Despite our frequent and recent reminders about how everything is moving to the cloud, Robert McMillan, a reporter with the Wall Street Journal, recently pointed out an unexpected security problem in the cloud. As more companies unplug their own data centers and rent from the likes of Amazon and Microsoft, they are discovering that they’re accidentally leaving their corporate data exposed for all the world to see.
It seems that configuration errors made while using cloud-storage services are common, according to security experts, and often occur when users set access permissions so someone outside the company can see the data. As Vincent Liu, a partner at computer security consulting firm Bishop Fox, notes, “More data has been lost due to poor configuration than anything else on the cloud.”
One nonprofit foundation has tracked nearly 175,000 examples of misconfigured software and services in the cloud this year. While Gartner projects that the market for cloud-computing services will grow 17% this year, with cloud infrastructure leading the way, these are the very basic computer storage and networking services that are particularly prone to configuration problems.
Cloud computing initially caught on as part of a cost-saving effort by corporate IT strategists that provided an end-around for what Mr. McMillan refers to as “stodgy corporate information technology departments.” Often they found it quicker to purchase cloud resources directly, and almost instantly, from someone like Amazon or Microsoft. Rather than waiting for their IT departments to deliver timely information, they could test out new programs in minutes, with time bought on, say, their Amazon accounts.
The issue is that most cloud users don’t have the expertise to keep things secure. Such projects have become unsanctioned “shadow IT” projects, run without a plan or governance model. Recently, IT departments are said to have begun to understand better when a company’s assets are online, when they need to be patched, and how they interconnect.
To correct these potential pitfalls, Amazon has introduced a new service to help companies stay on top of their infrastructure. Microsoft, utilizing its popular Azure platform, says it has several services to help clients protect sensitive data. (One of the speakers at Microsoft’s recent “Directions” conference, which we attended in Orlando last week, told us that the company spends $2.2 billion on cloud security alone.) As a company spokesman noted in the Journal, “we continue to invest heavily in new innovations that build on our strength in cloud security.”
Security experts say one thing that might help is for cloud providers to help companies better determine when an employee is using a corporate credit card to purchase a new Amazon or Microsoft service. As Mr. Liu notes, “Provisioning is now in the hands of someone sitting in a cubicle who has a credit card and a web browser.”
Scary thought indeed.