Head in the Clouds: SaaS, PaaS, and Cloud Strategy

Aug 2 2017   12:37PM GMT

Is data security nothing more than wishful thinking?

Joel Shore

Tags:
Application security
cybersecurity

It’s not often that I read the showbiz bible Variety or the Hollywood Reporter when doing background research for a piece on cloud computing. Yet here we are — again — pondering the pervasive perniciousness of breaking into entertainment-industry data assets.

This time around it’s HBO. A late July break-in by allegedly coordinated forces targeted, according to the Hollywood Reporter, “specific content and data housed in different locations.” Should the attack actually amount to a possible 1.5 terabytes, that would be roughly equivalent to the infamous Sony Studios hack of 2014 — multiplied by a factor of nearly seven. According to multiple reports, episodes of Game of Thrones and significant other broadcast content assets were downloaded.

It’s not easy to steal 1.5 terabytes of data. Downloading that much, even to multiple destinations, takes time. Should alarm bells have gone off? Did they? For now, I’ll stay away from speculating about the woes of others.

Yahoo had a billion user accounts hacked in 2013. The Sony hack of 2014 stole not just broadcast and theatrical content, but e-mail messages that embarrassed many and led to the ouster of co-chairman Amy Pascal and others in her wake.

CNN reported in June 2017 that government websites in four states, New York, Maryland, Ohio, and, most recently, Washington, were hacked to the extent of having anti-American messages displayed.

Let’s face the reality: Security is little more than wishful thinking. If you believe an application, system, data store, or infrastructure to be secure, you are asking for a world of trouble.

Banks. Software companies, including Adobe. Government agencies. Media titans. Retail giants, including Target and TJX. Even security company RSA itself was breached in 2011. Windows XP, launched in October 2001 and retired in April 2014, is still the object of security patches from Microsoft. Hospitals have had their data held for ransom. So has a guest check-in system at a hotel in Europe.

The problem with security is that no matter how many onion-like layers we pile on, no matter how pervasive and sophisticated two-factor or even biometric authentication becomes, it can never be enough. All it takes is one click on an innocent-looking e-mail message by a well-meaning employee to circumvent years of efforts and millions of dollars invested. Perhaps we’re seeing the rise of a new mini-industry: HaaS, hacking as a service.

As application developers, there’s only so much we can do. Test APIs to ensure they are up to the latest standards and versions. Log activity into journal files. Working closely with business executives and various IT groups — QA, testing, operations — is essential. So is asking obnoxiously intrusive questions about planning for app security before a line of code is written. Breaches, after all, are themselves obnoxiously intrusive.
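The post asks whether alarm bells should have gone off while 1.5 terabytes left the building, and recommends logging activity. One concrete form that advice takes is egress-volume monitoring: sum bytes out per host per day from flow logs and alert when a host sends far more than its own recent baseline. The script below is an added example, not code from the post or from any studio's actual tooling; the log format, host names, byte counts, and the 5x / 100 GB thresholds are all constructed for illustration.

```python
"""Egress-volume detection over constructed flow-log lines.

Added example (not from the original post). The log format, host names,
byte counts and alert thresholds are all constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: "date src_host dst_ip bytes_out", one flow per line.
# media-store-01 normally ships ~40 GB/day; on 07-28 it sends 1.6 TB to
# two previously unseen destinations. build-srv-02 is steady and small.
SAMPLE_FLOWS = """\
2017-07-24 media-store-01 203.0.113.10 40000000000
2017-07-25 media-store-01 203.0.113.10 42000000000
2017-07-26 media-store-01 203.0.113.10 39000000000
2017-07-27 media-store-01 203.0.113.10 41000000000
2017-07-28 media-store-01 198.51.100.7 900000000000
2017-07-28 media-store-01 198.51.100.8 700000000000
2017-07-24 build-srv-02 203.0.113.20 5000000000
2017-07-25 build-srv-02 203.0.113.20 6000000000
2017-07-26 build-srv-02 203.0.113.20 5500000000
2017-07-27 build-srv-02 203.0.113.20 5200000000
2017-07-28 build-srv-02 203.0.113.20 6100000000
"""


def parse_flows(text):
    """Parse lines into (date, host, dst, bytes); skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, host, dst, nbytes = parts
        try:
            flows.append((date, host, dst, int(nbytes)))
        except ValueError:
            continue  # non-numeric byte count: ignore the line
    return flows


def daily_egress(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dst, nbytes in flows:
        totals[host][date] += nbytes
    return totals


def detect_egress_spikes(flows, ratio=5.0, min_bytes=100 * 10**9):
    """Flag host-days whose outbound volume exceeds `ratio` times the median
    of that host's earlier days AND is above an absolute floor (`min_bytes`,
    default 100 GB). The floor keeps quiet hosts with tiny baselines from
    paging anyone over a trivial increase."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        dates = sorted(per_day)
        for i, day in enumerate(dates):
            history = [per_day[d] for d in dates[:i]]
            if not history:
                continue  # first day seen for this host: no baseline yet
            base = median(history)
            today = per_day[day]
            if today >= min_bytes and today > ratio * base:
                alerts.append({
                    "host": host,
                    "date": day,
                    "bytes_out": today,
                    "baseline_median": base,
                    "ratio": round(today / base, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_egress_spikes(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['date']} {a['host']}: {a['bytes_out'] / 1e12:.2f} TB out, "
              f"{a['ratio']}x the prior median")
```

A per-host baseline matters more than a global one: a media store that legitimately ships tens of gigabytes a day would drown a fleet-wide average, while a 40x jump against its own history is exactly the kind of multi-hour transfer the post suggests should have tripped an alarm.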

If there was an answer to these major security problems, it’s reasonable to think the combination of big brains and deep pockets would have figured it out by now. Alas, no one has. It’s possible no one ever will.

No one is closer to the bits and bytes, the very lifeblood that flows through the arteries of cloud-based IT systems, than application developers. What is your organization doing to step up security? What plans are in place to deal with a breach after it occurs? What’s your role? There’s lots to talk about. Share your thoughts; we’d like to hear from you.

3 Comments on this Post

  • a1r9i5
    We should be persistent on data security, like geofencing.
  • Fred Churchville
    "All it takes is one click on an innocent-looking e-mail message by a well-meaning employee."

    What about employees with ill intent? All it takes is one employee who stands to make more from exploiting his company than he does from his paycheck. There's a reason the gov't makes people go through extensive clearance checks before they're put in charge of sensitive systems. I'd go so far as to say that it's ridiculous to think an attack like this could have happened without inside help. Having the strongest security system means nothing if someone on the inside gives away the key to the back door.

    Maybe companies should think a little more about who's in charge of their security systems.
  • SNaidamast
    As I have written in the past in one paper I published, for organizations, attempting to build adequate security into their applications is like preparing to be laid siege to; and the besiegers ALWAYS win.

    This is because in combat, it is the besieger who has the flexibility, the resources, and the focus to overcome even the most persistent defenders. Security is no different.

    Security implementations are at their best when they are put into practice with the idea of keeping out the most common forms of intrusion. Doing this, most companies will ward off a good percentage of attempted incursions. However, there is absolutely no way to prevent an attack by a highly intelligent hacker or group of hackers intent on getting at any one company's data. It is for the most part a mathematical impossibility, since most highly capable hackers have the time to analyze and study the method of the attack they want to employ and the weaknesses in a defender's defenses they want to exploit.

    It all really comes down to the statistical realities of military science, which the majority of management in the technology professions have very little knowledge of...
