Repost: iCloud, youcloud, wecloud. Thoughts on consumer cloud service security
The recent compromise of iCloud backups belonging to celebrities has piqued interest in the security of consumer cloud services. To paraphrase Del Harvey of Twitter, when you have a million events a day, a one-in-a-million event happens once a day.
Below are a few of my thoughts; securing a commodity cloud service requires a lot of disciplined thinking:
1. If you run a mass market cloud service you need to do some serious threat modelling, including:
Consider your users. Not all users are the same. For example, human rights activists and celebrities are at risk of targeted attacks. You will need to categorise your users with enough granularity to apply security controls that match the threats they face. For example, using birthdates to perform password resets is far less effective for celebrities, whose birthdates are public knowledge.
Consider their information assets.
Consider threat actors. For example: cybercriminals, nation state actors, abusive ex-husbands, and garden-variety "script kiddies".
2. You should then select appropriate security controls for the threats identified, perhaps even using structured thinking such as attack trees or the "cyber kill chain" to pick the most effective ones.
3. You need to test the controls. This includes functional, user experience and penetration testing.
4. You need to have the process and people to respond to security incidents, including reports of vulnerabilities as well as breaches large and small.
5. Should consumers be able to opt in to increased security controls, the application of which is arbitrated by the cloud service provider? For example, Twitter has a "verified" option for public figures to prevent hoax accounts.
6. Some organisations can and will opt out of commodity cloud services and deploy bespoke solutions instead. Instead of Twitter, many companies use Yammer.
7. Large organisations can control the use of cloud services in many ways.
For example, a mobile device management (MDM) solution that uses the iOS API can disable the use of iCloud.
A web proxy can be configured to block or monitor the use of commodity cloud services like Gmail and Dropbox.
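As an added example (not from the original post), here is the "monitor" half of point 7 in Python: a small script that parses Squid-style proxy access log lines and tallies which users reached commodity cloud services, matching hostnames by domain suffix so that look-alike domains are not miscounted. The log lines, the service-to-domain map and the field layout are constructed assumptions for illustration.

```python
"""Tally use of commodity cloud services from proxy access logs (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical policy: service name -> registrable domains that belong to it.
CLOUD_SERVICES = {
    "gmail": {"gmail.com", "mail.google.com"},
    "dropbox": {"dropbox.com", "dropboxapi.com"},
    "icloud": {"icloud.com"},
}

def classify_host(host):
    """Return the cloud service a hostname belongs to, or None.
    Matches the domain itself or any subdomain by label suffix, so
    'www.dropbox.com' matches while 'notdropbox.com' does not."""
    host = host.lower().rstrip(".")
    for service, domains in CLOUD_SERVICES.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return service
    return None

def parse_squid_line(line):
    """Parse one Squid native-format access.log line (constructed sample):
    timestamp elapsed client code/status bytes method url user peer/host type
    CONNECT lines carry 'host:port' rather than a full URL."""
    parts = line.split()
    if len(parts) < 8:
        return None
    client, url, user = parts[2], parts[6], parts[7]
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    # Unauthenticated sessions log '-' as the user; fall back to the client IP.
    return {"user": user if user != "-" else client, "host": host or ""}

def summarise(lines):
    """Count (user, service) hits; lines for other hosts are ignored."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or not rec["host"]:
            continue
        service = classify_host(rec["host"])
        if service:
            counts[(rec["user"], service)] += 1
    return dict(counts)

# Constructed sample log lines (RFC 5737 test addresses as peers).
SAMPLE_LOG = """\
1409600001.123 245 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT www.dropbox.com:443 alice HIER_DIRECT/203.0.113.10 -
1409600002.456 80 10.0.0.5 TCP_MISS/200 2048 GET http://mail.google.com/mail/ alice HIER_DIRECT/203.0.113.11 text/html
1409600003.789 60 10.0.0.7 TCP_MISS/200 1024 GET http://notdropbox.com/ bob HIER_DIRECT/203.0.113.12 text/html
1409600004.012 120 10.0.0.7 TCP_TUNNEL/200 900 CONNECT p12-keyvalueservice.icloud.com:443 - HIER_DIRECT/203.0.113.13 -
"""

if __name__ == "__main__":
    for (user, service), n in sorted(summarise(SAMPLE_LOG.splitlines()).items()):
        print(f"{user:10} {service:8} {n}")
```

Feeding the script a real access.log instead of SAMPLE_LOG gives a per-user view of cloud service use that can drive a block decision or an alert.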