Welcoming the clouds in our eyes

Bean counters want to minimize the number of cloud vendors a company uses. But multiple cloud service providers might actually be more secure!


Cloud lock in – turning the tables

ReCode noted a slide in Mary Meeker's annual Internet Trends report showing that companies are increasingly concerned about lock-in and the unease of switching between cloud vendors, naming it one of their top three concerns. The ability to leverage suppliers has long been a strategy in negotiating prices for goods and services, and cloud services should be no different.

While companies prefer to minimize the number of vendors they maintain due to the costs of due diligence, legal, contracting, quality assurance, and more, there is an argument to be made that using multiple cloud service providers is good for security.

Last year Forbes published a piece noting the average U.S. corporation utilized six different cloud services vendors, in many cases as a hedge against this very lock-in problem. Six might seem excessive in an era where IT department cost savings are paramount, but it might just be the optimal number.

In a previous post, I noted the use of MultiParty Computation, or MPC, to conduct mathematical calculations on encrypted data sets.  One can average the salaries of an entire department, say an engineering office, despite each person’s individual salary information being protected in a locked file that only they have the key for. 

MPC has been used for years in Europe for a variety of purposes where sharing protected information is necessary to conduct routine business. This ostensible paradox holds additional benefits when taken one step further.

As I noted then, MPC can include the use of a digital lock where each participating party must provide their individual piece of a complex key. Like a combination lock on your sports club locker, you must dial in the numbers in the correct order to open the lock. This is the digital equivalent - should any single participant choose not to provide their number in this digital progression, the analyzed data cannot be accessed by anyone, including (if desired) the other participating members.

We can secure our individual data in the same manner by following this same strategy.

Masters of the trade = specialists

One of the hardest parts of data security is the single point of failure aspect to key management.  We don’t need to break advanced encryption algorithms if we can simply steal the credentials necessary to open them.  Bank robbers don’t blow the vault door when they can instead muscle the branch manager for the combination.  Having encryption keys stored in one place makes that one place ground zero for cyber thieves.

So what if instead, we stored the key components in multiple places?

Take a single key and break it up into parts, then distribute those parts across multiple cloud service locations.  These would be behind company firewalls and using all the usual security protocols – but instead of being stored in one high risk location, they are now stored in numerous low risk ones. 
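The splitting step described above, as an added example that is not code from the article: it assumes an n-of-n XOR split (the article names no scheme), in which every share is required and any smaller set of shares is statistically independent of the key. The provider labels, function names and the SHA-256 check value kept by the key owner are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed provider labels; the article prescribes no storage layout.
PROVIDERS = ["provider-a", "provider-b", "provider-c"]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n: int):
    """Split key into n XOR shares; return (shares, check digest)."""
    if n < 2:
        raise ValueError("need at least two shares")
    # n-1 shares are uniformly random; the last is the key XOR all of them,
    # so fewer than n shares reveal nothing about the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    # The digest stays with the key owner (assumption) and is only safe to
    # keep for a high-entropy random key, not for a password.
    return shares, hashlib.sha256(key).digest()

def combine_shares(shares, check: bytes) -> bytes:
    """XOR all shares together; reject a missing or altered share."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares differ in length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), check):
        raise ValueError("reassembled key failed integrity check")
    return key

def demo() -> dict:
    key = secrets.token_bytes(32)            # constructed 256-bit key
    shares, check = split_key(key, len(PROVIDERS))
    stored = dict(zip(PROVIDERS, shares))    # one share per provider
    recovered = combine_shares(list(stored.values()), check) == key
    try:
        combine_shares(list(stored.values())[:-1], check)  # one provider missing
        partial_rejected = False
    except ValueError:
        partial_rejected = True
    return {"recovered": recovered, "partial_rejected": partial_rejected}

if __name__ == "__main__":
    print(demo())
```

Simply cutting a key into substrings would hand each storage location real key bits; the XOR construction avoids that, at the cost that losing any one share makes the key unrecoverable.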

Rather than stealing the keys from a single server, a thief would need to break into several: the big guys like Amazon Web Services, Microsoft Azure, and Google Cloud. Then there’s a host of smaller (in market share) vendors like BlackBerry, VMware, and HP. Factor in specialty applications or data analytics providers and the list gets even longer.

‘Target’ing the keys

Professional thieves generally specialize in one particular area - a vendor, or technology, or device type.  One person with the expertise necessary to break into numerous cloud services and analytics application providers undetected is rare indeed.  But perhaps more importantly, doing so would eat up an enormous amount of their time.  Thieves want to get in, grab credentials, and get out.  Having to gather a single key’s components from multiple locations would not be worth the risk when there are easier targets to hit.

Assuming they could steal all the pieces, the thief would have to reassemble them in the right way.  This too can be complicated by a variety of means to mask the correct order, how and when the combination will work, and controlling access even when the correct decryption key is presented.  Again, this creates a huge time commitment that may not be justified when there are easier targets available.

Yes, the CFO may need some convincing about the cost of ‘redundant’ cloud vendors. But remind them that the current ‘average’ cost of a data breach is $3,000,000. And it’s not just the company’s internal security that needs to be considered – there’s also the suppliers.

Target’s infamous 2014 hack of 40,000,000 customer records began by stealing log-in credentials from their HVAC supplier. CEO Gregg Steinhafel became the first chief executive to lose his job over a data breach.

Steinhafel’s 35-year career with Target might have continued if the HVAC supplier had their passwords safely tucked away among several cloud storage providers.

Copyright © 2017 IDG Communications, Inc.
