Cloud security: We're asking the wrong questions

The outcry over celebrity nudes blames a new scapegoat -- the cloud -- for our security woes, but underlying causes run deeper


The original cloud: Credit data

Vast reservoirs of critical data have existed far outside your control for decades, long before the "cloud" nomenclature was invented.

Take credit card information. It goes without saying that you shouldn't worry about your credit card being stolen from the latest vendor -- like Home Depot -- because your credit card company (or other service provider with your financial information) is likely owned by multiple APT groups as well. Your credit card is probably already compromised.

What's stopping the bad guys from using your credit card/debit card if they already have it? For one, they have so many credit cards it's hard to use them all at once. That's why your stolen credit card gets replaced by the bank every two or three years rather than every year.

The groups that steal or buy credit cards aggregate them in large databases, then offer them for sale to other people. Your credit card is likely on multiple criminals' credit card selling lists, for offer to anyone willing to pay the fee (usually ranging from $2.50 to $50, depending on the likelihood of it netting revenue for the buyer). The credit card selling operations have auction boards, satisfaction ratings, shopping carts, customer support services, and money-back guarantees.

If you want to read about the complexities -- and openness -- of these criminal enterprises, peruse a few articles on Brian Krebs' website. It's stunning to behold the maturity and sophistication of these operations. Some even buy credit card information directly from the credit card rating agencies! This stuff is organized. It's not merely one bad seed with a direct link to one credit card rating agency.

State of insecurity

The state of computer security basically defaults to insecurity. I don't say this to scare anyone. It's been this way for a long, long time. For now, society accepts this state of insecurity as an inconvenience -- a cost of doing business.

I can guarantee you, however, that it's going to get worse. I've been asked the same question for 20 years: "Is computer security going to get better this year?" I've always replied no, and I've always been right. Sure, we are finally catching many of the big players, but for every one we catch, more move in. It's a big game of Whack-a-Mole.

Yes, the cloud introduces new vulnerabilities, but that's balanced by better security practices on the part of cloud providers than most customers can muster on their own. The cloud isn't the problem. Next week, I'll talk about the real reasons behind the miserable state of security.

This story, "Cloud security: We're asking the wrong questions," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2014 IDG Communications, Inc.
