Andrea Danti - Fotolia
With the promise of scalability, agility and a pay-per-use model, cloud computing is a popular option among enterprises. But cloud security remains a constant concern for some businesses -- and the infamous security breaches over the last three years certainly haven't helped. Regardless of whether cloud technology was truly to blame for these high-profile hacks, many have stigmatized public clouds, in particular, because of their multi-tenant environments and shared infrastructure.
So what's creating all of this ruckus about potential cloud security breaches? While cloud received plenty of negative attention, the technology wasn't entirely -- if at all -- responsible for any of the following security breaches. Here's a closer look at the causes behind five recent security breaches, along with the role cloud did -- or didn't -- play.
1. iCloud hack
While every security breach garners attention, the iCloud hack cast the cloud in an especially negative light, as hackers publicized private photographs of major celebrities, including Kate Upton and Jennifer Lawrence. The iCloud hack drudged up many concerns regarding cloud security, but cloud wasn't fully to blame for the hacker attack. Due to a lack of two-factor authentication, which requires users to provide two forms of identification to access an account, hackers were able to continuously attempt to sign into the celebrities' iCloud accounts.
Apple has since addressed the issue with iCloud backup alerts and expanded its authentication to cover additional Apple services.
While the iCloud hack targeted celebrities, the Target security breach compromised up to 70 million customers' credit card information during the holiday season of 2013. Similar to the iCloud debacle, Target's network breach revealed many holes in the company's security strategy. To gain access to Target's systems, hackers stole credentials from a third-party HVAC company through phishing emails. Hackers had access to Target's network for approximately two weeks in 2013 -- from November 27 to December 15.
Target has since taken measures to plug any security holes, but the intrusion could have been avoided or, at least, minimized. An intrusion detection package warned of the attack on multiple occasions, but those warnings were overlooked. According to cloud expert Jim O'Reilly, cloud data encryption at the source could have prevented the attack all together, as it would have only provided the HVAC company with the necessary nodes and not complete access to Target's networks.
3. Home Depot
In the words of philosopher George Santayana, those who cannot learn from history are doomed to repeat it. While the Target attack provided a sobering lesson about security risks, Home Depot suffered a similar fate. With more than 56 million credit or debit cards and 53 million emails compromised, the damage from Home Depot's attack even surpassed Target's breach. And similar to the Target fiasco, custom malware accessed a POS system, which gave hackers access to Home Depot's systems over nearly a six month period in 2014 from April to September.
Retail organizations, such as Target and Home Depot, must be compliant with PCI DSS, which is in place to protect payment card data. However, to better protect customer information from hackers, additional precautions, such as cloud encryption, are necessary. End-to-end encryption secures data from one end point to another, which means that payment card information is encrypted from the time a purchase is made to the time the bank receives the transaction. To prevent future security breaches, Home Depot added EMV chip-and-pin technology.
Ironically, the Sony Pictures hack earlier this year seemed like something straight out of a movie. Hackers, who refer to themselves as the Guardians of Peace, accessed data ranging from employee information and financials to email and unreleased films. Additionally, hackers destroyed thousands of Sony's computers and hundreds of its servers following the attack.
Malware was yet again the culprit, wreaking havoc on Sony's network. And while malware protection is essential and could have certainly limited the destruction, it's crucial to have a better understanding of what is taking place on a network with more in-depth network security intelligence. Network monitoring can alert businesses in the event of an intrusion, but alerts are useless if businesses overlook potential threats. Cloud wasn't the issue for the Sony hack -- it was improper network security precautions that ultimately did the company in.
5. United States Internal Revenue Service
As if tax season wasn't already painful enough, in the most recent breach on the list, hackers attacked the United States Internal Revenue Service (IRS) and gained access to more than 100,000 accounts from February to May 2015. These accounts included victim social security numbers, birth dates and addresses. Hackers targeted unencrypted data with the "Get Transcript" service. Unlike the aforementioned breaches, hackers may have been able to access the IRS system with information obtained in previous breaches.
While the role of cloud varied in each of these attacks, cloud technology itself was never exclusively to blame. Experts say cloud computing is not more inherently insecure than on-premises environments. However, to help protect sensitive information in the cloud, organizations need to consider additional security services, including encryption and monitoring, as well as furthering employees' understanding of proper cloud security techniques.
Nicholas Rando is assistant site editor for SearchCloudComputing. You can reach him at [email protected].
Five crucial cloud security tips from 2014
Seven cloud security risks to avoid
Is IoT security a growing concern?