BYOLC: Bring Your Own Loss of Control

In a recent post, I highlighted my belief that one of the most worrying new threats of the cloud was Bring Your Own Cloud. A recent study from LogMeIn and Edge Strategies confirms this risk by focusing on the use of cloud-based services. They coined it Bring Your Own App (BYOA).

Below is their infographic summarizing the major outcomes.


In a nutshell, the problem is more worrying than expected. Currently, a huge number of applications (> 85%), and thus data, are under the radar of the IT team! One of the answers that we proposed is that IT should provide company blessed solutions. I am a strong proponent of this solution. This study seems to show that it is not sufficient: 64% bring their own apps when a similar solution is already in place. I must confess that during the era before cloud, I was doing the same, for instance, using Firefox when IE was blessed, or my preferred software editor…

Even if you ban BYOD, BYOA will still be there. This unavoidable BYOA means that we are losing more and more control over sensitive data. What is the proper answer? DLP (dubito ergo sum), more control of what executes on the user’s computer (not compatible with BYOD)…

BYOD + BYOC + BYOA = BYOLC

Unfortunately, cloud is here and we cannot escape it. Thus, ranting is useless. We have to find new solutions and methods to protect our assets. What answer do you suggest?


Thanks to Gomor for the pointer

Bring Your Own Cloud

In 2013, the Cloud Security Alliance released “The Notorious Nine” threats for cloud. A few months later, I have the feeling that the most important threat is missing: “Bring Your Own Cloud (BYOC)”.

BYOC is when an employee uses a cloud-based service for business purposes without the blessing of his company. The employee clearly puts the company at risk. The employee may bypass all the security policies of the company, as well as the fences the company put up to protect its IP or infrastructure.

BYOC is easy to do and, unfortunately, awfully convenient.

  • You just need to sign up for a free SaaS service to launch it immediately. It is sometimes faster than asking the IT team for the same service. How many of your employees have opened an account at DropBox, Box, GitHub, or whatever other cloud sharing service? How much of your sensitive information is already out in the cloud? The employee will most probably not check whether the system is secure. The default settings are not necessarily the ones that you would use. Of course, the employee will not have read the SLA.
  • You just need to use the company credit card to open an account at an IaaS or PaaS provider. This is clearly faster than asking the IT team to install a bunch of servers in the DMZ. But how secure will they be?

The fast and free/cheap enrollment of cloud services makes them extremely attractive for employees. And they do not do it maliciously. They will always have strong rationales for their actions.

But it can easily become a nightmare for the company when things go wrong, especially if the employee registered with his/her personal email rather than the company’s email. In that case, the company will have a hard time handling these accounts.

What can we do? Cloud is inevitable, thus we must anticipate the movement. A few actions:

  • Provide a company blessed solution in the cloud for the types of services employees will need. This solution can be fine-tuned to meet the security requirements you expect. The account will be in the name of the company, thus manageable. Premium services often offer better security features such as authentication using your Active Directory, logging, metering…
  • Update your security policy to make it mandatory to use only the company blessed solution.
  • Educate your employees so that they are aware of the risks of BYOC.
  • Listen to their needs and offer an attractive list of company blessed services.
  • Make it convenient to enroll in the company blessed services.
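As an added illustration of keeping unsanctioned services on the IT team’s radar (this is example code, not from the original post), the following Python scans constructed proxy log lines against an assumed allowlist of company blessed services and reports users uploading to cloud sharing services outside that list. The domain lists, log format and upload threshold are all assumptions.

```python
import re

# Assumed company-blessed services (constructed allowlist for this example).
BLESSED = {"box.example-corp.com", "github.example-corp.com"}

# Cloud sharing services an employee can self-enrol in (constructed list).
KNOWN_CLOUD = {"dropbox.com", "box.com", "github.com", "drive.google.com"}

# Constructed proxy log lines: timestamp user method host bytes_sent status
SAMPLE_LOG = """\
2013-03-04T09:12:01Z alice POST box.example-corp.com 2048000 200
2013-03-04T09:15:33Z bob POST dropbox.com 5120000 200
2013-03-04T09:16:10Z bob GET dropbox.com 1200 200
2013-03-04T10:02:45Z carol POST github.com 910000 201
2013-03-04T10:05:00Z dave GET news.example.net 800 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+) (\d+)$")


def parent_domains(host):
    """All parent domains of host, e.g. a.b.com -> {a.b.com, b.com}."""
    parts = host.split(".")
    return {".".join(parts[i:]) for i in range(len(parts) - 1)}


def classify(host):
    """blessed: on the company list; unsanctioned: a known cloud service
    not on that list; other: everything else."""
    if host in BLESSED:
        return "blessed"
    if parent_domains(host) & KNOWN_CLOUD:
        return "unsanctioned"
    return "other"


def find_byoc(log_text, upload_threshold=100_000):
    """Return {(user, host): {"requests": n, "upload_bytes": b}} for traffic
    to unsanctioned cloud services; large uploads are the data-leak path."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _ts, user, method, host, sent, _status = m.groups()
        if classify(host) != "unsanctioned":
            continue
        entry = findings.setdefault((user, host), {"requests": 0, "upload_bytes": 0})
        entry["requests"] += 1
        if method in ("POST", "PUT") and int(sent) >= upload_threshold:
            entry["upload_bytes"] += int(sent)
    return findings
```

Traffic to the blessed box.example-corp.com is ignored, while bob’s and carol’s uploads to dropbox.com and github.com are reported per user and host.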


Do you share this concern? What would you recommend?

Top threats for cloud computing

The Cloud Security Alliance released a document listing the nine top threats of cloud computing: “The Notorious Nine”. The top nine threats are:

  1. Data breaches; an attacker may access your data
  2. Data loss; the loss may result either from an attack, a technical problem or a catastrophe. The document wisely highlights the issue raised by encryption (used to protect against threat 1).
  3. Account hijacking
  4. Insecure APIs; this one is extremely important, especially for system designers. It is not necessarily unique to the cloud, but it is clearly exacerbated by a cloud infrastructure.
  5. Denial of service
  6. Malicious insiders
  7. Abuse of cloud services; using the cloud for nefarious actions such as password cracking. Well, every coin has two sides.
  8. Insufficient due diligence; jumping on the cloud wagon without enough preparation may be an issue. This is not specific to the cloud. It is true for any new paradigm. BYOD (Bring Your Own Device) is a perfect illustration of such a problem.
  9. Shared technology vulnerability; as you share components and pieces of software with not necessarily enough isolation, a single vulnerability may impact many players.

Each threat is described and illustrated by a real-world example of an attack. A risk matrix allows them to be compared.

This list was established by conducting a survey of industry experts. Unfortunately, the document does not give details about the number of surveyed experts, their locations, or their qualifications.

A good document to read.

Insuring clouds

Everybody is running, very enthusiastically, towards cloud computing. Sometimes, it reminds me of lemmings. I hope that I am wrong. Let’s be positive. Obviously, cloud computing will bring advantages. Nevertheless, in my opinion, cloud security is still in its early infancy.


Thus, any cloud deployment should be preceded by a serious risk analysis (even if we have only a vague idea of the real threats). Where risks appear, insurance should also appear.


A company, CloudInsure, seems to be exploring this new opportunity:

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment. In partnership with global insurance and reinsurance carriers, we’ve engineered privacy & security liability coverage to meet the needs of the Cloud Computing space for enterprise customers. Through our innovative underwriting models and proprietary analytics, we bring insurance solutions that move at the pace of Cloud technology.

Are you aware of other such companies?

Linksys and the cloud snafu

A new trend in the management of gateways and routers is to use the cloud. Currently, gateways and routers are locally managed by the user, and often remotely managed by the operator through protocols such as TR69. The new trend moves device management to the cloud. In other words, to modify the router/gateway, you have to use a remote service. Most manufacturers, if not all, are following this path.

Last month, Cisco launched its Cisco Cloud Connect service, which offers this capability. For that purpose, Cisco had to install new firmware on deployed Linksys routers, and it launched such an update. Thus, many customers who had opted in to automatic firmware upgrades (which, by the way, is usually a smart decision) were automatically upgraded, losing the ability to manage their device locally. This automatic upgrade started a huge rumpus on the forums; many people felt that losing local management was equivalent to losing ownership of their router. This was the first issue. Many people believed that this upgrade would be systematic for every Linksys router.

Unfortunately, the Terms of Service (TOS) of Cisco Cloud Connect mentioned that Cisco might keep track of a variety of information, including Internet history, and might share “aggregated and anonymous user experience information” with service providers and other third parties. This second issue was even more devastating for Cisco.

Cisco quickly reacted and took a set of appropriate actions:

  • Explaining that the upgrade was done only if the customer requested it or had opted in to automatic upgrades. Cisco provided a method to revert to local management,
  • Modifying the TOS to remove the section related to the collection of data such as Internet history,
  • And highlighting that Cisco does not use the routers to collect information about Internet usage.

Lessons:

  • Full remote management of a user-owned device may be adversely perceived. Hardware ownership strongly connotes control.
  • Privacy is important for some people, and not necessarily in a rational way. The perception of privacy is complex. How many of the people who complained regularly use Google (or whatever search engine) and click on the proposed links, leaving a trace of their Internet usage with Google? That would be an interesting sociological study. Privacy is a touchy, complex topic.
  • There are some people who carefully read TOS!!!


Thanks to RG for the initial pointer.

A cloud over ownership

This is the title of an excellent article by Simson Garfinkel in Technology Review. He explores the consequences of the switch from physical cultural goods to digital cultural goods stored in the cloud. It is nothing really new, but it has the advantage of being clearly stated.

The first point is about privacy. When you purchased a physical book or a CD, the merchant had no way to profile you. Of course, if you purchase it from a digital store such as Amazon, the merchant will be able to profile some of your preferences. But with a digital good stored in the cloud, the merchant will also be able to analyze how you consume this digital good. And this is even more interesting. He will know which is your preferred book among the ones you purchased. To get the same result with physical books, you would need to look for the most worn book in my library.

The second point is really about persistence. When I purchase a book, it is mine until I destroy it or give it away. With an e-book in the cloud, it is mine as long as the cloud operator accepts (or survives). This is a massive difference. I am not sure that legislation has taken this shift into account. I do not even tackle the issue of DRM, which may shape the ways I can consume the digital good.

Thus, the notion of ownership of a digital cultural good is changing. Like the good itself, ownership seems to become more ethereal. Is it good or bad? I don’t know. It is most probably useless to look for the answer; I’m afraid it is an unavoidable shift. We will have to adapt, for better and for worse.


Guidelines on Security and Privacy in Public Cloud Computing

NIST provides some recommendations for using a public cloud. This excellent document gives very practical guidelines. Every IT manager who plans to use a public cloud infrastructure, and who cares about reliability, security and liability, should read it before making any decisions and selecting the right service provider.

Faced with the economic benefits of the public cloud, it is extremely difficult to resist the song of the sirens. This document raises some serious issues and may help keep things under control. For instance:

  • Even if you are using a public cloud, your company is accountable for the overall security of your service, i.e. even for the outsourced part.
  • As the cloud computing infrastructure is highly uniform, it should in theory be easier to harden the platforms and manage their security (which is a positive point for IaaS). Unfortunately, the use of hypervisors (virtual machines) increases the attack surface (although many people believe that virtual machines are more secure).
  • Sharing an infrastructure with unknown parties is a potential issue. Strong assurance should be provided for the mechanism enforcing the logical separation.
  • Be ready to audit your service provider if security matters to you.

A must-read paper if you are about to board the cloud boat. The paper is about the public cloud. Nevertheless, some parts are also useful in the context of a private cloud.

Reference

W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, 2011. Available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf