happen to be. It is a cross between a social networking site and a blog. Often described as a ‘microblog’, Tumblr currently hosts over 217 million separate blogs with 420 million users and was purchased in 2013 by Yahoo for $1.1 billion.

On May 12th, Tumblr revealed that it had just discovered a 2013 breach of user email addresses and passwords. Troy Hunt, the security researcher who runs Have I Been Pwned, recently obtained a copy of the stolen data set, which includes over 65 million unique email addresses and passwords.

The breaches of LinkedIn, Myspace and Tumblr are being tabbed as ‘mega breaches’ and, coincidentally, have all surfaced in the last couple of weeks. Could this be a trend, and how many more ‘mega breaches’ could we see in the near future?

“If this is indeed a trend, where does it end? What more is in store that we haven’t already seen?” Hunt wrote. “…how many more are there in the ‘mega breach’ category that are simply sitting there in the clutches of various unknown parties?”

How Serious Is This?

While it’s extremely unlikely that anyone is going to want to hack into your zombie Myspace page or Tumblr account, cybercriminals who get hold of your email addresses, usernames or passwords are going to try them against other accounts, such as your bank accounts. It’s as important as ever to have a strong, unique password for each online account you use. While this may be a huge pain, it’s worth doing and might save you a lot of hassle in the long run.

What is the cloud and how does it work, “Unlock the Cloud”. Part 2


We kicked off a cloud series called “Unlock the Cloud” yesterday. In this post, we look at the established and emerging cloud services that are driving the 19.4% compound annual growth rate in public cloud services spending, from $70 billion in 2015 to a projected $141 billion by 2019.

Many enterprises are juggling three primary “as-a-service” categories to best scale their business and IT service delivery via the cloud: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). These services enable organizations to build, deploy and buy virtualized computing resources using more cost-effective, pay-as-you-use pricing models that have changed the way companies everywhere are consuming IT. Here’s a look at all three and some of their data-driven, cloud storage offshoots.

IaaS (Infrastructure as a Service)

Imagine an IT service delivery infrastructure that you don’t have to purchase, house, manage or update. IaaS makes all of your physical and virtual computing resources (compute, storage, operating systems and to some extent networking, etc.) accessible as you need them. The main benefit is you can still design and control the IT infrastructure you want without investing heavily in CAPEX and OPEX.

PaaS (Platform as a Service)

PaaS falls somewhere in between SaaS and IaaS. What makes it distinct is that it enables you to develop and deploy applications using the programming languages, libraries, services, and tools supported by the PaaS provider to bring products and services to market faster. So application developers don’t have to worry about available computing resources because they can leverage the PaaS provider’s IaaS environment, as well as its SaaS-like application development tools and hosting services.

SaaS (Software as a Service)

Don’t want the expense or hassle of deploying and revving applications? Then SaaS is the way to go. Companies don’t need to own or maintain software applications, and updates can be delivered in real time versus waiting for them to be pushed out by IT. Just run a thin-client or Web browser on your device of choice to access a wealth of applications over the Internet as needed (Yes, there’s an app for that!).

Much of the confusion around these services is rooted in the fact that many cloud providers now offer all three. That makes it almost impossible to differentiate each type of service by provider. The real work for your business will be to decide which services and providers best match the workloads you are trying to support.

Cloud Storage Offshoots

Cloud storage services may well become one of the fastest-growing niche cloud markets, given how often they now appear alongside SaaS, IaaS and PaaS offerings. Here are some notable cloud storage services:

STaaS (Storage-as-a-Service) – You are already using STaaS if you store photos from your smartphone in the cloud or share documents with other users. As data volumes keep growing, parking portions of your personal and business storage in the cloud is inevitable.

DBaaS (Database-as-a-Service) – The complexity of database management often requires a team of database administrators to select and maintain single or multiple database platforms, and continuously optimize them. DBaaS eliminates the need for costly management resources and storage infrastructure by placing the burden on the DBaaS provider.

DRaaS (Disaster-Recovery-as-a-Service) – DRaaS eliminates the muss, fuss and cost of physically creating and maintaining a geographically separate data center for disaster recovery. It replicates your data center resources in the cloud and makes them available when you most need them. If you don’t need to completely replicate your IT infrastructure, but want to still protect your data, then consider BaaS (Backup-as-a-Service).

In this new “there’s a service for that,” world, choosing the best cloud services will depend on your workloads, and connecting to that service will depend on your cloud interconnection strategy. Stay tuned for upcoming “Unlock the Cloud” articles to learn more.

What is the cloud and how does it work, “Unlock the Cloud”. Part 1


By 2018, at least according to a Gartner report, half of IT spending will be cloud based. So I thought I would write a series of articles called “Unlock the Cloud”. We will tackle cloud terms that are widely used but often misunderstood: public, private, hybrid and multi-cloud. We will also look at cloud services and cloud interconnection strategies.

The word “cloud” defines shared, automated hardware or software services that offer customers a high degree of resource scalability, elasticity and self-service. Using the cloud is a lot like using a utility like electricity. Rather than spending a lot of time, capital and resources purchasing, configuring and managing their own hardware and software, customers provision, orchestrate and scale IT resources in the cloud, paying for only what they use, when they use it.

Public Cloud: Do you need a quick, cost-efficient way to ramp up and down software test beds, offload applications such as e-mail or customer relationship management, or cover seasonal spikes in customer usage? Consider using a public cloud service.

A public cloud describes a third-party provider of infrastructure, platform, storage or application cloud services, such as Amazon Web Services (AWS), Microsoft Azure, Dropbox or Salesforce. These services rent shared hardware and/or software resources to organizations and individuals on a pay-as-you-go basis. Public cloud services also come in a variety of types, which we will discuss in another post.

Private Cloud: Do your in-house customers need the agility and elasticity advantages of the public cloud, but with more stringent control, customization, security and compliance capabilities? Consider a private cloud, which may be managed by your organization or an outside service via a private network connection, with hardware and software specifically assigned to your organization only.

Private clouds allow more customization than public clouds. However, private clouds may require a lot of organizational investment up front and internal IT resources to run. As with public clouds, private cloud resources are shared among internal departments and users, allowing users to self-provision and scale hardware or software resources as needed. Private clouds that are shared among different organizations in a closed environment, such as agencies in a state government, are sometimes called a community cloud.

Hybrid Clouds: Are you looking for the best of both clouds? Hybrid clouds combine at least one public and private cloud to deliver a particular IT service(s). Organizations may want to run an application entirely or partially in the public cloud but keep its sensitive data in a more secure private cloud. Or they may run an application internally, but “burst” it out automatically to a public cloud during peak demand periods. The latter is very cost-efficient, making it unnecessary to purchase and manage all the necessary hardware and software real estate for those occasional peak loads.

Multi-cloud describes a number of public and/or private cloud services used to deliver a single enterprise service, such as big data analysis or an application with multiple components. Hybrid clouds are a subcategory of multi-cloud, which has become a popular choice with enterprises: nearly half of the enterprises surveyed are currently pursuing a multi-cloud strategy, and by 2020, 86% of those companies expect to have deployed multiple clouds across multiple locations.

“The Cloud” can be confusing, but we will continue to offer clarity in this “Unlock the Cloud” series.

Microsoft sues U.S. government over data requests


An important case to pay attention to:

SAN FRANCISCO (Reuters) – Microsoft Corp (MSFT.O) has sued the U.S. government for the right to tell its customers when a federal agency is looking at their emails, the latest in a series of clashes over privacy between the technology industry and Washington.

The lawsuit, filed on Thursday in federal court in Seattle, argues that the government is violating the U.S. Constitution by preventing Microsoft from notifying thousands of customers about government requests for their emails and other documents.

The government’s actions contravene the Fourth Amendment, which establishes the right for people and businesses to know if the government searches or seizes their property, the suit argues, and Microsoft’s First Amendment right to free speech.

The Department of Justice is reviewing the filing, spokeswoman Emily Pierce said.

Microsoft’s suit focuses on the storage of data on remote servers, rather than locally on people’s computers, which Microsoft says has provided a new opening for the government to access electronic data.

Using the Electronic Communications Privacy Act (ECPA), the government is increasingly directing investigations at the parties that store data in the so-called cloud, Microsoft says in the lawsuit. The 30-year-old law has long drawn scrutiny from technology companies and privacy advocates who say it was written before the rise of the commercial Internet and is therefore outdated.

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft says in the lawsuit. It adds that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”

SURVEILLANCE BATTLE

The lawsuit represents the newest front in the battle between technology companies and the U.S. government over how much private businesses should assist government surveillance.

By filing the suit, Microsoft is taking a more prominent role in that battle, dominated by Apple Inc (AAPL.O) in recent months due to the government’s efforts to get the company to write software to unlock an iPhone used by one of the shooters in a December massacre in San Bernardino, California.

Apple, backed by big technology companies including Microsoft, had complained that cooperating would turn businesses into arms of the state.

“Just as Apple was the company in the last case and we stood with Apple, we expect other tech companies to stand with us,” Microsoft’s Chief Legal Officer Brad Smith said in a phone interview after the suit was filed.

One security expert questioned Microsoft’s motivation and timing. Its lawsuit was “one hundred percent motivated by business interests” and timed to capitalize on new interest in customer privacy issues spurred in part by Apple’s dispute, said D.J. Rosenthal, a former White House cyber security official in the Obama administration.

As Microsoft’s Windows and other legacy software products are losing some traction in an increasingly mobile and Internet-centric computing environment, the company’s cloud-based business is taking on more importance. Chief Executive Satya Nadella describes Microsoft’s efforts as “mobile first, cloud first.”

Its customers have been asking the company about government surveillance, Smith said, suggesting that the issue could hurt Microsoft’s ability to win or keep cloud customers.

In its complaint, Microsoft says over the past 18 months it has received 5,624 legal orders under the ECPA, of which 2,576 prevented Microsoft from disclosing that the government is seeking customer data through warrants, subpoenas and other requests. Most of the ECPA requests apply to individuals, not companies, and provide no fixed end date to the secrecy provision, Microsoft said.

Microsoft and other companies won the right two years ago to disclose the number of government demands for data they receive. This case goes farther, requesting that it be allowed to notify individual businesses and people that the government is seeking information about them.

Increasingly, U.S. companies are under pressure to prove they are helping protect consumer privacy. The campaign gained momentum in the wake of revelations by former government contractor Edward Snowden in 2013 that the government routinely conducted extensive phone and Internet surveillance to a much greater degree than believed.

Late last year, after Reuters reported that Microsoft had not alerted customers, including leaders of China’s Tibetan and Uighur minorities, that their email was compromised by hackers operating from China, Microsoft said publicly it would adopt a policy of telling email customers when it believed their email had been hacked by a government.

The company’s lawsuit on Thursday comes a day after a U.S. congressional panel voted unanimously to advance a package of reforms to the ECPA.

Last-minute changes to the legislation removed an obligation for the government to notify a targeted user whose communications are being sought. Instead, the bill would require disclosure of a warrant only to a service provider, which retains the right to voluntarily notify users, unless a court grants a gag order.

It is unclear if the bill will advance through the Senate and become law this year.

Separately, Microsoft is fighting a U.S. government warrant to turn over data held in a server in Ireland, which the government argues is lawful under another part of the ECPA. Microsoft argues the government needs to go through a procedure outlined in a legal-assistance treaty between the U.S. and Ireland.

Twitter Inc (TWTR.N) is fighting a separate battle in federal court in Northern California over public disclosure of government requests for information on users.

The case is Microsoft Corp v United States Department of Justice et al in the United States District Court, Western District of Washington, No. 2:16-cv-00537.

Who is responsible for your cloud application breach?


Cloud application security has become a major concern lately because of a string of breaches involving cloud-hosted services and data, such as the iCloud account hack and the Target, Home Depot and U.S. Internal Revenue Service breaches. That raises the question of where responsibility for application security lies: with the vendor, or with the company or person using the service?

The answer is both. The vendor covers the security of the server side, but the client side, meaning the accounts, devices and credentials used to reach the service, still has to be secured by the customer, and that half is the one most often overlooked. Client-side security matters because server-side controls alone cannot stop a breach that starts with a stolen credential or a compromised user device.

The threats that most endanger cloud application security are:

  • Data breaches
  • Account hijacking
  • Compromised credentials
  • Permanent data loss
  • Shared technologies
  • Cloud service abuse
  • Hacked interfaces and APIs

Data Breaches

This is one of the biggest threats to cloud services because of the vast amount of data stored on cloud servers. The sensitivity of that data is easy to imagine: the cloud holds the financial and personal details of millions of people. If this data is breached, it can bring down the company and also endanger the people whose details were exposed.

Account Hijacking

This kind of attack has been around for a long time and includes fraud, phishing, software exploits and the like. Through these attacks cloud services can be compromised, which can in turn lead to launching further attacks, changing account settings, manipulating transactions, and uploading malware and illegal content.

Compromised Credentials

Credentials are generally compromised because of weak passwords, casual authentication, or poor key or certificate management. Identity and access management also becomes a problem when user access is not adjusted as job roles and responsibilities change, or is not revoked when the user leaves the organization.
Embedding credentials and cryptographic keys in source code and leaving them in online repositories such as GitHub is another big vulnerability that can easily be exploited. Aligning identity with the cloud provider requires understanding the security measures the provider has in place.
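The repository leak just described is easy to catch before a push, as the following added example shows. It is not code from the original post: it is a small Go secret scanner with three constructed detection rules (the AWS access key ID rule uses the published key format; the password and private-key patterns are generic heuristics that need tuning per code base) run over a constructed in-memory repository. The access key in the sample is the placeholder value from AWS's own documentation, not a live credential, and the other values are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one suspected credential found while scanning a file.
type Finding struct {
	File string
	Line int
	Rule string
}

// secretRules are the detection patterns. The AWS access key ID rule uses
// the published key format (AKIA followed by 16 upper-case alphanumerics);
// the other two are generic heuristics and will need tuning per code base.
var secretRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	{"hardcoded-password", regexp.MustCompile(`(?i)(?:password|passwd|secret)\s*[:=]\s*["'][^"']{6,}["']`)},
}

// ScanFile runs every rule over each line of content and returns the hits
// with 1-based line numbers, so a finding can be tied back to a commit.
func ScanFile(name, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range secretRules {
			if r.Re.MatchString(line) {
				out = append(out, Finding{File: name, Line: i + 1, Rule: r.Name})
			}
		}
	}
	return out
}

// ScanRepo scans a set of files (path -> content) in deterministic path order.
func ScanRepo(files map[string]string) []Finding {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []Finding
	for _, p := range paths {
		out = append(out, ScanFile(p, files[p])...)
	}
	return out
}

// sampleRepo is a constructed stand-in for a checked-out repository. The
// access key is the placeholder from AWS's own documentation, not a live
// credential; the password and the truncated key block are made up.
var sampleRepo = map[string]string{
	"config.py":   "DB_HOST = \"db.internal\"\nDB_PASSWORD = \"hunter2hunter2\"\n",
	"deploy.sh":   "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
	"keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...truncated...\n-----END RSA PRIVATE KEY-----\n",
	"main.go":     "package main\n\nfunc main() {}\n",
}

func main() {
	for _, f := range ScanRepo(sampleRepo) {
		fmt.Printf("%s:%d  %s\n", f.File, f.Line, f.Rule)
	}
}
```

In practice the same ScanFile logic runs as a pre-commit hook or CI job over the real working tree. A hit should be treated as a rotation event for that credential and not merely as a file cleanup: once the value has been committed it has already left the developer's machine, and rewriting history does not undo any copy that was fetched in the meantime.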

Permanent Data Loss

Malicious hackers have in the past gained access to cloud services and permanently deleted data, disrupting the business. Cloud data centers are also vulnerable to natural disasters that can wipe out the data stored there.
If a user encrypts data before uploading it to the cloud and then loses the key, the data is lost as well. Client-side protection of data therefore has to be managed and well maintained. Permanent data loss can lead to a financial crisis and disrupt the organization's operations.
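The "encrypt before upload, then lose the key" failure mode above is usually addressed with envelope encryption: the object is encrypted under a one-off data key, and that data key is wrapped separately under more than one key-encryption key (KEK), one of which is kept offline as a backup. The Go example below is added here to illustrate that and is not part of the original post; the Envelope type, NewKEK, Encrypt and Decrypt are illustrative names, and the "customer ledger" plaintext is a constructed value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets uploaded: the ciphertext plus the data key wrapped
// separately under each key-encryption key (KEK), in the order given.
type Envelope struct {
	Ciphertext  []byte
	WrappedKeys [][]byte
}

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKEK returns a fresh 256-bit key-encryption key.
func NewKEK() []byte { return randomBytes(32) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random 96-bit nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; the GCM tag check turns any tampering into an error.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt generates a one-off data key, encrypts the object with it and wraps
// the data key under every KEK supplied (e.g. a primary and an offline backup).
func Encrypt(plaintext []byte, keks [][]byte) (*Envelope, error) {
	dataKey := randomBytes(32)
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct}
	for _, kek := range keks {
		wrapped, err := seal(kek, dataKey)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// Decrypt succeeds as long as any one of the available KEKs unwraps a copy.
func Decrypt(env *Envelope, availableKEKs [][]byte) ([]byte, error) {
	for _, kek := range availableKEKs {
		for _, wrapped := range env.WrappedKeys {
			dataKey, err := unseal(kek, wrapped)
			if err != nil {
				continue // this KEK did not produce this copy; try the next
			}
			return unseal(dataKey, env.Ciphertext)
		}
	}
	return nil, errors.New("no usable KEK: the data is unrecoverable")
}

func main() {
	primary, backup := NewKEK(), NewKEK()
	env, err := Encrypt([]byte("customer ledger, Q1"), [][]byte{primary, backup})
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(env, [][]byte{backup}) // primary KEK lost; backup suffices
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)
}
```

The design point is that nothing in the uploaded Envelope reveals the data key without a KEK, so the provider never sees cleartext, while the client is no longer one lost key away from permanent loss: the backup KEK can sit in an offline safe or a separate key-management system and is only needed when the primary is gone. Losing every KEK still loses the data, which is exactly why the backup must be stored independently of the primary.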

Shared Technologies

Because cloud service providers share infrastructure, platforms and applications from different sources, any misconfiguration or vulnerability in these layers affects their users and, depending on the severity of the vulnerability, can lead to compromise of the users' systems as well as the cloud itself.
Security on the cloud server side alone is therefore not the real issue; security has to be maintained broadly, covering every aspect of the cloud environment. The client side also needs to be secured, since attacks are just as possible from the client side where security measures are weak or absent.

Cloud Service Abuse

Cloud applications are breached to gain a commanding position in the cloud, from which the resources can be used for various malicious purposes such as launching DDoS attacks, sending bulk spam and phishing emails, breaking an encryption key, or hosting malicious content.
Such abuse may make the services unavailable or lead to loss of the users' data stored in the cloud, so it is essential to secure applications against abuse.

Hacked Interface and API

To build applications, developers now rely on ready-made interfaces and APIs to simplify their work, but these APIs and interfaces tend to be the most exposed part of the system because they are freely reachable over the internet.
Almost every cloud service and application now offers an API, and IT teams use these interfaces to interact with cloud services for management, provisioning, monitoring and so on. The level of threat to cloud services therefore increases manifold, and rigorous code review and penetration testing are required to secure the applications and services.
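One concrete way to reduce the exposure of such an internet-facing management API is to require every call to be signed, so that a captured request cannot be modified or replayed. The Go example below is added for illustration and is neither the post's own code nor any particular cloud provider's signing scheme: SignedRequest, Sign and Verifier are illustrative names, and the tenant ID, shared secret and request body are constructed values. The signature covers the method, path, timestamp, per-request nonce and a hash of the body; the server checks a time window, compares the HMAC in constant time and refuses a nonce it has already accepted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"sync"
	"time"
)

// maxSkew bounds how far a request's timestamp may be from server time.
const maxSkew = 5 * time.Minute

// SignedRequest is the subset of an API call that the signature covers.
type SignedRequest struct {
	KeyID     string // identifies the caller's secret; never the secret itself
	Method    string
	Path      string
	Body      []byte
	Timestamp int64  // Unix seconds
	Nonce     string // unique per request; lets the server reject replays
	Signature string // hex HMAC-SHA256 over the canonical string
}

// canonical builds the exact byte string both sides MAC, binding method, path,
// time, nonce and a hash of the body so none of them can be altered in transit.
func canonical(r *SignedRequest) []byte {
	bodyHash := sha256.Sum256(r.Body)
	return []byte(r.Method + "\n" + r.Path + "\n" +
		strconv.FormatInt(r.Timestamp, 10) + "\n" + r.Nonce + "\n" +
		hex.EncodeToString(bodyHash[:]))
}

// Sign fills in r.Signature on the client side.
func Sign(r *SignedRequest, secret []byte) {
	mac := hmac.New(sha256.New, secret)
	mac.Write(canonical(r))
	r.Signature = hex.EncodeToString(mac.Sum(nil))
}

// Verifier is the server-side check: key store, replay cache and a clock
// that tests can pin to a fixed instant.
type Verifier struct {
	mu      sync.Mutex
	secrets map[string][]byte
	seen    map[string]time.Time // nonce -> time after which it may be forgotten
	Now     func() time.Time
}

func NewVerifier(secrets map[string][]byte) *Verifier {
	return &Verifier{secrets: secrets, seen: map[string]time.Time{}, Now: time.Now}
}

// Verify rejects unknown keys, stale or future-dated requests, bad signatures
// (compared in constant time via hmac.Equal) and any nonce already accepted.
func (v *Verifier) Verify(r *SignedRequest) error {
	secret, ok := v.secrets[r.KeyID]
	if !ok {
		return errors.New("unknown key id")
	}
	now := v.Now()
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside allowed window")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(canonical(r))
	got, err := hex.DecodeString(r.Signature)
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return errors.New("bad signature")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for n, exp := range v.seen { // forget nonces the time window now rejects anyway
		if now.After(exp) {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[r.Nonce]; dup {
		return errors.New("replayed nonce")
	}
	v.seen[r.Nonce] = now.Add(2 * maxSkew)
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret")
	v := NewVerifier(map[string][]byte{"tenant-42": secret})
	req := &SignedRequest{KeyID: "tenant-42", Method: "POST", Path: "/v1/instances",
		Body: []byte(`{"size":"m"}`), Timestamp: time.Now().Unix(), Nonce: "6f1c-0001"}
	Sign(req, secret)
	fmt.Println("first delivery:", v.Verify(req))
	fmt.Println("same request again:", v.Verify(req))
}
```

The replay cache only has to remember nonces for as long as the timestamp window would accept them, which keeps it bounded; in a multi-node deployment it would live in a shared store rather than a process-local map. Transport security (TLS) is still required alongside this, since signing protects integrity and authenticity but not confidentiality of the body.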

Conclusion

As we have seen, there are many ways in which data stored in the cloud can be breached, precisely because that data is so valuable. Your data therefore cannot be secured by the cloud service provider alone; a share of the work is required on the client side to protect the application and the data from outside threats. Regular security audits should be carried out to keep your valuable data safe from these threats.

Security Concerns That Entrepreneurs Should Address

When it comes to running your own business, there is no end to the obstacles and obligations that today's busy entrepreneurs have to take care of. One of the most important things every entrepreneur needs to remember, however, is security. In today's market, security has become a major challenge for entrepreneurs of all types, in every industry and from every walk of life. Understanding what these security threats are and why they matter is essential knowledge for every entrepreneur: the more you understand, the better equipped you will be to ward off these threats going forward.

Cyber Security
Perhaps no type of security threat in today's market is more dangerous than cyber attacks. Many entrepreneurs simply do not have enough of a technical background to really understand cyber security: what it is, what it entails and why the risk is so serious. Hackers anywhere in the world can easily break into your computer systems and steal important information from you and from your clients and customers without you ever knowing. That is why it is so important to hire a cyber security professional to make sure your networks and systems are safe.

Security Personnel
You can never put too much emphasis on security within your business. If you want to make sure that your customers and your employees are always safe, particularly if you operate in a busy area, then you need to have security guards on staff. You would be surprised how many threats and issues can be resolved simply by having security personnel on the grounds. Many business owners underestimate their need for security personnel at their place of business; however, Dave Ngo of AlertSecurityandPatrol.com says, “People have a sense of security when a security officer is present. They are an extra set of eyes for personal, property, and asset protection. Customers would feel more comfortable with security present, which will enhance their work, entertainment, or shopping experience.”

Surveillance Systems
Surveillance systems are among the most important features a business can have. Whether you want to find out who broke into your premises or whether an employee is putting your company or your money at risk, there is no better way than live video footage. Installing a surveillance system in a building is actually easier and more cost-effective than many people think. Make sure to post a sign somewhere in your business letting people know that there are cameras on the premises; very often the sign alone goes a long way toward preventing incidents from happening.

Implement Mobile Security Systems
Today, people seem to use their mobile phones more than virtually any other piece of technology. Yet very few entrepreneurs take the time to make sure that their own mobile devices, and those of their entire staff, are safe from risky mobile apps. A recent study found that most organizations allow their employees to download apps to their work devices without vetting them first, which means any number of viruses could be reaching your work devices. Mobile security is about more than just devices, though: mobile content, apps and data shared through mobile devices can all put your company at risk.

While most entrepreneurs likely feel that they already have more than enough on their plates with running their own business, it is important that they also take the time to take additional security measures to keep their business, their money and their employees as safe as possible.

Rackspace Shifts 90 Employees Away from Public Cloud Department

This is a strategic move to get out of “Public” cloud offering and move to a Hybrid model.

Rackspace is in the process of re-assigning 90 of its employees who work in its public cloud department to faster-growing areas of the company, such as private and hybrid cloud.

According to a report by the San Antonio Business Journal on Tuesday, it is undetermined whether these employees will be laid off, but Rackspace said that the company regularly shuffles employees, which it calls Rackers, to “fast-growing areas” of its business “and may from time to time eliminate some roles in areas” it chooses to reduce investment. The company has more than 6,000 employees.

Rackspace said it is placing employees in public cloud marketing and engineering into private and hybrid cloud computing departments in preparation for a slow-down of new signups for its OpenStack public cloud service as more new public cloud workloads head towards AWS and Azure.

In an email to The WHIR, a Rackspace spokesperson said: “At Rackspace, we regularly align Rackers to fast-growing areas of our business and may from time to time eliminate some roles in areas where we choose to reduce our investment. We help Rackers, whose roles are eliminated, try and find new roles within the company and many do so. We anticipate that our 6,000-plus Racker workforce will continue to grow this year.”

The public cloud market has been unkind to companies that challenge AWS and Azure, with Verizon being the latest firm to duck out of the running by shuttering its public cloud service. In the last year, Rackspace has shifted its focus to partnerships, such as its recent partnership with Red Hat, which help it offer clients a hybrid cloud solution. In October, Rackspace began offering support for AWS, noting increased customer demand for such a service.

Rackspace CEO Taylor Rhodes told investors on a recent earnings call that its OpenStack private cloud is growing in the “high double digits.”

Despite the restructuring, Rackspace told investors that it expects its workforce to grow this year.