If you study the history of computing, you discover a pendulum that swings from centralized to distributed. The move to the cloud or some initial “as a service” has been going on for a while now, and the arrogance (ignorance?) of the hype curve has hidden the truth about a lot of the security issues faced in delivering solutions.
The Cloud Security Alliance wrote a report earlier in the year on the nine top security threats to the cloud.
They are, in order of importance:
- Data Breaches
- Data Loss
- Account Hijacking
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Abuse of Cloud Services
- Insufficient Due Diligence
- Shared Technology Issues
If you contrast this report with the updated reports on admissions of breaches we have discovered, it’s a very different world. “The investigation revealed that the top three threats were ‘Insecure Interfaces & APIs’ (51 incidents; 29 percent of all threats), ‘Data Loss & Leakage’ (43 incidents; 25 percent), and ‘Hardware Failure’ (18 incidents; 10 percent).” It also revealed that the nature of the threats was not always reported.
Just like the retailers who have been breached and were slow to admit it, many cloud companies tend to fear the impact of these admissions on their business.
The reality test is not which of these is the truth; the reality test is how you determine the truth for your own enterprise. In the cloud risk report, the CSA acknowledges that many of the services are being used independently of IT’s policy or approval. It would be foolish to suggest that IT having a stronger arm can solve the problem.
Fog Computing represents another aspect of security awareness that may give IT some leverage when dealing with the Bring Your Own Device [BYOD] mentality.
Things Are Not Always Devices.
When the iPhone came out, the end-user revolt hit the IT department far harder than the migration to the desktop computer. Suddenly, not only did people want to access the systems, but they wanted to do so from any device. That adoption, however, was about personal enablement, and the devices had human factors involved. When it comes to the Internet of Things, the human factors are greatly reduced and the function is the primary driver.
That gives IT’s “Standards and Compliance” policy a chance to drive the deployments. In addition to selection of the “things,” internal monitoring and management ability reduces the risks from hardware failure and data loss.
The bottom line is the Internet gave us the ability to have redundancy like never before, but it also gave us the threat of penetration like never before. You can put your trust elsewhere, but you can’t trust that others are equally trustworthy.
Edited by Stefania Viscusi