Equal security between consumer- and business-focused services is 'possible, but not likely,' security expert says

Compromises in security are necessary to make cloud services easy to use for the average non-technical person, experts say.

The question of the impact of making cloud services consumer friendly arose this week, following the discovery of Apple and Amazon security flaws that enabled hackers to gain access to tech journalist Mat Honan’s iCloud account. Once in, the mayhem they caused included remotely erasing all data from his iPhone, iPad and MacBook.

In Honan’s case, the hackers didn’t use sophisticated tools to break into his account. Instead, they got the information they needed by impersonating him in telephone calls to Apple’s and Amazon’s tech support.

While Honan fell victim to human error, other high-profile hacks of consumer services over the last three months involved breaking into websites and stealing millions of customer passwords. The businesses that suffered the security breaches included Yahoo, LinkedIn, Dropbox and eHarmony.

So the question becomes, are these sites inherently unsecure because they need to be very user friendly? Would having better security, such as two-factor authentication or the enforcement of more hacker-proof passwords, be so inconvenient that it would drive people to competitors?

Many experts say there is a trade-off between security and usability, and a cloud service often has to balance the two, depending on its purpose.
If its customers are primarily consumers, then security mechanisms won’t be as stringent as those used if the service provider caters only to businesses.

Equal security between consumer- and business-focused services is “possible, but not likely,” Andrew Plato, president and chief technical architect of Anitian Enterprise Security, said on Friday.

“Consumers and businesses have very different needs and tolerances to failure,” he said in an email. “There are not very many [cloud] apps that have made the jump from consumer to business or vice versa.”

Matt Dean, chief operations officer for FireMon, agreed, saying that he often sees corporations make security compromises in Internet-enabled business applications. “They are constantly balancing security with usability, the ability to access this data when and where people need to,” Dean said.

J.J. Thompson, chief executive of Rook Consulting, disagreed. While the breach that caused Honan so much misery was “very unfortunate,” it “clearly illustrates a control breakdown and a training issue,” he said. The incident alone did not mean cloud services couldn’t be adequately secured.

To be protected, a cloud service needs to educate its workforce about security, have processes in place to prevent information from being given out to the wrong person and have properly configured technology to ensure security and privacy. “The symbiotic relationship between people, process and technology and the associated controls must be in harmony to maintain a secure and compliant state — period,” Thompson said.
If all three areas are covered, then a cloud environment is more secure than computers maintained by many individuals and businesses, he said.

Beyond the issue of security versus usability, said Colby Clark, director of incident management at FishNet Security, the biggest problem facing businesses in using cloud services in general is the lack of auditability following a breach.

“The cloud computing environment is not conducive to performing after-the-fact forensic investigations to identify if your data has been compromised, how it was compromised, and by whom,” Clark said by email. “Moreover, cloud providers are often reluctant to allow forensic investigative tools, especially anything involving memory analysis to be conducted on their systems.”

Despite missing important capabilities, cloud services are attracting businesses willing to trade risk for the convenience and lower cost of not having to maintain or manage the applications. In a recent survey of 4,000 businesses and IT managers, the Ponemon Institute found that half had transferred sensitive or confidential data to the cloud, and a third more were very likely to do so in the next two years. At the same time, 39 percent in the study, commissioned by IT security company Thales, believed cloud adoption had decreased data security and nearly two-thirds did not know what cloud providers were doing to protect data.