Recent Breaches Spur New Thinking On Cloud Security

After hackers breached e-mail marketing provider Epsilon in late March, a steady stream of email apologies were sent out to customers. Unfortunately, that same channel of communication is what made Epsilon such an attractive target in the first place.

From an attacker's perspective, cloud services providers aggregate access to many victims' data into a single point of entry, experts say. And as their services become more popular, they will increasingly become the focus of attacks, according to Josh Corman, director of research for The 451 Group, an analyst firm.

"Putting more eggs into fewer baskets leads to massive breaches -- it is a force multiplier," Corman says. "Force multiplication for good and force multiplication for bad, and I think people miss the entire force multiplication concept."

In late March, Epsilon uncovered evidence of a breach. More than 100 companies were affected, including banks such as JP Morgan Chase and Citi, as well as major consumer companies such as Best Buy, Disney Destinations and Target.

The attackers only accessed client email addresses, according to Epsilon, but the marketing services firm gave few other details. Cloud providers and other third-party services firms need to be more forthright with information about breaches, Corman says.

Rather than focusing on contracts and limiting liability in cloud services deals, enterprises should focus on controls and auditability, Corman says.

"We have to let people with expertise in scale do things expertly with scale -- we are not going to stop doing these kinds of things," Corman says. "But we need to have more assurance than we have had to date because most people are very, very bad at IT security. Everyone is doing it wrong. Even the giants are doing it wrong."

While some experts believe that contracts could force providers to create more secure infrastructure, many cloud contracts are non-negotiable, leaving clients with little room for enforcing better security. Companies should not rely on provider contracts to keep them safe, says Ulf Mattsson, CTO at security services firm Protegrity.

"Some people think that liability can be outsourced, but, no, it cannot," Mattsson says. "A contract basically means nothing. You still have the liability. You will still be in the headlines."

Cloud providers need to be separated from the data they are holding, Mattsson argues. Tokenization or point-to-point encryption technologies, which protect data at rest and during communications, might be the best current solutions to protect enterprises from service provider breaches, he says.

The Epsilon breach could also spur enterprises to put more emphasis on security education and training, especially around social engineering. The breach at the email marketing services firm gives cybercriminals a treasure trove of specific marketing information. That puts companies in danger because workers are increasingly seen as a weak point in their networks: Compromise the worker, and you have compromised the company.

Other cloud providers and companies whose employees' email addresses were leaked via Epsilon should expect their employees will become the focus of attacks, experts say. Companies need to educate those employees and watch their Internet access for signs of attack and compromise, says Jay Chaudhry, CEO of Zscaler, a Web security company.

"[Attackers] are targeting the users of companies that provide these services," he says, "so they can compromise the companies' workers' machines. Once the workers' machines are compromised, now they can access the system going in as users -- and they can go from there."

Enterprises should create and maintain personal relationships with their cloud services providers, experts say. When a crisis hits, being able to pick up the phone and call someone at the cloud provider who can get something done is invaluable, they say.

Just ask Greg Hoglund: The CTO of HBGary scrambled to get Google to shut down access to the company's cloud-hosted email when hackers from the Anonymous group broke into the accounts of a subsidiary, HBGary Federal.

"Do you have a hotline in a crisis situation, so you are not going through standard support?" Corman says. "Breach clauses and crisis management clauses in the contract are key."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.