Last Sunday Dropbox, a cloud storage site serving approximately 25 million customers, allowed access to anyone’s account for four hours with only a username using any password. This happened because of a software update over the weekend.
See the article in CNNMoney: Dropbox’s password nightmare highlights cloud risks
Because of its many benefits, cloud computing has huge momentum in the industry. Yet for any major organization planning on using the cloud or software-as-a-service, it is caveat emptor as far as security is concerned.
One of the big blessings of the cloud is that: “You don’t have to worry any more about software updates. We will take care of that behind the scenes. You will always be running the very latest version.”
However, this “blessing” is also one of the big curses of the cloud. You don’t have any control over software updates….
In my recent book, The Tech Advisor, this issue is discussed in a section entitled, Poor Understanding of Security and Change Control Issues. The book does not offer the solution to these complex issues, but rather helps the business leader understand what the issues are and to ask the right questions. An excerpt:
An emerging concern is the security of SaaS (software-as-a-service) and cloud software – a sector exhibiting brisk growth. Some industry watchers are worried that these systems may be susceptible and attractive to hackers, and that many of the security questions have yet to be answered.
Change control (management of software updates) is another concern about SaaS that has been put forward by auditing groups. With SaaS, the vendor maintains only one current version. The advantage is that all customers are always using the latest version of the software. However, with traditional enterprise software systems developed and maintained in-house, there are often very rigorous standards and deployment procedures applied to new software versions. Auditors are now concerned that this process in SaaS is opaque to them, and may leave organizations vulnerable in ways they were not before. Continuous software updates without the customary checks and balances of change control feel like quicksand to the auditors, and they are concerned about unwanted side-effects.
Recently I attended a conference on cloud computing in San Diego sponsored by the Association of IT Professionals. The many positives of cloud computing were emphasized, and major companies like Microsoft were confirming their commitments to further these technologies. The presenters mostly argued that as a data store the cloud was quite secure and improving every day. However, there were voices of concern centering on change control, which one presenter characterized as “a lot of hand waving” in its current state.
While the Dropbox incident points out some of the major seismic risks we face with the cloud, lesser incidents are really quite common and familiar to us. How? Common websites are really “in the cloud,” even if they are funded by advertising rather than by our subscriptions. My wife does weather research and has several favorite weather sites. The people running these sites seem to want to give them regular facelifts, and then to tout all their new features and capabilities. However, she often finds that these updates break a lot of things – even front page features you use within a few clicks of entering the site. Invariably these bugs are fixed within a couple of weeks, but they cause frustration in the meantime. Also, sometimes her favorite, easy-to-use features are either removed entirely or made more difficult to access by these facelifts.
These issues with the cloud have precedents in earlier technology transitions. During the mid-1990s, I did a three-week executive briefing for Chevy Chase Bank of Maryland on the new client-server technologies that were coming in. They were a “true blue” IBM shop at the time, and were very reluctant to embrace the new technologies because of change control issues. IBM provided a rigorous develop-test-release protocol for software updates that the bank scrupulously followed. In some of the new client-server software, there could be snippets of code tucked into nooks and crannies, behind graphical elements and so on. From the perspective of a conservative bank maintaining rigorous financial standards, this was virtually unacceptable.
Is there an answer to cloud security and change control issues? While the industry has been working hard on pure data security, and making good progress, it would appear that change control has not had the same degree of attention or progress. Private clouds and hybrid clouds are perhaps beginning to address these issues effectively. Today, many institutions – financial, government, and defense – simply cannot use the cloud for their core activities because of these risks. However, they are also putting pressure on the computing community to come up with answers, because they too want to take full advantage of the cloud’s benefits.
However, there is another area of concern with security hacks. As large conglomerates move more of their activities into the cloud, unprincipled competitors might make use information gathered by teams of hackers in countries where the laws don’t offer strong safeguards. They might pay highly for the information without incurring legal liability. Access to confidential information could give them an undeserved advantage. Thus the stakes have gotten higher.
While there are no easy answers and no simple fixes, our advice to companies considering cloud solutions is to do the best due diligence they can. We will cover more issues with the cloud and have additional recommendations in future blog entries.