Internet Forecast: Cloudy, With a High Probability of Getting Hacked
But cloud providers say security isn't their job
Regular listeners will notice a new name for this podcast--"Techwise Conversations." The show will soon have a phone and tablet app for iOS and Android, so we're taking the opportunity to rename it as well.
Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”
That intro will sound unfamiliar to regular listeners of this show. To quote a gas station sign I once saw that I think was written with a straight face, “We are rebranding to serve you better.” We recently started a Twitter account for the show—@spectrumpodcast—and soon we’ll have an iPhone, iPad, and Android app for the show as well.
Cloud computing is much in the news these days, and none of it is good. The U.S. government sees cloud computing as a way of improving security [PDF], but just the opposite seems to be the case. And all of the problems are, with 20/20 hindsight, entirely predictable, because remarkably, as, a new study shows, cloud service providers don't see security as part of their jobs.
In the past month or so, we’ve seen, and I list these in no particular order:
· A massive data breach of the Sony PlayStation Network; in total, the number of compromised customer accounts may well be over 100 million, including some customer profiles and credit cards;
· A collapse of cloud services at Amazon that left its customers—and therefore the customers of its customers—high and dry for the better part of two weeks;
· The password service LastPass took its service offline because of what it called “a network traffic anomaly on a noncritical server”;
· And a data breach at Epsilon that compromised e-mail addresses for customers of banks (Barclays, Capital One, Citibank, JP Morgan Chase), retailers (Target, Walmart, Best Buy, Brookstone, L.L. Bean, Kroger, and Walgreens), Disney, the College Board, the Home Shopping Network, and the Ritz-Carlton, to name just some of the 50 or so companies involved.
Plus there were problems at an Australian bank, where a faulty air-conditioning system caused a shutdown of its online banking system and some of its ATMs; a class action suit in Texas where the Controller's Office seems to have exposed the personal information of many of the 3.5 million government employees there; Hyundai Capital, which specializes in auto loans and home mortgages, where almost half a million client records were taken by a hacker...the list goes on and on, and that’s just some of the incidents that Spectrum’s intrepid Risk Factor blogger, Robert Charette, has been able to keep on top of.
Charette is a management consultant with 20 years of experience in software analysis, risk management, and large-scale development. He’s a member of the IEEE, has a Ph.D. in computer systems engineering, and seems to sleep no more than a few hours a night, to judge from the absurdly early time stamps on some of his blog posts. He lives in Virginia, but we’re speaking to him from his hotel room in Toronto, Canada, where he’s slated to speak at a conference tomorrow.
Bob, we’ve had you on the podcast several times before, but welcome to the new Techwise Conversations.
Bob Charette: Oh, thank you, Steven.
Steven Cherry: Bob, let’s just quickly go through some of these collapses, breaches, and fiascos—I guess that’s the IT version of the scary forest of the Wizard of Oz. The PlayStation Network—this one just went on and on and the news just kept getting worse and worse.
Bob Charette: Yeah, this is one that started in mid-April, and Sony found out that it had been hacked. And one of the problems was that it took them a couple of days to figure out how big the breach was. And originally it was about 75 million to 77 million customers they thought had potentially compromised—the customer accounts. And then they announced that they had been hacked; they got beaten unmercifully in the press because they took a long time to tell anybody they got hacked. And then after they had announced that they’d been hacked, the next day they found out they’d been hacked even worse earlier, when they’d had another 25 or so million customer accounts that had been compromised. And then just—I think over the weekend, they found that another 2500 or so folks had been hacked; their accounts had been hacked, contest winners from all the way from 2001, I believe. Which raises the question: What were they doing keeping data that was over 10 years old? So the news hasn’t been good lately, but to be honest, this goes all the way back to last December, when McDonald’s announced that they had been hacked, or in fact their advertising company, Arclight, had been hacked. And Arclight soon said that it was Silverpop, which is another one of these large e-mail providers doing advertising. So this stretches all the way back to last December, when things started to heat up in this space.
Steven Cherry: And it’s not just hacking—the Amazon problem was a network. I guess they reconfigured their network, and traffic got shifted away from customers’ primary networks. And there was a secondary network for them, but the secondary network would fail because it couldn’t handle the load.
Bob Charette: Yeah, there’s a cascading problem. It’s also been something that has happened—which I’ve noticed, again, for the last six to nine months—a number of system upgrades which cause problems, which all of a sudden take networks down for quite a long time. We saw this last year and this year again, with the banks in Australia—National Australia Bank, Commonwealth Bank, Westpac—have all had problems there due to upgrades in the evening time or during the day, which take down their networks; one network was down for almost 10 days. So we’ve now reached this level where there’s this level of complexity when they’re doing system or software upgrades where it just cascades—a small problem cascades and runs out of control.
Steven Cherry: Let’s get to the study I referred to—it’s by the Ponemon Institute and it was done for CA Technologies; they studied over 100 cloud service providers in the U.S. and six European countries. What did they find?
