Home » Story
You have been granted access to this page through First Click Free. Subsequent use of TabbFORUM will require logging in. If you don't have an account, registration is free.

Videos

  • Rail_thumb_kosta_peric-swift-sandbox_for_the_disruption

    Sandbox for Disruption

    When it comes to innovation, capital markets firms tend to be risk-averse, says Kosta Peric, Director of Communications and Innotribe at SWIFT. But innovation nonetheless is...
     
  • Rail_thumb_perseus

    Perseus Telecom's Jock Percy on Microwave Technology in the Trading World

    Dr. Jock Percy is CEO of Perseus Telecom, a global carrier of financial telecommunications specializing in ultra-low-latency market-to-market connectivity. Percy spoke with John...
     
  • Rail_thumb_julian_king-volta-londondatacenter

    A New Data Center Option in Old London

    Finding the appropriate real estate has been a huge hurdle to establishing a new data center in the City of London, explains Julian King, commercial director, Volta, which has just...
     
 

More Video | Podcasts

Advertisement
Spotlight-blackInnovations in Trading and Technology (more stories)

06 March 2013

Latest Breach Pokes Holes in the Cloud

The recent data breach of online note-taking service Evernote could signal the beginning of a data-theft wildfire scenario in the cloud. Cloud application adopters that have assumed that the cloud infrastructure or firewall is sufficient to protect data may need to rethink their data security strategy very quickly.

This past week, we saw many reports about the Evernote breach. This serves as a timely reminder about the risks to data -- in this case 50 million users’ credentials. The good news is that it seems Evernote took the right steps to protect that data – using salted hashes. If this was performed correctly, then users should not be concerned about their passwords being compromised. And for good measure, Evernote took the right steps to reset everyone’s password too. The attack took place on Feb 28, and the company notified users relatively quickly -- a couple of days later -- not bad, really. So best practices prevailed, despite the attack.

What’s intriguing about this attack is how it actually happened and what the downstream side effects may be. In the cloud, an attack can topple many systems like dominoes. But if Evernote was following best practices, as it seems, how did the attackers get in? Very likely there was a Java or zero day exploit leading to system penetration. Maybe an insider opened a malicious email from spear phishing. We may never know. But once again it shows that what was once considered an impenetrable barrier -- the enterprise perimeter – is really now just a semi-permeable membrane that is only as strong as the weakest link.

And amid frenzied patches for Java, Windows, and a myriad of enterprise tools, weak security links abound. So with attacks to data being relatively easy –a new attack vector can be purchased from a malware cloud provider -- the question then becomes: How do cloud services and applications protect your assets – your sensitive data – as they are sitting pretty behind that semi-permeable membrane we call the perimeter?

[Related:Why Crooks Trust the Cloud More Than CIOs Do”]

The only logical conclusion that has to be drawn is that something different needs to be done to protect sensitive data assets. These days, a breach has to be assumed to be an anticipated corporate event, and the fallout needs to be mitigated when it happens; a breach is practically unpreventable. The solution boils down to requiring a different approach to protection: data-centric security.

The Evernote breach also shows another side effect of breaches to cloud systems. Reportedly,  the programsaffected by the breach included Evernote, Skitch, Penultimate, Evernote Food, Evernote Hello, Evernote Web Clipper, Evernote Clearly, and Evernote Peek. That’s quite a lot of programs.

In this case, the convenience of single sign on to a range of applications to make it convenient for users also means an attacker can steal data from multiple systems in parallel -- very conveniently.

Consider this -- if this was an enterprise scenario where one cloud application compromise could lead to several others connected to it being accessed in this vein, then the attack would spread like wildfire. What was previously a potentially limited, yet possibly quite impactful enterprise breach, could now be a major system-wide compromise with far more consequential outcomes -- potentially huge and rapid theft of unprotected data. 

In 2013 we will see more breaches of this type -- the more sinister “wildfire,” cloud-specific breaches. Cloud application adopters that have assumed that the cloud infrastructure or firewall is sufficient to protect data are likely in for a few surprises and may need to rethink their data security strategy very quickly. The good news, however, is that the risks can be mitigated -- and easily. IaaS, PaaS and SaaS data can be protected using standards-based, provable secure data-centric security methods that can literally snap into a cloud and enterprise ecosystems without friction. The best part is that the same solutions can also protect enterprise assets, any structured and unstructured data, in mission critical on-premise systems too: the mainframe, enterprise applications, databases and data warehouses. So by enabling a data-centric security strategy that can address the full spectrum of where data can go,  including the cloud, organizations can take themselves off the radar of attackers looking for low-hanging fruit -- the weak links -- and enable their business to embrace the full utility that cloud promises without increasing risk.

Mark Bower is vice president of product management at Voltage.

Spotlight-white-trans For more stories in the Innovations in Trading and Technology Spotlight Series click here.

Comments | Post a Comment

1 Comment to "Latest Breach Pokes Holes in the Cloud":
  • Comment_adam_sussman_s
    asussman

    07 March 2013

    Codebreakers will always be one step ahead of code makers, right? So, to your point, the key is not focus on breach management as well as security itself. On another note, I heard that Intel is working on a new cloud-security technology.

    Comments (159)

You must log in to comment.