Nowadays, we discuss the ‘cloud’ with fondness. It’s ubiquitous, a reliable friend always there with your precious family photos when you’ve dropped your phone in the sea, or with that confidential presentation you spent hours on before leaving your laptop on the train. But what happens when the cloud, everywhere and nowhere as it is, is hacked? As we’ve recently seen with the phishing campaign which successfully attacked a SharePoint URL to bypass an email gateway, the security of enterprise storage systems should not be taken for granted – no matter how well-known they are.
Hacks against shared enterprise services such as SharePoint are increasing in number. With the rising popularity of cloud drives for storage, and its increasing versatility, it is no wonder that more organizations are turning to them as an option. The real problem is that it’s hard to understand the security risks and consequences of various cloud solutions. Without asking the right questions and fully understanding the answers, it’s difficult to tell how well cloud providers are protecting your data. Once your data is stored in the cloud, it’s no longer sitting on your computer or device, it’s sat on a server you don’t have physical access to. If the barriers to the cloud solution are broken with a cyber-attack, anyone could access your data. Furthermore, the attack might be against someone else and it is just happenstance that you have your critical information with the same provider and so become collateral damage.
No brand is immune
There is a sense of comfort with household names such as SharePoint, OneDrive and Google and we immediately jump to the conclusion that we can trust, because everyone uses them therefore ‘they must be secure’. However, recent revelations that the Google calendars of thousands of people were compromised to the extent that malicious content could be added in new events demonstrates something we must all remember: big named brands are not immune from attack, but actually, as they are giant repositories of information from millions of companies, they are big targets. Trust must no longer be taken for granted. Trusted domains, such as SharePoint, OneDrive and Google Drive, are all used by cyber-attackers because of the trust the name provides. People who receive documents using them believe that security is handled for them. Unfortunately, this is not the case and businesses still need an in-depth defense strategy around all information being shared and accessed. Cofense researchers have claimed that using enterprise services like SharePoint almost guarantees the phishing URL will be delivered to the intended target. Cyber-attacks continue to grow in sophistication, so we will continue to see a rise of cloud services being used as a route to mount cyber-attacks and evading corporate security controls.
But how do you hack something that you can’t see?
It has been reported that data breaches are three times more likely to occur for businesses which utilize the cloud than those that don’t. The fact that data is stored and transmitted over the internet is a major risk factor. In the case of the recent SharePoint hack, phishing emails were sent from a compromised account asking the recipient to review a document by clicking an embedded URL. The recipient clicks the embedded URL. SharePoint, the initial delivery mechanism, then delivers a secondary malicious URL, allowing the hacker to circumvent just about any email perimeter technology. Just like hacks we have seen so many times before, data was breached through the click of a link. The risk factor of this is huge, when it is considered that 70% of financial companies alone have experienced a cyber security incident in the past year.
Protecting means understanding
There is a golden rule when looking at cloud services – the security provided needs to be at least as good as that provided in-house. When looking at a new service, the IT department should carry out a security audit on the service or use a supplier to do this. Understand where your data is stored and who’s got access to it. Can the admins of the service read your files? Understand what happens if there is a ‘failure’ in the service, is data accessible – perhaps through another site which has a copy, or at least backed up. On this last point, high availability (multiple copies on different sites) is usually a cost option – it’s not ‘free’ or ‘standard’.
With this understanding, there can then be a strategy around the protection of the information. This could be limiting the information stored in the cloud by using an Adaptive DLP solution or additional encryption or enterprise digital rights management (EDRM) to create a further ring around the information.
We all know that assumptions are more than dangerous. Using a big brand name does not assure information security – there is more that needs to be done to ensure your information is safe. Big brands do offer security options for the information they store, it’s important to understand what they are and be prepared to pay for them. Using the cloud and the services it offers does create business agility, but cheap and fast doesn’t always mean good! With the right checks, organizational controls and standards, using the cloud will provide business value without increasing the risk.