I was sitting at LAX last weekend waiting to board my plane, and took a few minutes to read up on the latest news about the Office of Personnel Management’s (OPM) data breach. Over 21 million individuals’ Personally Identifiable Information (PII) stolen by hackers — reportedly the work of a foreign government.
And how did OPM discover the breach? They stumbled upon it while investigating a previous breach that had resulted in the theft of another 4 million individuals’ PII.
Not too long before the OPM’s disclosure, the Internal Revenue Service announced that 100,000 tax accounts had been hacked. And before that, Home Depot, Sony, Target — all victims of sophisticated, successful and massive attacks.
Troubling events, and part of an unmistakable trend that makes it clear much of the data we entrust to governments, companies and other organizations may not be as secure as hoped. If you’re a business or technology leader, these events also make it clear that if you’re not already focused on data security, it’s time to quickly and resolutely make it a priority.
From what I can tell, though, none of the aforementioned breeches were the result of exploiting cloud vulnerabilities. Instead, they were the result of social engineering attacks or software exploits that could have happened regardless of the hosting model (i.e., on-premise or in the cloud).
The vulnerabilities associated with Internet-connected systems hosted on-premise, and those hosted in the cloud, are generally the same. (And while I might make the case that cloud providers are likely to have better physical security, data center facilities aren’t typically a target for most hackers.)
Fortunately, the techniques needed to secure systems in either model are also the same. If you’ve developed your on-premise systems using secure coding practices, placed your systems behind a well-designed firewall infrastructure, implemented vulnerability management best practices, and leveraged intrusion detection capabilities, then you’ve developed the skills and instituted the practices that will help you proceed securely in the cloud.
If you haven’t, drop what you’re doing, and get started immediately! Security is a practice every IT department should be developing as a core competency, as unprotected systems hosted on-premise are equally as hackable as unprotected systems hosted in the cloud. Don’t have the resources needed? Done carefully, moving to the cloud can actually free resources to focus on security: less racking and stacking, more firewalling and detecting.
Interestingly (and not surprisingly), cloud providers and third-party security firms are beginning to make very credible progress towards helping customers leverage the cloud more securely. Before long, it may actually be easier to secure systems in the cloud than on-premise. I’ll dive a little deeper into this topic in a future blog.