TOO LATE: In this day and age it's impossible to hermetically seal off an IT environment from the cloud, argues Rajiv Gupta, CEO of Skyhigh Networks.

Are Cloud Services Safe? iCloud Breach Revives Debate


Are cloud services secure enough for corporate use? It's a question bankers have pondered for at least a decade, and the iCloud breach illustrates both the pro and con arguments.

On the one hand, storing any kind of sensitive material anywhere on the Internet makes it a target for hackers. On the other, the password gaming that appears to have been behind the iCloud theft could happen to any server, on or off the cloud.

The incident that came to light on Sunday, in which compromising photos of celebrities were pulled from Apple's backup service and posted all over the Web, has rekindled the long-running debate.

"The cloud is a mistake. No one's data is safe," banking attorney Timothy Naegele wrote in an online comment posted to American Banker's Tuesday story about the breach. "It is vulnerable to hackers, terrorists and others. Anyone who tells you differently is mistaken."

In addition to financially motivated cybercriminals, Naegele, a former counsel to the Senate Banking Committee, points to the threat of hackers from other countries.

"China has hacked us and a lot of phishing comes straight out of Russia," he said in a later interview. Russian hacking attempts are believed to be retaliation for U.S. economic sanctions against the country over its military presence in Ukraine.

Cloud services are the easiest target for all these adversaries, Naegele said. "My concern is they're going to infiltrate major systems in the U.S. and attempt to take them down."

Still, Naegele acknowledged that he blogs on the cloud and that his company's website is hosted by Yahoo. "You're never going to get away from the cloud," he said.

Indeed, defenders of the technology argue that the cloud is ubiquitous and almost impossible to avoid on a personal or business level. And any computing device that is linked to the Internet is subject to attack.

"How safe is a motor car?" said Rajiv Gupta, CEO of Skyhigh Networks, a company that assesses the security of cloud services. "The answer is 'it depends how you drive it.' Were we safer before there were motor cars? Probably. There were fewer accidents but we couldn't get to the hospital as fast."

Safer use of the cloud would involve using security mechanisms such as two-factor authentication, encryption, and activity monitoring (to find anomalous behavior that would indicate an impostor). On Wednesday, Skyhigh introduced a set of security controls for Box's cloud file-sharing service.

Gupta argues that cloud services aren't inherently less safe than a company's internal servers.

"Look at the iCloud breach: the problem isn't that iCloud is any less safe, the problem is that someone's account credentials were stolen," he said.

Apple has said its servers were not breached, and many have speculated that iCloud fell victim to a "brute force" attack in which software tries to guess users' passwords, trying thousands of possibilities until it stumbles on the right one. Many websites automatically block login attempts after three tries, which would thwart such an attack.

"The question should be, should we have sites that require passwords? Should people use ecommerce at all? Should we do mobile banking?" Gupta said. "We accept that it's a fallacy to even think that's a possibility, to not do mobile banking." Similarly, companies need the cloud; in this day and age it's impossible to create a hermetically sealed environment, he argues.

MIDDLE GROUND

James Gordon, the chief information officer at Needham Bank in Massachusetts, takes a middle-of-the-road attitude toward cloud computing.

"Anyone that says anything is 100% secure is telling a lie; look no further than the breach of security provider RSA or the issue with the NSA and Snowden," he said.

Financial institutions should conduct risk assessments of cloud services and make sure they adhere to their policies and procedures.

"Banks should determine the value of the data, then make sure appropriate controls are in place, both physical and virtual controls," Gordon said. These would include requiring users to create strong passwords and making sure an account locks out after several invalid login attempts.

"I believe the cloud can be safe, but users of the cloud must know their data and how it's protected and stored both at rest and in transit," Gordon said.
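The lockout control mentioned above (blocking logins after three tries, or after "several invalid login attempts") can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the class name, the 15-minute lock duration and the sample account and passwords are assumptions constructed for illustration.

```python
import hmac
import time

class LoginThrottle:
    """Locks an account after max_failures consecutive bad passwords."""

    def __init__(self, max_failures=3, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures        # "three tries", as in the article
        self.lockout_seconds = lockout_seconds  # assumed value, not from the article
        self.clock = clock
        self.failures = {}       # account -> consecutive failed attempts
        self.locked_until = {}   # account -> time at which the lock expires
        self.checked = 0         # how many guesses reached the password check

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is not None and self.clock() >= until:
            # Lock expired: forget it and start counting from zero again.
            del self.locked_until[account]
            self.failures.pop(account, None)
            until = None
        return until is not None

    def attempt(self, account, guess, secret):
        """Return "locked", "ok" or "denied" for one login attempt."""
        if self.is_locked(account):
            # Refuse before comparing, so even the right guess fails while locked.
            return "locked"
        self.checked += 1
        # Demo only: a real service compares against a salted password hash.
        if hmac.compare_digest(guess.encode(), secret.encode()):
            self.failures.pop(account, None)   # success resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "denied"

def run_guesses(throttle, account, guesses, secret):
    """Feed a list of guesses to the throttle and collect each outcome."""
    return [throttle.attempt(account, g, secret) for g in guesses]

if __name__ == "__main__":
    # Constructed sample: the right password is the 10th of 1,000 guesses.
    secret = "correct-horse"
    guesses = [f"guess{i}" for i in range(9)] + [secret] + [f"guess{i}" for i in range(10, 1000)]
    throttle = LoginThrottle()
    results = run_guesses(throttle, "alice@example.com", guesses, secret)
    print(results.count("ok"), throttle.checked)
```

Per-account lockout also keeps the legitimate owner out until the timer expires, which is why the lock duration is a parameter rather than a fixed value.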


Comments (1)
None of us can ignore consumer-oriented cloud services - especially in today's business world. Banks, hospitals, even our government utilize them every day - entrusting their most critical data to cloud-service providers. Yet, wouldn't you agree all are susceptible to a level of risk with any technology, albeit to varying degrees, such as the instance with iCloud? The truth is, banks CAN have control over security protocols such as authentication controls, data access and audit logs for monitoring malicious activity and internal risk. But to operate effectively in the cloud, banks must first understand the level of safeguard, control procedures and infrastructure these providers offer to ensure that the appropriate protocols are in place to protect their customers, employees and corporate integrity.
Posted by nCino | Thursday, September 04 2014 at 9:17AM ET