In the past year, it seems that just about every daily news cycle contains a scary story about corporations, governments or news organizations being 'hacked." With all of the advantages inherent with using the cloud, there are underlying questions of data security. For example, here is a partial list of American companies hit by shadowy groups or individuals who penetrated private databases via email, social networks, or by accessing cloud data storage centers within the first few weeks of 2013:
- The New York Times
- Apple
- Lockheed Martin
For business leaders who depend heavily on websites, internal IT systems and third-party remote data storage services -- the cloud -- such reports can be a source of anxiety. Much of the concern is warranted, say some cyber experts. At the same time, there is a growing array of safeguards that businesses can take to mitigate the risk of potential attacks.
Yet businesses must also stay aware of the fact that hackers and international groups that profit from stealing proprietary data are constantly updating their methods of gaining access.
James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington D.C. think tank, told The Washington Post in an interview in February, “The dark secret is there is no such thing as a secure unclassified network. Law firms, think tanks, newspapers — if there’s something of interest, you should assume you’ve been penetrated,” Lewis said.
Surveys of tech experts in the US and abroad regularly show that those who work in IT are acutely aware of how widespread unexpected security breaches have become -- and that the growing reliance on cloud technology (remote servers) has exacerbated the issue.
Consider that on February 6, 2013, for instance, U.S. Federal Marshals raided data centers in New Jersey and in Virginia, seizing servers that had allgedly been hijacked by cyber-criminals: the so-called "Barnital Botnet" that the crime syndicate operated through the server network sent viruses to an estimated 600,000 unsuspecting PC-owners, comandeering their browsers and controlling their search capabilities.
Authorities didn't comment on the possibility that private companies that also stored data at those two service centers might have seen their information compromised. Similar episodes in recent years have not ended well for big corporations ranging from AmericanExpress to retail clothing chains.
The leaders of international governments, including the U.S., are growing increasingly concerned about the longterm impact -- financially and in regard to terrorism threats -- of widespread Internet security breaches, too: The New York Times reported that in mid-February, "President Obama signed an executive order that encouraged increased information-sharing about online threats between the government and private companies."
In analyzing vulnerabilities of cloud computing and storage systems, a national technology advocacy group, Cloud Security Alliance (CSA), recently published a white paper outlining the 'top nine cloud security threats of 2013." Here are the threats outlined by CSA in its report, "The Notorious Nine:"
- Data breaches
- Data loss
- Account hijacking
- Insecure APIs
- Denial of Service
- Malicious insiders
- Abuse of cloud services
- Insufficient due diligence
- Shared technolgy issues
The CSA is among several groups that provide guidance and services to businesses and governments designed to help them prevent security threats to their cloud computing and Internet structures. Information at CSA's "Security as a Service" website recommends that IT decision-makers consider key steps in the process of securing systems, including:
- Encryption implementation
- Security assessments
- Data loss prevention
- Intrusion management implementation
- Web security implementation
And at SAP, a Germany-based software solutions company, a new document-sharing product was recently introduced that may provide a measure of genuine security for some companies: The SAP Mobile Documents is cloud-based but uses a proprietary anti-threat system to "keep corporate data behind a virtual, locked door," according to Diarmud Mallon, SAP's head of Global Mobile Marketing Programs.
Other options exist, too, for how corporations can protect their sensitive customer data and business intelligence. Private cybersecurity companies including Barracuda Networks, GFI (which offers a 'cloud anti-virus' suite of products), and Mandiant are adept at adjusting services based on the fast-changing tactics of hackers and other nefarious cyber-thieves. These companies offer a wide range of high-level cybersecurity products and services, and are typically retained by mulit-national corporations.
Indeed, Mandiant, a Virginia-based leading cybersecurity firm, is the company that helped the venerable New York Times unravel the story of it's own run-in with hackers.
Thanks for reading!
Amy Alexander
Senior Writer and Content Manager