Bob Charette: Well, what they found out was that much to their surprise the majority of the cloud service providers felt that security wasn’t really their domain and that was the domain of their customers. And the customers felt that it was the cloud service providers who were supposed to provide security. So we’re in kind of this standoff situation where neither the customers of the cloud service providers nor the service providers themselves believe that security is their issue, which leaves us, the consumer, at risk. And so it seems to be this misperception—again, the federal government and a lot of commercial companies have been looking at a lot of cloud service providers not only to save them money but to increase security. So there seems to be a perception issue here, at least in terms of who is responsible for what. It does point out, I think, this issue where security is bolted on at the end and is not thought of as a mainline issue during these system designs or when services are contracted out. Even when we go back to the McDonald’s issue that we talked about earlier—here you had McDonald’s hiring somebody—Arclight—who was hiring somebody else, and I’m not sure how much McDonald’s was really aware that Arclight, its contractor, had subcontracted out to someone else. And so who’s ultimately responsible for your data or my data? You know, to be honest, from a customer standpoint, I don’t really care who it is as long as somebody does it.
Steven Cherry: Well, let me ask you, is this a fair analogy? You know, I drive to a bad part of town—and when it comes to hacking, the entire Internet is the bad part of town—and I put my car in a garage. You know, I lock the car—you know, that part of security is my responsibility—but I expect the garage to provide some kind of security too.
Bob Charette: Yeah, I think that’s a good analogy. Again, we’re still talking about services and systems that are being offered out there without—we’re still in the early stages, so I think a lot of the—I’m not a lawyer, so I’m not sure what the legal responsibilities are and how much of it is just based on the contracts that are signed, but I think there is an expectation of security and privacy that may not be there—at least to the level that everybody expects it to be.
Steven Cherry: Let me just get to the LastPass, which I don’t think you blogged about, but it was kind of a classic cloud failure. Customers used this service to store their passwords offline, but—I mean, they could store their passwords offline, but most of them stored their passwords online so that there was this master password at LastPass that would make all your other passwords available to you. Because it was online, you could access it whether you were at home or at work or on your smartphone. So basically, customers were putting all of their keys in one basket, so to speak, and the basket was in the cloud, and while apparently the keys didn’t get stolen, they became unavailable, and people got locked out of websites that they normally, you know, needed.
Bob Charette: Yeah, and this is kind of the hidden risk or maybe not so hidden anymore, where it provides you with this great single point of control. But at the same time when that single point of control gets disrupted, then you have a single point of failure, so you don’t have everything. It’s this kind of paradoxical thing of you know, if you put things on the cloud, how much should you have locally to protect yourself in case the cloud goes down, which seems to be a self-defeating purpose.
Steven Cherry: Well, that’s exactly right. I mean, I don’t use LastPass, but I do use Dropbox, which personally I think is a godsend, it lets me store files in the cloud and access them on any computer, on my phone or whatever, and I think of it as making me more secure. I don’t do backups anymore because I’ve got, you know, Dropbox. But now I’m kind of terrified of relying on the cloud.
Bob Charette: I personally don’t use too many of the cloud services, because again, I’m kind of old school and would rather protect everything myself with my terabyte drives at home and in the office. But it seems to be this movement towards going there. And I think that, again, what’s interesting—when you take a look at the Amazon problem, there was a number of large companies, like Netflix, who were using the cloud services and didn’t get disrupted when there was a problem. But they also seem to have read the fine print in Amazon’s user’s manuals, which said, listen, the reliability is 99 point, I think, 96 percent—but there is a possibility that, you know, we might have a problem, and in that case you should make sure that you have replicated your data in different areas of the cloud, so if there is a problem you can get back up and your services won’t go down. A number of companies that had been affected admitted publicly that they should have read the fine print a little bit more, and so there are ways of getting around this. I think that the issue from an operational standpoint is not nearly as big in my mind as the current security issue, because I think that’s the thing that not only do you not get access but you just don’t know what’s been compromised or how much. You know, when you go back to the Silverpop or the Epsilon hack or even at the controller down in Texas—I’m not sure that they know, that the people themselves know who’ve been hacked, exactly what’s been hacked or how much data’s been taken. So there is that problem, and over in the Amazon one—even when you have an operational error, they did lose a small percentage of data files that were not recovered. So, it’s risky out there [laughs].
Steven Cherry: And that’s why we have a Risk Factor blog at Spectrum online to keep track of it all.
Bob Charette: Well, we try, and there’s more of these recently than one could possibly blog on, unfortunately.
Steven Cherry: Yeah, well, keep plugging away at it. Thanks a lot, Bob.
Bob Charette: Thank you, Steven.
Steven Cherry: We’ve been speaking with management consultant and Risk Factor blogger Bob Charette about the ever-widening security holes in the Internet cloud and the cloud providers’ apparent nonchalance about closing them. For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.
This interview was recorded 10 May 2011.
Audio Engineer: Francesco Ferorelli
Follow us on Twitter @spectrumpodcast
NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum's audio programming is the audio version.