he recent compromise of icloud backups of celebrities has piqued interest in the security of consumer cloud services. To paraphrase Del Harvey from twitter, when you have a million events a day, a one in a million event happens once a day.
Below are a few of my thoughts; securing a commodity cloud service requires a lot of disciplined thinking:
1. If you run a mass market cloud service you need to do some serious threat modelling, including:
- Consider your users. Not all users are the same. For example, human rights activists and celebrities are at risk of targeted attacks. You will need to categorise your users in enough granularity to apply security controls matching the threats. For example, using birthdates to perform password resets may not be as effective for celebrities.
- Consider their information assets.
- Consider threat actors. For example cybercriminals, nation state actors, abusive ex-husbands, garden variety "script kiddies".
2. You should then select appropriate security controls for the threats identified, perhaps even using structured thinking like attack trees or "cyber kill chain" to pick the most effective.
3. You need to test the controls. This includes functional, user experience and penetration testing.
4. You need to have the process and people to be able to respond to security incidents including reports of vulnerabilities as well as breaches large and small.
5. Should consumers be able to opt in for increased security controls, the application of which is arbitrated by the cloud services provider? For example, twitter has a "verified" option for public figures to prevent hoax accounts.
6. Some organisations can and will opt out of commodity cloud services and instead put in bespoke solutions. Instead of Twitter, many companies use Yammer.
7. Large organisations can control the use of cloud services in many ways.
- A mobile device management solution that uses the iOS API can disable the use of icloud.
- For example a web proxy can be configured to block or monitor the use of commodity cloud services like Gmail and Dropbox.
Hope these thoughts get you thinking too!
I read your post and got it quite informative. I couldn't find any knowledge on this matter prior to. I would like to thanks for sharing this article here. Houston Managed it Services
ReplyDeletehi was just seeing if you minded a comment. i like your website and the thme you picked is super. I will be back. theconsumer.guide
ReplyDeleteThe information in the post you posted here is useful because it contains some of the best information available. Thanks for sharing it. Keep up the good work managed it services houston tx.
ReplyDelete