Sarah Palin hack damages the cloud?
On the face of it, the apparent hacking of Sarah Palin’s Yahoo mail account may have hurt the cloud’s onward march into enterprise credibility. With thanks to the head of enterprise architecture of one of the organisations I’m collaborating with for sharing the link, here’s a well-written perspective on the hack itself. I’ve also had a couple of colleagues mention, quite rightly, that this high-profile event serves as a timely reminder for us to think very carefully about the cloud’s enterprise viability.
By using services in the cloud to hold corporate data, as opposed to within our corporate walls, the concern is we are automatically exposing the corporate to additional risk. And it is a concern we must take seriously.
But this is far from the full story. Computer hacking is as old as computers, and social engineering as old as, well, people.
The argument often goes that by definition a service in the cloud has ubiquitous potential access for both the authorised and the hackers alike, whereas the corporate network has restricted access (to employees) and so hacking is intrinsically harder.
The reality is somewhat different.
In fact, when you assume any real level of connectivity (and which business can afford not to be connected?), the security model of the Web is intrinsically more secure than the pre-Web security model most corporates have in place today – ask your trusted security expert about application-centric and moat security compared with document-centric and de-perimeterisation security.
Many years ago, the best and brightest security experts figured out that, while there are many levels of security (as they went on to describe in the Orange Book), if you want the best level of security over your data, you have to put your computer in a bunker with cameras recording who uses it and whatever you do you never ever, under any circumstances, connect it to a network.
Back in the mainstream world, the technical aspects aren’t perhaps the most important factors here. The real issue is not with the cloud, it is of course with us, the ‘wetware’.
Let’s flip this around and imagine for a moment you’ve responsibility for information security for your organisation. (Go on, really try it…!)
Imagine it’s your first day in the job and you’re sat in front of a big, horizontal slider control.
It’s the security control for the corporation and it can be set to ‘default deny’ – which means no-one can do anything unless they have explicit permission signed in triplicate and approved by a corporate bureaucracy prized for its ‘beware of the leopard’ signs – or ‘default allow’, which means anyone can access and share absolutely anything, and everyone is given 24 hour access to a good corporate lawyer.
The slider is set bang in the middle. On the left the label says ‘default deny’, and on the right the label says ‘default allow’.
Which way do you move the slider and how far?
This is perhaps one of the toughest decisions faced by corporate and government information security policy makers - just where does security policy start on this security continuum?
What we do know is that too much technical security is as risky as too little – perhaps even more so. When corporate IT takes too much of a default deny stance, people getting on with their jobs tend to find workarounds which unwittingly weaken security.
If you’ve been following events in the UK recently, memory sticks come very much front of mind.
In the end, people tend to behave more responsibly when given more responsibility. And not connecting to the world for a business or government is a non-option. So for me, if I had my hands on the lever, we'd embrace the cloud while sliding the slider to the right. This might sound like information security suicide, but I think it’s the way to go.
But wherever you’re at personally in the debate, connectivity is here to stay and I hope the Sarah Palin hack helps us think about the human elements before we get too lost in the technical mist of the cloud.
Comments
# on October 2, 2008 3:59 PM, Gopal Padinjaruveetil said:
Carl,
Sorry I beg to differ with you, I feel that the hacking of the email has no relation to the 'cloud' march towards the enterprise.
Sarah Palin's e-mail hacking is striking and underscores the importance of improving privacy questions for password recovery.
Please see the link on the story behind the hack.
http://michellemalkin.com/2008/09/17/the-story-behind-the-palin-e-mail-hacking/
Believe me it is easy to hack any public email or most of the websites.
I had written a blog on Security vulnerability 2 weeks ago called
"Beware of the CookieMonster!! He is coming to Town Soon"
Web browsing on SSL sites may not be as secure as you think. Talk of HTTPS cookie hijacking is pushing its way toward the front of the line of security concerns with the release of details regarding an automated tool dubbed the CookieMonster, a Python-based tool developed by security researcher Mike Perry, which can be used to steal private data via HTTPS cookies, though Perry has put off making the tool available to the general public.
You may ask why. Mike says many sites are vulnerable and don't seem to care, and his response: release a tool showing how bad this is.
The vulnerability revolves around the fact that cookies have two modes: secure and insecure. If a cookie is insecure, a browser will transmit it for plain old http connections, and an active attacker can then inject a set of http images for sites that they want cookies for, and the browser will happily transmit cookies for these sites unencrypted, allowing their capture. This attack can even be automated for the majority of sites without the need for a list of targets.
For details please see
http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
He also has an Incomplete List of Alleged Vulnerable Sites (be ready to get surprised and don’t panic if your Bank is listed here!!)
http://fscked.org/blog/incomplete-list-alleged-vulnerable-sites
"For a given site, inspect the individual cookies for the top-level name of the site, and any sub domain names, and if any have 'Send For: Encrypted connections only,' delete them," Perry explained on his blog. "Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer."
Regards
Gopal Padinjaruveetil
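The secure/insecure cookie modes described in the comment above can be checked from the site owner's side by auditing the `Set-Cookie` headers an HTTPS response emits. The following is an added example, not part of the original comment and not Perry's tool; the header values are constructed samples and the function names are hypothetical.

```python
from typing import List, NamedTuple


class Cookie(NamedTuple):
    name: str
    secure: bool      # "Send For: Encrypted connections only" in browser UIs
    http_only: bool


def parse_set_cookie(value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and security flags."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name, "secure" in attrs, "httponly" in attrs)


def browser_sends(cookie: Cookie, scheme: str) -> bool:
    """Model the rule in the comment: an insecure cookie goes out on any
    scheme, a secure cookie only on https."""
    return scheme == "https" or not cookie.secure


def leaked_on_http(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies a browser would attach to a plain-http request
    to the same site, i.e. the ones a network observer could capture."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return [c.name for c in cookies if browser_sends(c, "http")]


# Constructed sample: headers as they might appear on an HTTPS login response.
SAMPLE_HEADERS = [
    "SESSIONID=3f9a7c; Path=/; HttpOnly",                       # no Secure
    "csrf=ab12; Path=/; Secure; HttpOnly",
    "prefs=lang=en; Expires=Wed, 21 Oct 2026 07:28:00 GMT; path=/",
    "auth=tok123; secure;",                                     # lowercase flag
]

if __name__ == "__main__":
    for name in leaked_on_http(SAMPLE_HEADERS):
        print(f"cookie {name!r} lacks Secure and would be sent over http")
```

Any session or authentication cookie this reports needs the `Secure` attribute added on the server side.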
# on October 2, 2008 10:13 PM, Mark Nankman said:
Dead-on, Carl! I couldn't agree more. Trust and responsibility are important values that most people respect and expect when they interact with the cloud.
By the way, did you read about Richard Stallman's opinions about Cloud Computing? You are opposing them. Read: http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman
# on October 3, 2008 10:48 AM, Carl Bate said:
Hi Gopal
To me, the hack is deeply relevant to the cloud as people with IT strategy responsibility are citing it as an example of the risks of using services outside the corporate network – compare a corporate Outlook infrastructure vs Yahoo or Google mail.
I agree with you there are serious technical considerations that need to be addressed and it is my view the technical aspects will be evolved. But just because it’s possible for a crime to be committed doesn’t make it inevitable, and we are really into full-on socio-technical territory here. I believe addressing the issues requires both socio and technical, starting with the socio.
Best wishes
Carl
# on October 3, 2008 11:06 AM, Carl Bate said:
Hi Mark - many thx for the feedback, and also the link.
I hadn't seen the post before and yes, you're right, I have a different perspective! For me, the important aspect is to think about service first before software, and then start to consider opportunities and threats with service characteristics, location and ownership.
I’ll give this some further consideration and see if a post emerges…
Best
Carl
# on October 3, 2008 1:43 PM, Mark Nankman said:
Glad to see you agree. The strong contrast between your post and that interview with Stallman inspired me to write this blog item:
http://www.capgemini.com/technology-blog/2008/10/clouded_opinions_on_the_cloud.php
# on October 7, 2008 12:13 AM, Vernie said:
The Palin hack was a very good reminder of the analog portion (people) of the digital security equation. On a personal user's level, not much has changed since the cloud has always been a dangerous place for the individual. Ultimately, I think these are questions that simply have to be addressed before any type of web services are viable for corporate use. I know that's already an old viewpoint, but I think it's still valid... Even more so after this and other high-profile hacking.