Keep Your Head Above The Cloud – Cyber Security is Really Foggy Out There…
A long time ago I did a Newsletter that explained what “The Cloud” meant and how it came to have that name. It was around the twentieth newsletter I wrote. Not including emergency/special ones (like EQUIFAX / Specter / Meltdown), this will be my #63.
Once again, it’s time to talk about “The Cloud”:
Since it was long ago, I’ll do a quick recap and explain what “The Cloud” is all about.
First, consider your own corporate network. The only limitation you have when it comes to making changes within it is making sure it still works. You can rearrange it however you like/need, whenever you want, as long as you have the money and time.
Now consider how you document that network. Just like drawing maps of countries or continents, you can make maps of your network. The larger the network, the more important it is to do this, to make sure everyone understands how it all fits together (maps are also handy when there are problems, to help identify possible causes.) Just like geographical maps (cartography), there’s a standard set of symbols that get used when you document an electronic network.
The symbol used any time you have a connection to a network that you don’t have control over is the picture of a cloud. This symbol is used because that network can change its layout or shape at any time. You have no say or control over when or why this might happen.
So, the short answer to “What is ‘The Cloud’?” is simply “It’s a Marketing gimmick.” The Cloud is (and always has been) any network you don’t control. It’s the Internet. Any website, service or connection you make somewhere outside of your network is in “The Cloud.”
Now that we have that out of the way, let’s talk a little bit about Security in The Cloud.
Any service that you rent/subscribe to or use on the Internet is in the Cloud and would be covered by the statement “Cloud Security.” Amazon rents time on virtual servers and calls the service Amazon Web Services (AWS.) Basically, it allows you to rent a virtual server that you can then configure as needed. This can be a real cost-saver, especially if the equipment is needed for a permanent project.
Then what’s all this talk about Cloud Security being so good, or for that matter, so bad? I think the problems begin when people don’t understand where their own responsibilities begin and end. This applies not just to users of a service, but to the people behind the scenes responsible for designing and maintaining the service.
As a thought experiment, think about the Security that AWS is providing, when you rent a virtual server from them.
Amazon needs to:
Make sure the environment they provide matches what you ordered (Exchange server, Load Balancer, etc.)
Ensure the environment assigned to you is available as often as possible (99% uptime I believe, possibly more.)
Configure their service, so that you can’t get into a different customer’s environment via some type of AWS backdoor (and vice versa.)
Periodically back up your environment.
Restore your environment to the most recent backup in a reasonable time-frame, in the event of a catastrophic data center failure (fire, flood, etc.)
Amazon DOES NOT need to:
Provide any kind of license or activation codes (I’m sure they will happily sell you those, for extra.)
Update/Patch the initial environment in any way (they may have some installed initially but once you start the rental, it’s totally up to you to keep it patched.)
Secure or harden the default configuration in any way (hardening imposes operational requirements that not everyone needs, so doing that could cause problems.)
Provide any sort of access limitation/monitoring.
Set up any kind of Intrusion or Attack Detection to protect your environment (like a firewall.)
Every couple of weeks I read an article about some breach involving data found on an AWS server. This is not Amazon’s fault in any way. It’s the fault of people who made use of their service. Maybe the customer didn’t realize how much of the Security was their own responsibility. Maybe they assumed that it was no different than having a server inside their own network.
The environment you rent from Amazon is open to the entire Internet, unlike a server inside your own organization.
Whatever the justification, in each of those cases the researchers who find the data do not make use of exploits or hacks. They use simple tools to find the machines, and then try to connect to them with some standard/default methods.
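To make the customer's side of that split concrete, here is an added example (not part of the original newsletter) that reviews firewall rules in the JSON shape returned by `aws ec2 describe-security-groups` and reports management or database ports reachable from the whole Internet. The sample groups, the port list and the function names are constructed for this illustration.

```python
import ipaddress

# Ports that rarely need to face the whole Internet
# (illustrative list chosen for this example, not an AWS default).
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 27017: "MongoDB"}


def is_world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_rules(security_groups):
    """Return (group_id, service, port, cidr) for each sensitive port open to the world."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            protocol = perm.get("IpProtocol")
            if not open_cidrs or protocol not in ("-1", "tcp", "udp"):
                continue  # not world-open, or a protocol without ports (e.g. ICMP)
            if protocol == "-1":  # "-1" means all protocols and all ports
                low, high = 0, 65535
            else:
                low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, service in sorted(SENSITIVE_PORTS.items()):
                if low <= port <= high:
                    findings.extend((group["GroupId"], service, port, c) for c in open_cidrs)
    return findings


# Constructed sample data; group IDs and addresses are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-example-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, service, port, cidr in find_exposed_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (port {port}) is reachable from {cidr}")
```

In the sample, the web group passes because HTTPS is meant to be public and SSH is limited to one address range, while the database group is flagged twice.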
Facebook, Twitter and other Social Media platforms are much the same. At some point, their responsibility to provide Security ends, and yours begins. It’s important to make sure you’re aware of what your responsibilities are, and that you take the steps appropriate to the situation and service you make use of. Find out what Security features they have, how they behave, and change them.
If you have any questions about Cloud Security, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.