Cybersecurity and cloud service: Hackers break in to clouds
5 June, 2021, 9:13 pm
A GLOBAL cyberespionage campaign, discovered late last year, impacted more than 100 large companies and US federal agencies, including US Homeland Security departments.
A crucial part of the allegedly Russian hackers’ success was their ability to move through these organisations by compromising cloud systems to then access cloud accounts and exfiltrate emails and files!
In simple terms, the hackers stole security certificates to create their own identities, which allowed them to bypass safeguards such as multifactor authentication and gain access to Office 365 accounts, impacting thousands of users at the affected companies and government agencies!
It isn’t the first time cloud services were the focus of a cyberattack, and it certainly won’t be the last.
In 2019, an Amazon Web Services cloud vulnerability, compounded by financial conglomerate Capital One’s inability to properly configure a complex cloud service, led to the disclosure of tens of millions of customer records, including credit card applications, Social Security numbers, and bank account information.
This trend of attacks on cloud services by criminals, hackers, and nation states is growing as cloud computing, even hybrids (partial public/private), becomes the default model for information technologies due to its operational cost effectiveness, flexibility and ease of use.
Leaked data is bad enough, but disruption to the cloud, even an outage at a single provider, could quickly cost the global economy billions of dollars a day.
Cloud computing is an important source of risk both because it has quickly supplanted traditional IT and because it concentrates ownership of design choices at a very small number of companies.
Firstly, the cloud is increasingly the default mode of computing for organisations, meaning ever more users and critical data from national intelligence and defence agencies ride on these technologies.
Secondly, cloud computing services, especially those supplied by the world’s four largest providers — Amazon, Microsoft, Alibaba, and Google — concentrate key security and technology design choices inside a small number of organisations.
The consequences of bad decisions or poorly made trade-offs can quickly scale to hundreds of millions of users.
The cloud is everywhere.
Some cloud companies provide software as a service, support your Netflix habit, or carry your Slack group chats.
Others provide computing infrastructure like business databases and storage space.
The largest cloud companies provide both.
The cloud can be deployed in several different ways, each of which shifts the balance of responsibility for the security of this technology.
But the cloud provider plays an important role in every case.
Choices the provider makes in how these technologies are designed, built, and deployed impact the user’s security — yet the user has very little say.
Then, if Google or Amazon has a vulnerability in their servers — which you are unlikely to know about and have no control over — you suffer the consequences!
But that’s the point of deploying these cloud services – you may say, and rightly so, focusing on your core business and outsourcing the operational burden of the IT infrastructure and resources.
The problem is one of economics.
On the surface, it might seem that competition between cloud companies gives them an incentive to invest in their users’ security.
But several market failures get in the way of that ideal.
Firstly, security is largely an externality for these cloud companies, because the losses due to data breaches are largely borne by their users!
As long as a cloud provider isn’t losing customers by the droves — which generally doesn’t happen after a security incident — it’s not incentivised to invest in security.
I mean, how many of you stopped using Facebook or LinkedIn after they were hacked with millions of stolen IDs and private data was made public news recently!
Secondly, public information about cloud security generally doesn’t share the design trade-offs involved in building these cloud services or provide much transparency about the resulting risks.
While cloud companies have to publicly disclose copious amounts of security design and operational information, it can be impossible for consumers to understand which threats the cloud services are taking into account, what their priorities are and how these are determined.
This lack of understanding makes it hard to assess a cloud service’s overall security – or assess its cybersecurity maturity matrix.
As a result, customers and users aren’t able to differentiate between secure and insecure services, so they don’t base their buying and use decisions on it.
Thirdly, cybersecurity is complex — and even more complex when the cloud is involved.
For a customer like a company or government agency, the security dependencies of various cloud and on-premises network systems and services can be subtle and hard to map out – and they even change!
This means that users can’t adequately assess the security of cloud services or how they will interact with their own networks and clients.
This is a classic “lemons market” in economics, and the result is that cloud providers provide variable levels of security and yet most consumers are none the wiser.
The result is a market failure where cloud service providers don’t compete to provide the best security for their customers and users at the lowest cost.
Instead, cloud companies take the chance that they won’t get hacked, and past experience tells them they can weather the storm if they do.
This kind of decision-making and priority-setting takes place at the Board level, of course, and doesn’t reflect the dedication and technical skill of product engineers and security specialists.
The effect of this cybersecurity underinvestment is pernicious, however, by piling on risk that’s largely hidden from users.
Widespread adoption of cloud computing carries that risk to an organisation’s network, to its customers and users, and, in turn, to the wider Internet.
This aggregation of cybersecurity risk then creates a National Security challenge.
Policymakers can help address the challenge by setting clear expectations for the security of cloud services — and for making decisions and design trade-offs about that security transparent.
The US administration, including newly nominated National Cyber director Chris Inglis, should logically lead the effort to work with cloud providers to review their threat models and evaluate the security architecture of their various offerings.
This effort to require greater transparency from cloud providers and exert more scrutiny of their security engineering efforts should be accompanied by a push to modernise cybersecurity regulations for the cloud era.
Cloud service providers have become important national, almost critical, infrastructure.
Not since the heights of the mainframe era between the 1960s and early 1980s has the world witnessed computing systems of such complexity used by so many but designed and created by so few.
The security of this infrastructure demands greater transparency and public accountability — if only to match the consequences of its failure!
The danger also is the evolution, insidiously over time, of a cartel-type industry – usually having a big four (or pick a single-digit number), which is taking place, for example in Big Tech (Amazon, Apple, Google, Facebook, Alibaba, etc).
This has already taken place in other private industries – big oil, big pharmacy, big airline manufacturers, you get the picture.
Before you know it, they are running countries in the background but enough of my conspiracy theories!
In Fiji, the wide use of cloud services by companies and Government is largely undocumented but from experience I can state that it is statistically fairly much in line with other countries.
It is an IT infrastructure service model that makes sense from an economics point of view but unfortunately has evolved to become a cybersecurity challenge which can capitulate – think domino effect!
As US Attorney and Presidential advisor Tim Wu aptly observed: “History shows a typical progression of information technologies: from somebody’s hobby to somebody’s industry; from jury-rigged contraption to slick production marvel; from a freely accessible channel to one strictly controlled by a single corporation or cartel – from open to closed system”.
As always, God bless you all and stay safe and secure in both physical and digital worlds.
- ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper.