Do you remember these recent stories? On July 31, 2012, Dropbox admitted it had been hacked (Information Week, 8/1/2012). Hackers had gained access to an employee’s account and from there were able to access LIVE usernames and passwords which could allow them to gain access to huge amounts of personal and corporate data. Just four days later, Wired® writer Mat Honan’s Twitter account was hacked via his Apple and Amazon accounts (story in Wired and also reported by CBS, CNN, NPR and others).
Did you notice the common theme behind these reports? Hackers didn’t get through the defenses of the Cloud by brute force. Instead, they searched out weak points and then exploited the other vulnerabilities those entry points led to. In these examples – as in countless others – the weak points were processes and people.
The Dropbox hack was made possible by an employee using the same password to access multiple corporate resources, one of which happened to be a project site that contained a “test” file of real unencrypted usernames and passwords. Either one could be considered a lapse in judgment – I mean, who thinks it is a good idea to store unencrypted user access information on a project site??? – but added together, these lapses produced a result much more dangerous than the sum of its parts.
Mat Honan’s hack was made possible in part by process flaws at large and popular companies. Again, each chink taken individually would likely not have been as damaging as the series of flaws building on each other. Neither Apple nor Amazon individually provided enough information for hackers to take over Mr. Honan’s account, but taken together, their processes and individual snippets of data provided the opportunity.
My purpose in writing this isn’t to scare anyone away from the Cloud or its legitimate providers. The Cloud is cost-effective, portable, scalable, stable, and here to stay. And it is as secure as technology will allow. But as these stories illustrate, technology isn’t the risk. Information wasn’t compromised by brute-force hacking or breaking encryption algorithms. Data was put at risk by people and processes.
Have you ever worked with someone who messed up something royally by not following a documented process? Or do you know someone who clicked a link in a bogus email and infected their laptop – or even the whole company – with a virus? They might be working for your Cloud provider now. Don’t rely on those folks to protect your data in the Cloud. Instead, protect it yourself with Backups, Password Safety and Data Encryption before entrusting your precious data to the Cloud. If a hacker gets into your Cloud, at least you won’t be the easiest target.