Caute_cautim
Community Champion

So Cloud is safe and secure - not so

Hi All

Anyone seen the latest Reuters investigation? Chinese and APT10 activities and Cloud Hopper, makes you think again about how safe cloud really is: https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/

Regards

Caute_cautim

8 Replies
rslade
Influencer II

> Caute_cautim (Community Champion) posted a new topic in Industry News

> makes you think again about how safe cloud really
> is

I have said before, and I will say again:

Cloud is not new. Cloud is not even a thing. "Cloud" is just "someone else's computer," like it was when it was timesharing, or distributed computing, or thin client, or anything else we've called it over the years.

And it is only as "safe" as that someone makes their computer ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
dcontesti
Community Champion

I developed a Security Questionnaire for Cloud Services. When my boss saw the questionnaire, his words were "No one will ever fill this in"... My words back: "then we probably should not trust them with our data".

The questionnaire asked questions around "who shares" the cloud facility with me. His argument was that we could not ask those questions... strange how we see articles such as this one from Reuters and Sr. Management still want to be ostriches and bury their heads in the sand.

Thanks for sharing

d

mgorman
Contributor II

As at least one other has pointed out, Cloud is only as secure as you make it. Did any of these victims follow real best practices? Was their data at rest encrypted? Did they monitor the accessing of information and from where by whom? Did they review accounts for level and necessity? The one thing I will say that is not good for cloud is that if the provider is compromised, they may have easier access to a list of targets. However, it wouldn't take these hackers 15 minutes of work to get a good list together anyway, they've been doing that since wardialers.

In the end, I guess I agree with @Caute_cautim in that if you think it is a panacea, think again, there is still a lot of work to do to get your security right.
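The post above asks whether the victims monitored who accessed what and from where, and whether they reviewed accounts for level and necessity. The script below is an added illustration of what such a review could look like; it is not from this thread or from any cloud provider. It runs over a constructed JSON-lines access log, a constructed account roster, and a constructed role-to-data-scope mapping, flagging accesses from outside an approved set of source countries, accesses by unknown accounts, accesses outside the account's role scope, and accounts with no login inside a chosen idle window.

```python
# Added example, not part of the original thread. Every record, account and
# mapping below is constructed for illustration; real logs will differ.
import json
from datetime import datetime, timedelta

# Constructed sample of a cloud storage access log, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2018-12-20T08:12:00Z","user":"alice","action":"GetObject","object":"finance/q4.xlsx","src_country":"NZ"}
{"ts":"2018-12-20T08:15:00Z","user":"bob","action":"ListBucket","object":"finance/","src_country":"NZ"}
{"ts":"2018-12-20T23:40:00Z","user":"svc-backup","action":"GetObject","object":"finance/q4.xlsx","src_country":"XX"}
{"ts":"2018-12-21T02:03:00Z","user":"contractor7","action":"GetObject","object":"finance/q4.xlsx","src_country":"NZ"}
"""

# Constructed policy: where access is expected from, who exists, and what each
# role is allowed to touch (assumed prefixes, not a provider's real model).
ALLOWED_COUNTRIES = {"NZ", "AU"}
ACCOUNTS = {
    "alice":       {"role": "finance-analyst", "last_login": "2018-12-20T08:12:00Z"},
    "bob":         {"role": "finance-analyst", "last_login": "2018-12-20T08:15:00Z"},
    "svc-backup":  {"role": "backup-service",  "last_login": "2018-12-20T23:40:00Z"},
    "contractor7": {"role": "hr-admin",        "last_login": "2018-12-21T02:03:00Z"},
    "oldadmin":    {"role": "org-admin",       "last_login": "2018-06-01T09:00:00Z"},
}
ROLE_ALLOWED_PREFIXES = {
    "finance-analyst": ("finance/",),
    "backup-service":  ("finance/", "hr/"),
    "hr-admin":        ("hr/",),
    "org-admin":       ("finance/", "hr/"),
}


def _parse_ts(iso_z):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def parse_log(text):
    """Turn JSON-lines text into a list of dict records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_access(records):
    """Return (ts, user, object, reasons) for each access that breaks the policy."""
    findings = []
    for r in records:
        reasons = []
        if r["src_country"] not in ALLOWED_COUNTRIES:
            reasons.append("unexpected source country")
        acct = ACCOUNTS.get(r["user"])
        if acct is None:
            reasons.append("unknown account")
        elif not r["object"].startswith(ROLE_ALLOWED_PREFIXES[acct["role"]]):
            reasons.append("object outside role scope")
        if reasons:
            findings.append((r["ts"], r["user"], r["object"], reasons))
    return findings


def dormant_accounts(now_iso, max_idle_days=90):
    """Accounts with no login within max_idle_days: candidates for the necessity review."""
    cutoff = _parse_ts(now_iso) - timedelta(days=max_idle_days)
    return sorted(u for u, a in ACCOUNTS.items() if _parse_ts(a["last_login"]) < cutoff)


if __name__ == "__main__":
    for ts, user, obj, why in flag_access(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user} {obj}: {', '.join(why)}")
    print("dormant:", dormant_accounts("2018-12-21T00:00:00Z"))
```

The two checks map directly onto the post's questions: `flag_access` answers "from where, by whom, and to what", and `dormant_accounts` feeds the "level and necessity" review. In practice the roster and scope mapping would come from the identity provider and the object prefixes from the provider's own authorization model; here they are assumed values so the script runs offline.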

JoePete
Advocate I

One of the consistent themes in these attacks is the use of simple phishing scams. It makes you wonder just how many of these incidents could be prevented if we nuked modern email services and HTML email and went back to plain text. Of course, no one wants to be "plain," and that remains our undoing.

But the CloudHopper attacks parallel the peril of consolidating resources, making a very attractive and vulnerable target. Which is easier: Attacking 50 different companies or attacking the one or two cloud service providers used by those 50 companies? Something to bear in mind amidst the continued cries for some monolithic national voting system.

JoePete
Advocate I


@rslade wrote:

Cloud is not new. Cloud is not even a thing. "Cloud" is just "someone else's computer,"


Exactly. Of course the terrifying part is so many of these companies take troves of data that used to reside on some LAN that was, for the most part, accessible to only a few people given its physical limitations. These resources now all move out to an accessible-from-anywhere cloud environment. Voila. The cloud is essentially a glass house, and before you move into it, you better make sure you have a good bathrobe and some blinds.

Shannon
Community Champion

 

 


@dcontesti wrote:

I developed a Security Questionnaire for Cloud Services.  When my boss saw the questionnaire, his words were "No one will ever fill this in".....My words back  "then we probably should not trust them with our data".

 

The questionnaire asked questions around "who shares" the cloud facility with me.  His argument was that we could not ask those questions......strange how we see articles such as this one from Reuters and Sr. Management still want to be Ostriches and bury their heads in the sand.


 

What many entities find appealing about cloud service providers is that they provide storage, services & infrastructure with high availability, all at a lower price --- which often leads to them overlooking security risks.

 

Here in KSA, the Communications and Information Technology Commission (CITC) regulates this, & provides compliance requirements that cloud service providers must meet to cater to private / public entities operating in the country. (This page provides info on it.) Subsequently, the management isn't entrusted with the security, which is probably a good thing.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Caute_cautim
Community Champion

@Shannon A great believer in not re-inventing the wheel. New Zealand Government have a questionnaire as a form of risk assessment for every cloud engagement. There are two parts, the supplier perspective and the client perspective. The link and information is here, you might find it useful - or to contribute to your own questionnaire with the rationale behind it.

https://snapshot.ict.govt.nz/guidance-and-resources/using-cloud-services/assess-the-risks-of-cloud-s...

See what you think of it.

Regards

Caute_cautim

Shannon
Community Champion

 

 


@Caute_cautim wrote:

New Zealand Government have a questionnaire as a form of risk assessment for every cloud engagement.   There are two parts the suppler perspective and the client perspective.   The link and information is here, you might find it useful - or to contribute to your own questionnaire with the rationale behind it.


Yes, I too prepared a questionnaire for provision to cloud service providers, though management prefers to consult the regularity authority to determine if the provider is okay, and leave it at that. I'll check the link you sent. Thanks.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz