Every Cloud Has a Silver Lining

hacker-1872304_1280.jpg

Cyber Attack
(Image: Pixabay)

Back in 1634 the optimist's favorite saying was born out of a quote in John Milton's Comus. His eloquent phrasing has become known to most of us as "every cloud has a silver lining."

The proverbial optimism expressed in this idiom is one is almost ironic in today's digital world when considering the role cloud plays today with respect to data privacy and integrity.

Consider how easy cloud has made it to collect, process, and store large amounts of data. Capacity and processing power alone have made cloud the de facto choice for applications targeting consumer interactions. This has been great for business, but terrible for privacy because "the business" extends from management to developers and then stops.

Unfortunately, cloud deployments have been absent traditional network, system and security operations that would have fought for architectures and controls that would have prevented every cloud breach our team of researchers at F5 Labs examined. How you wonder?  Because systems deployed in the cloud are being breached through the most basic failures. My favorite is the absence of operational security controls otherwise known as "open access". No credentials are required to access an operational console; anyone can play if they know where the system lives.

Another favorite is the deliberate elimination of security controls on cloud-native storage systems. Typically, these controls are removed early on to facilitate faster development and testing. Sadly, the controls are never returned to a secure state, leaving buckets of data wide open for anyone with the ability to find them.

So, where's the 'silver lining' in all this? On the consumer side, we are being given great visibility into the massive amounts of data about each of us being collected, who it’s used by, and for what purpose it's used. If it wasn’t for cloud and the often-poor security practices that go along with them, we might never have known about middlemen like validators.

If you haven't received a notification about the verifications.io breach, you might be new to the Internet. Over 750 million (and they think there's more) unique email addresses were exposed in February 2019 by the email address validation service. You probably didn't realize they had access to your data, because they operate behind the scenes on behalf of other businesses. But every time you get an email to 'verify your email address' upon signing up for a service, it's likely verifications.io sent it. And apparently, they collected it - and data used to verify it - on their own systems. 

As consumers, we can shout and write letters and demand this situation be addressed. Aside from living off-grid, there isn't much more we can do about it.

But business can and should do more about it. Not just to protect our privacy, but to ensure data integrity.

See, if the data is accessible by anyone that doesn't just imply read access. It implies potential write access. Most folks are out there scooping our data to turn a quick buck, but eventually someone is going to turn that around and dirty up your data - or just delete it. That risk is real and because of the growing dependence of business on data to make decisions, the risk has increasingly damaging repercussions.

In the near future the majority of businesses will be data-driven. Their business and operational decisions will increasingly be made automatically by machines based on the zettabytes of data they hoard like dragons. Imagine losing it all in one simple command, executed by an unknown actor who had access because security practices were ignored or forgotten in the rush to release to market.

Operational and security 'gates' (checkpoints) exist to protect data from infiltration, infection, and exfiltration. Skipping them to gain speed is dangerous not only to your customers but to the business. At a minimum, you need to enforce two simple steps:

Lock the door: This is real-life translated to the digital world. Leaving a door unlocked in some neighborhoods is an invitation to come inside. In the cloud, that's just as true. Make sure that every web, app, database, middleware, container orchestration, and storage system or service requires credentials to access administrative consoles.

Hide the key: You might hide a spare key somewhere outside just in case you lose your own keys. But you don't leave it on top of the doormat or hanging in plain slight next to the door. So don't hardcode credentials and other secrets (like keys and certs) and store them publicly. If you use a repository remember it's not a key management store. Put into place best practices with respect to managing credentials and keys lest you end up on a list with Uber. 

Every cloud does have a silver lining. In the case of cloud-deployed systems that have exposed our data, that silver lining is that we know more about where and how these breaches occur. It's an opportunity for the business to stand back and re-evaluate not just its own security practices, but that of its partners and suppliers of digital services.

But above all, make sure your cloud security practices exist and put them into place if they don't.