Are Cloud Services Safe? iCloud Breach Revives Debate

Are cloud services secure enough for corporate use? It's a question bankers have pondered for at least a decade, and the iCloud breach illustrates both the pro and con arguments.

On the one hand, storing any kind of sensitive material anywhere on the Internet makes it a target for hackers. On the other, the password gaming that appears to have been behind the iCloud theft could happen to any server, on or off the cloud.

The incident that came to light on Sunday, in which compromising photos of celebrities were pulled from Apple's backup service and posted all over the Web, has rekindled the long-running debate.

"The cloud is a mistake. No one's data is safe," banking attorney Timothy Naegele wrote in an online comment posted to American Banker's Tuesday story about the breach. "It is vulnerable to hackers, terrorists and others. Anyone who tells you differently is mistaken."

In addition to financially motivated cybercriminals, Naegele, a former counsel to the Senate Banking Committee, points to the threat of hackers from other countries.

"China has hacked us and a lot of phishing comes straight out of Russia," he said in a later interview. Russian hacking attempts are believed to be retaliation for U.S. economic sanctions against the country over its military presence in Ukraine.

Cloud services are the easiest target for all these adversaries, Naegele said. "My concern is they're going to infiltrate major systems in the U.S. and attempt to take them down."

Still, Naegele acknowledged that he blogs on the cloud and that his company's website is hosted by Yahoo. "You're never going to get away from the cloud," he said.

Indeed, defenders of the technology argue that the cloud is ubiquitous and almost impossible to avoid on a personal or business level. And any computing device that is linked to the Internet is subject to attack.

"How safe is a motor car?" said Rajiv Gupta, CEO of Skyhigh Networks, a company that assesses the security of cloud services. "The answer is 'it depends how you drive it.' Were we safer before there were motor cars? Probably. There were fewer accidents but we couldn't get to the hospital as fast."

Safer use of the cloud would involve using security mechanisms such as two-factor authentication, encryption, and activity monitoring (to find anomalous behavior that would indicate an impostor). On Wednesday, Skyhigh introduced a set of security controls for Box's cloud file-sharing service.

Gupta argues that cloud services aren't inherently less safe than a company's internal servers.

"Look at the iCloud breach: the problem isn't that iCloud is any less safe, the problem is that someone's account credentials were stolen," he said.

Apple has said its servers were not breached, and many have speculated that iCloud fell victim to a "brute force" attack in which software tries to guess users' passwords, trying thousands of possibilities until it stumbles on the right one. Many websites automatically block login attempts after three tries, which would thwart such an attack.

"The question should be, should we have sites that require passwords? Should people use ecommerce at all? Should we do mobile banking?" Gupta said. "We accept that it's a fallacy to even think that's a possibility, to not do mobile banking." Similarly, companies need the cloud; in this day and age it's impossible to create a hermetically sealed environment, he argues.

MIDDLE GROUND

James Gordon, the chief information officer at Needham Bank in Massachusetts, takes a middle-of-the-road attitude toward cloud computing.

"Anyone that says anything is 100% secure is telling a lie; look no further than the breach of security provider RSA or the issue with the NSA and Snowden," he said.

Financial institutions should conduct risk assessments of cloud services and make sure they adhere to their policies and procedures.

"Banks should determine the value of the data, then make sure appropriate controls are in place, both physical and virtual controls," Gordon said. These would include requiring users to create strong passwords and making sure an account locks out after several invalid login attempts.

"I believe the cloud can be safe, but users of the cloud must know their data and how it's protected and stored both at rest and in transit," Gordon said.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER