I’ve been ranting about “the cloud” (what a tired term) for a couple of years now. As if we haven’t seen enough examples lately of why we cannot put all our eggs in the cloud basket, here’s one more with the “code bug” that impacted Dropbox’s authentication mechanism over the weekend.
Sure, Dropbox isn’t an enterprise cloud app per se but I’ll guarantee you it’s impacting your enterprise this very moment. Think data backups, intellectual property, PII, password safes and whatever else your users are syncing across their multiple systems.
How do you explain such exposures to management or to your board when something like this happens? Do you say “Well, our cloud provider said their system was secure because they use SSL and, furthermore, have a SAS 70 Type II audit report to prove it,” or “Our legal team approved of the contract and the SLA and gave us the go-ahead”?
I don’t know that management will ever get on board the way they need to but cloud insecurities will certainly work themselves out in the marketplace – and in the courts – and eventually get on the radar of the people that matter.
This Dropbox dilemma is a relatively small and insignificant example of what happens when you completely rely on others for information security. I’m not saying don’t use the cloud. I’m saying get your arms around the cloud before it impacts your business in a negative way. Odds are it’s going to somehow and everyone will be looking at you for a well thought out response.