Hey, You, Get Off Of My Cloud: Cybersecurity Considerations For Managed Service Providers

It should come as no surprise that cloud computing has taken the consumer and business world by storm over the past decade. From Platform-as-a-Service offerings for businesses (Office 365 anyone?) to the availability of Software-as-a-Service to the consumer (such as Dropbox and Evernote, to name a few), the leveraging of these capabilities on the internet is transforming the way we use the internet. That said, it is also transforming the way personal data must be protected against unauthorized access and use. Data (especially personal information) on the cloud is getting rained on by hackers, and protecting against such security breaches requires a strong digital umbrella.

Again, this comes with the digital territory. As microprocessor speeds have increased, so has memory density and speed. With the increase in performance, however, came a decrease in costs relative to performance, creating powerful new architectures leveraged by technology companies (such as cloud computing) to provide easily accessible and highly useful applications to the masses. This perfect storm of performance, access, and capability is helping fuel internet hacking as well. Many saw this coming — an MIT Technology review article from 2009 rightly predicted that as security migrated to the cloud (by necessity), so would the attacks follow (by design).   In essence, the same architectures that are fueling the expansion and acceptance of the cloud are also turbocharging technologies used by hackers. From distributed denial of service attacks to sophisticated ransomware, bad actors are definitely leveraging the cloud. In fact, malware once limited to sophisticated programmers is becoming more easily accessible to those less technically proficient but equally ill-intentioned — one can now, for example, rent “ransomware-in-a-box.” Go figure.

Needless to say, that is causing information security professionals to rethink their approach to cybersecurity, especially those companies that managed service providers (MSPs) and the companies providing data security services to them. That is no more evident than the recent CloudHopper attacks — a hacking “campaign” that was far more extensive than thought. That far-reaching cyberespionage campaign was launched by a hacking group referred to as APT10 (and reportedly tied to Chinese intelligence services). According to TrendMicro, the campaign has affected “organizations in North America, Europe, South America, and Asia — and most recently managed service providers (MSPs) in: United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea, and Australia.”  How?  The hack inserted itself through phishing emails and then used various tools and techniques to “hop” across the MSP network infrastructure to access and steal valuable data across the entire network. Worse, this occurred over a span of years before being detected.

At a time when the move by more companies (and clients) to cloud platforms seems almost inevitable, your company (or clients) need to adapt their information security needs to this new level of threat. More importantly, your company (or clients) need to not only be aware of this attack vector but be prepared to adapt to this ever-evolving threat landscape. It’s more than just good technological practice — it is becoming essential to limiting legal liability. As I have written before here and here, implementation of a network architecture that does not reasonably address data security exposes a company to not only loss of its own valuable IP and other data assets, but may expose it to fines and third-party claims for data breach. It’s a daunting task, but not insurmountable. Here are a few considerations to think about to help mitigate the risk:

  • Balance Efficient Operation With Security Optimization. Provisioning a system for a client and configuring it to work efficiently may be good from a performance perspective, but terrible from a security one. This is even more important when third-party infrastructure is integrated in the platform. Unfortunately, there can be a tension between IT, corporate, and legal when it comes to implementation. When push comes to shove, it is essential for IT and legal/administrative to work together to achieve that balance so that acceptable performance  can be matched to acceptable business and legal risk.
  • Network Segmentation Is A Good Thing. The CloudHopper attacks are instructive here — proper segmentation of networks would have helped limit privileges and “stop the hop” along that attack vector in its tracks. By segmenting sensitive information into other virtual servers and further compartmentalizing it, you will make is far more difficult for hackers to get to that information in the first place. Limiting lateral access across the platform services also helps contain potential data security liability.
  • Data Encryption Is Your Friend … For Now. It should be self-evident that data encryption provides an extra level of protection that should always be considered when using cloud services. Where available, using it absolutely helps limit data risk exposure and legal liability. Unfortunately, encryption may not always be available for the application or viable from a use/performance perspective. Moreover, the inevitable dawn of quantum computing will limit the viability of current encryption mechanisms because the raw computing power makes brute force hacking of encryption keys within a reasonable time frame possible. If data encryption is available and possible, by all means use it!

I’ve said it before, so I will say it again — the fact that your company (or client) is going to be hit by a cyberattack is not a matter of if, but when. Any information security program is difficult enough for internal networks — cloud computing requires even more diligence and planning to help alleviate potential risk in this evolving threat landscape. So take the time to consider the foregoing carefully, otherwise the digital umbrella simply won’t cover as much as you think, and what’s worse, your company (or client) will pay for it.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.

Source link