Comment: The cloud – As secure as a password

Hollister argues that businesses moving toward cloud-based computing must review their security procedures
Neil Hollister, CRYPTOCard

Cloud computing now touches our lives in many areas, with companies like Microsoft, Google, and Amazon all providing cloud-based applications. It’s no wonder many organisations use cloud solutions – they are far easier to manage for businesses that may otherwise have struggled with the capital expenditure, implementation, ongoing management or scalability of in-house systems.

However, as Fortify Software’s recent poll suggests, there is a growing concern about the security of cloud-based services. It is now vital for businesses, organisations and individuals to review how they approach IT security.

Access control and ‘identity’ should be at the heart of the cloud computing debate and central to its adoption. Yet it is clear that the real work – reviewing the appropriate level and type of security protection for each application – has not been carried out for cloud-based applications as thoroughly as it has been for “in-house” delivered solutions.

Many companies joining the cloud revolution are aware of the technology’s benefits and its dangers, but have not adequately adapted their approach to security in order to mitigate the risks. Indeed, CRYPTOCard’s own research shows that although over a third (37%) of companies acknowledge cloud computing represents a greater risk to information security than in-house computing, nearly the same proportion (36%) have not reviewed and updated their security policies to account for the cloud.

The six steps to securing the cloud

As part of our recent research, we highlighted the six steps to securing the cloud that organisations should take to address the challenges posed by this rapidly expanding area of IT:

  • Teach all end-users safe internet skills – it is essential that all users are aware of the dangers
  • Ensure anti-virus protection is current and kept up-to-date on all devices
  • Use a firewall to protect every point in the organisation
  • Use VPN or SSL/VPN technology for secure connections, and encryption for all information on portable devices
  • Deploy strong authentication, requiring a strong password, PIN and separate token – something the user knows combined with something the user holds
  • Perform a detailed vulnerability assessment, and review security policies immediately to ensure that they are adequately protective

The first four are self-explanatory, and most organisations will have already acted on them in one way or another. It is the latter two – the role of authentication and the need to perform a detailed review of security policies – that organisations should focus on.

Heads in a cloud

The password is still the most vulnerable and softest point for a security breach to occur. Even if companies have the most robust security software and controls in place, the outdated system of a traditional user name and static, reusable password simply leaves the business prone to hackers: a password can be guessed, phished or lifted from another site where it was reused.

As it stands, many organisations’ networks are only ever as secure as an employee’s password, and once a hacker has gained access to a person’s webmail they have essentially crossed the gateway into a company’s data, because password resets and shared documents for other services flow through that mailbox. Even big, tech-savvy organisations fall prey to cloud-based hacking. In July 2009, Twitter became a victim when a hacker accessed it via a staff member’s Gmail account, resulting in the publication of highly confidential documents.

Businesses of all sizes should recognise the threats posed by staff using cloud-based solutions for personal use. While social networking sites can be portals for malware delivery and used for clickjacking, another threat comes from social engineering based on the information hackers glean from these sites. The chances are high that staff use the same passwords for personal cloud-based applications as they do for work ones. According to the Ponemon Institute’s Trends in Insider Compliance with Data Security Policies study, 40% of staff use the same password for multiple accounts, such as webmail, social networking and accessing their work network.
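The remedy the six-step list calls for is strong authentication: a password and PIN the user knows, plus a code from a separate token the user holds, so a reused or phished password on its own no longer opens the door. The following is an added worked example, not CRYPTOCard’s code or the article’s. It assumes the token is an event-based HOTP token as defined in RFC 4226 (one common token algorithm; the article does not name one), that the server stores a salted password hash, the PIN, the token seed and a per-token counter, and it uses the RFC 4226 test-vector seed as a constructed secret.

```python
"""Added example: password + PIN + one-time token code, checked together.

Assumptions (not from the article): RFC 4226 HOTP tokens, PBKDF2 password
hashing, a small look-ahead window for token presses that never reached the
server. SEED below is the RFC 4226 test-vector secret, a constructed value.
"""
import hashlib
import hmac
import secrets
import struct

SEED = b"12345678901234567890"   # RFC 4226 test-vector secret (constructed input)
LOOK_AHEAD = 5                   # tolerate a few token presses lost before login


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen credential store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserRecord:
    """What the server keeps per user; the token seed never leaves the server."""

    def __init__(self, password: str, pin: str, token_seed: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.pin = pin
        self.token_seed = token_seed
        self.counter = 0  # next counter value the server expects from the token


def authenticate(user: UserRecord, password: str, pin_and_otp: str) -> bool:
    """All three factors must pass. `pin_and_otp` is the PIN typed immediately
    followed by the code shown on the token, the usual combined entry form."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
    pin, otp = pin_and_otp[:len(user.pin)], pin_and_otp[len(user.pin):]
    pin_ok = hmac.compare_digest(pin, user.pin)

    # Search the look-ahead window for the presented code. A matched code is
    # consumed even if another factor fails, so a code seen over someone's
    # shoulder during a failed login can never be replayed later.
    otp_ok = False
    for c in range(user.counter, user.counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(user.token_seed, c), otp):
            otp_ok = True
            user.counter = c + 1
            break

    return pw_ok and pin_ok and otp_ok


def demo() -> dict:
    """Walk through the cases a reviewer would test: first use, replay,
    skipped presses inside and outside the window, and a leaked password."""
    user = UserRecord(password="correct horse", pin="4321", token_seed=SEED)
    first = authenticate(user, "correct horse", "4321" + hotp(SEED, 0))
    replay = authenticate(user, "correct horse", "4321" + hotp(SEED, 0))
    skipped = authenticate(user, "correct horse", "4321" + hotp(SEED, 3))
    too_far = authenticate(user, "correct horse", "4321" + hotp(SEED, 9))
    # Reused password stolen from another site, but no token in hand.
    stolen_pw = authenticate(user, "correct horse", "4321" + "000000")
    return {"first": first, "replay": replay, "skipped": skipped,
            "too_far": too_far, "stolen_pw": stolen_pw, "counter": user.counter}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The consumed-counter rule is the part that matters for the article’s argument: a password that leaks to a hacker, or is reused on a compromised social-networking site, is worthless without the physical token, and even an observed token code works only once.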

Policy matters

It is also fundamental that organisations review their security policies to ensure they still protect the organisation in the cloud. Businesses have a duty of care to ensure their own ‘borders’ are protected. The third-party relationships intrinsic to cloud computing mean that in-house security policies must be reviewed to extend their relevance to cloud-based services. Furthermore, organisations need to confirm that their cloud service provider delivers a level of security that matches the policy, without compromise.

With IT being core to the success and efficiency of businesses across all industry segments, it is crucial that organisations understand the risks and act to minimise them. To this end, all companies should implement effective password policies as an essential part of developing a business strategy.

The impact of a truly effective password policy is more wide-ranging than just security; it has an impact on business effectiveness, cost/profitability, compliance, HR policy and cash flow. An effective password policy will help an organisation address the cornerstones of an overall security policy:

Confidentiality: Assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned.
Integrity: Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The integrity of data is not only whether the data is ‘correct’, but whether it can be trusted and relied upon.
Availability: Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
Auditability: Assurance that the company can track who has access to its systems, from where, and what they did with that access; and the ability to show that best practices are being used in defining and issuing passwords, in order to support any regulatory compliance requirements.

Vital information

Information is the biggest single asset an organisation has, and losing it to malicious theft or fraud due to a poor security policy can cause irretrievable damage. Over the coming years, poor security for cloud-based information will be one of the major threats to businesses. With more and more records containing sensitive material being compromised, organisations – from government departments to small start-ups – must make security of their on-line applications a priority.


Neil Hollister is chairman and CEO of CRYPTOCard
