The fourth of May brought us World Password Day as well as Star Wars appreciation day. Those that were not geeking out to a Star Wars movie marathon on TV, were focusing on promoting the importance of security awareness and how changing your password can help improve your personal security. Unfortunately, despite our best efforts, no one is safe from identity theft and the concern is on the rise (iii.org 2017). According to national statistics, $16 billion was stolen from 15.4 million U.S. consumers in 2016 due to identity theft. With the threat continuing to rise, people are taking steps to raise awareness and take as many precautions as they can to preserve their digital identity. While World Password Day was well underway, The United States Computer Emergency Readiness Team released a notification of the most recent phishing campaign that targeted Google Docs users (us-cert.gov 2017). This campaign was created to lure users to click a document that was shared with them to Google Docs. This scam was aimed at getting people to enter their Google account details and then the program would change the user’s passwords, allowing access to all of the users Google applications.
Google Docs is part of Google’s cloud G Suite platform. The suite of products includes communication tools such as Gmail and Hangouts, and collaboration tools such as Docs, Sheets, and Forms. Google designed this platform for students, corporate users, and for individual use. Google, like many other providers out there such as Microsoft with their Office 365 platform, is taking the business world by storm. Without the need to adopt on-premise IT infrastructure to run basic business productivity tools such as Google, the business can free up funds to invest in other initiatives. Suites of services offered by one provider are especially attractive due to the ease of use and integration across several platforms from email to file sharing without the need for all of that infrastructure humming away in a data center somewhere costing you a small fortune in power, cooling, maintenance, management, and monitoring. However, moving to these cloud platforms are not without their challenges.
Security is one of the largest problems that is plaguing cloud adoption. As companies begin to adopt cloud services, they are exposing themselves to risks such as the latest Google phishing scam. If someone was able to gain access to your Google business account, they have access to potentially a gold mine of data that they can use to exploit you or others. So, now the best we have to thwart these attacks is to raise awareness with gimmicks such as World Password Day. The root of the issue is awareness and education. Adopting cloud services is just like building out the IT infrastructure in your corporate data center. You need to take steps to protect your boundaries, wall off the important stuff, and enforce the compliance of basic security controls such as strong password management, updates and patches, etcetera. In fact, most new Amazon AWS adopters are not aware that you are responsible for network security, access control, inventory and configuration management, and your own data security. As a consumer, we want to assume that the basics will be covered such as AWS protecting its customers against security threats or Google protecting its business users against intelligent phishing scams. Unfortunately, it is not that easy and we need to be more informed as a consumer and as practitioners.
Hope is not lost. Just like The Force Awakens Star Wars title says, there is hope for us. Industry leaders are taking steps to address this need for security programs to be aware of artificial stupidity (Hackett 2017). There is this notion that Artificial Stupidity is the dumbing down of programs to introduce their errors in their responses. E-Mail filtering tools are now being designed to think more like an end-user and find these seemingly legitimate e-mails and carrying out its own tasks to check link validity and based on the behavior of the data exchange, then make a conscious decision to block the email from being delivered to the recipient. In AWS, there are security partners that are centralizing and integrating security management. These services offer awareness through monitoring and escalation without the complications of managing the tools or hiring the staff to deal with it. In fact, these services are becoming so smart that they are learning. By combining human expertise and an enormous amount of security data available, algorithms now can be trained to learn by example. This supervised machine learning can detect advanced attacks against a company’s IT assets. So hold out hope cloud adopters. There is protection for us to be able to take full advantage of the potential the cloud presents us and we can rest a little easier knowing that manufacturers are working night and day to create complex solutions that require little management or intervention to provide our businesses the protection they require in order to operate in our digital world and take full advantage of the benefits the cloud service providers are offering.
For more information on recommendations for managing cyber security in today’s hybrid infrastructure as your organization adopts the cloud, hear from experts at Aqueduct Technologies and Alert Logic in a webinar: Optimizing Security for Hybrid IT.