Who Is Carrying The Can For Cloud Data Security?

Information risk management is being passed around like a game of pass the parcel played with a time bomb. Where does the buck stop, asks Eric Doyle.

Who carries the can when the worms are spilling out? Cloud will one day be a federated estate of interdependent services – as tangled as a hairball and as slippery as spaghetti. When something goes wrong, who takes the blame?

In the old days of disconnected computers, when Sneakernet (running round the office with a floppy disk) was for the masses and Ethernet for the privileged few, the originating software house blamed application failures on the hardware, and the hardware dealers blamed the software.

Customers are now being confused by cloud. Last week Play.com admitted that some of its customer email addresses had been stolen. This placed the company in a difficult position: how could it admit to the breach and not lose credibility as an online vendor of hardware, software and casual wear?

Federated cloud confusion

Play.com’s answer was to lay the blame at the door of its email-marketing partner. In a letter to customers, Play.com stated: “We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.”

In an official response to eWEEK Europe, the company went a step further and named its partner as Silverpop. The email read: “We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.”

Play.com became aware of the breach when customers who had set up unique email addresses for their Play.com accounts were spammed at those addresses. Knowing that the addresses had been stolen from Play.com exposed the affected customers to targeted phishing attacks, which could fool many into downloading Trojans, giving away their credit card details or placing orders for too-good-to-be-true bargains.

The company responded quickly and responsibly to warn all of its contacts that such attacks could be coming their way.

A Change Of Focus

There have been several breaches like this: the ACS:Law fiasco; TripAdvisor’s admission last week that it had lost customer data; the theft of RSA Security’s crown jewels, the seed numbers of its SecurID cards; and the loss of a substantial amount of data by another security company, HBGary Federal.

Not all of these involved cloud services, but they show that hackers are becoming more aware of the profits to be made from such exploits. When cloud services are linked in a chain, as often happens when companies farm out their customer account details to PCI-DSS specialists, who bears the blame for a breach?

The consortium of payment card companies behind PCI-DSS has set down rigorous regulations to make life harder for hackers, and perhaps this should be used as a model for companies indulging in cloud partnerships.

Colin Tankard, managing director of Digital Pathways, commented, “Companies can easily lose track of their data when they outsource some of their services to cloud services. Due diligence may show that data is held according to EC laws and regulations and, where data is stored outside Europe, comply with safe harbour agreements. But a service supplier may change its structure to take advantage of cheaper back-up services based in India, for example, or a back-up service may, in turn, back-up its stored data with another company elsewhere. By oversight, this may not be telegraphed to the owner of the data and leakages can result.”

Des Ward, president of the Cloud Security Alliance (CSA) UK & Ireland, added, “Organisations need to realise that you simply cannot outsource liability, and with an entire IT network being available in the cloud, now, for less than a typical monthly company credit card limit, this situation will only get worse.

“Companies often have so little understanding relating to the location and impact of their information, including associated legislation, that the ‘big fish’ – in terms of fines and/or reputational impact – are concentrated on,” he added.

Education And Legislation

CSA was founded to look at issues of information risk management rather than just hardware-based security. Ward believes there is a need for guidance, and that guidance is largely missing. Consumers of services and suppliers need a sharpened sense of the risks they are exposed to so that data can be better protected.

Security of data is a federated issue, and Tankard believes it is the responsibility of the company that collects the data to ensure that the information is suitably safeguarded at every stage of its travel through the cloud ecosystem.

“These data owners should encrypt the information at source and only hand the keys to those who need it. They should also ensure that these trusted partners ensure that the keys are only available to those people in their company that need to access the raw data. Should it be necessary for the data to be exposed to another company further along a chain, it should not be done without the originating data owner’s permission.”
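One way to put Tankard’s “encrypt at source and hand out the keys sparingly” advice into practice is field-level authenticated encryption, with the partner’s permitted purpose bound into the ciphertext so a blob that drifts further down the chain, or is reused for something the owner never agreed to, will not open. The Go program below is an added illustration, not code from this article or from any company it mentions; the record layout, the purpose label and the customer address are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what a data owner hands to a partner further along the chain:
// ciphertext plus the metadata needed to open it, but never the key.
// (Constructed layout for this example.)
type Record struct {
	ID         string // customer identifier, bound as associated data
	Purpose    string // what the holder may use the data for, also bound
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key. The owner keeps it and hands it
// only to the partner process that genuinely needs the plaintext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field at source. The record ID and purpose are passed as
// AES-GCM associated data, so a blob copied onto another record or reused for
// a different purpose (say, a backup provider's analytics) will not open.
func Seal(key []byte, id, purpose, plaintext string) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ad := []byte(id + "|" + purpose)
	ct := aead.Seal(nil, nonce, []byte(plaintext), ad)
	return Record{ID: id, Purpose: purpose, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the field. It fails on a wrong key, a changed purpose, or any
// modification of the ciphertext, which is the property the data owner wants
// when blobs end up with companies it never contracted with.
func Open(key []byte, r Record) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ad := []byte(r.ID + "|" + r.Purpose)
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, ad)
	if err != nil {
		return "", errors.New("record will not open: wrong key, wrong purpose or tampered data")
	}
	return string(pt), nil
}

func main() {
	ownerKey, _ := NewKey()
	// Constructed sample: one customer address destined for an email-marketing partner.
	rec, _ := Seal(ownerKey, "cust-0001", "email-marketing", "alice@example.com")
	fmt.Printf("partner stores %d ciphertext bytes and no plaintext\n", len(rec.Ciphertext))

	if addr, err := Open(ownerKey, rec); err == nil {
		fmt.Println("key holder reads:", addr)
	}
	// A backup provider two hops down the chain holds the blob but no key.
	strayKey, _ := NewKey()
	if _, err := Open(strayKey, rec); err != nil {
		fmt.Println("without the key:", err)
	}
	// Reusing the same blob for a purpose the owner never agreed to also fails.
	repurposed := rec
	repurposed.Purpose = "analytics"
	if _, err := Open(ownerKey, repurposed); err != nil {
		fmt.Println("repurposed:", err)
	}
}
```

The design choice worth noting is the associated data: encrypting alone keeps the address secret from anyone without the key, but binding the record ID and purpose means the owner also controls where and for what the blob can be used, which is the permission step Tankard asks for when data moves another hop along the chain.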

In the rush to gain the financial and bragging rights of cloud involvement, security – which should be the first consideration – is often being left behind. The collector of the data should be held legally responsible for the safekeeping of that data.

If you asked a friend to look after a sum of money and they return to say they haven’t got it because they gave it to another friend who lost it, who would you hold responsible? Who would you expect to make recompense? It’s as simple as that.