by Paul Toal
“Trust is like the air we breathe: when it’s present, nobody really notices; when it’s absent, everybody notices.”
This quote from Warren Buffett is particularly relevant in today’s world of the cloud. As I explained in my previous post, whenever you use a cloud provider you are entering into a shared responsibility model where the cloud provider will be responsible for the security of the cloud and you are responsible for the security in the cloud.
However, when you are considering a cloud provider you must think carefully about trust. For example: do you trust your cloud provider not to look at your data? Do you trust the effectiveness of their security controls, not just against external attackers but also against their own operations staff? And are you confident they would inform you if they suffered a breach?
With the advent of cloud computing, the barrier to entry for budding, small software companies has never been lower. As a result, we are constantly seeing new start-ups, especially in the fast-paced world of security. However, security is hard to get right, and designing your software in a secure manner requires experience and skill. Unfortunately, vendors don’t always get it right. Don’t worry, this post isn’t a witch hunt against small vendors who have got it wrong. Read on and I’ll explain.
We all know that data breaches happen on an almost daily basis; they are constantly in the news. Take the most recent story last week about Verizon and the loss of data from their cloud provider’s storage services. I could go on and list many more, but that’s not the purpose of this article.
When considering cloud providers you need to ask yourself whether you can trust that provider. Even if you do, I believe that you should still work on the assumption that your data will be breached. Yes, you read that correctly. No matter what controls you or your cloud provider have in place, working from the assumption of a data breach forces you to think about your security controls, and your response to any breach, in a different light. If we continue with that working assumption, then we should be asking ourselves two key questions.
1) Is my provider building secure software and platforms?
If security were easy, we wouldn’t see as many successful attacks in the news as we do. Unfortunately, even with the best intentions, cloud providers don’t always get it right. Take the recent example of the OneLogin attack last month when, according to reports, an attacker was able to obtain a set of AWS keys and use them to exfiltrate sensitive data from the database. Should keys with such powerful access have been reachable from an internet-facing location at all? If not, was this a mistake or a design flaw? Is this the fault of the infrastructure provider or of the software company running on it? Whatever the answers to these questions, it was clearly an issue which led to a breach.
This comes back to security assurance and solid design and implementation throughout the software development lifecycle. As a security-focused company, Oracle has always taken security seriously. We have a well-established software security assurance framework, whose stated intention is:
“Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products”
Anyone who has worked in security for any length of time knows that security isn’t a one-off event but something which has to be built into your overall development lifecycle from start to finish.
This leads us to our second question.
2) How well does my provider respond to a data breach or security issue?
Even with the best will in the world and the best QA processes, mistakes do happen, either through bugs or poor design choices. Therefore, how a company responds to any issues is of paramount importance. Since I used a cloud-based identity provider in my previous example, why not do the same again, this time with LastPass, a cloud-based password manager. They have been plagued by a number of security issues recently as Tavis Ormandy from Google’s Project Zero has been digging into their service. However, as a responsible cloud provider, they have been extremely quick to respond to and fix those issues. This is what we need, and have to expect, from cloud providers in a world where our data is always online and typically accessible over the internet.
For all of your cloud providers, do you trust that they would notify you in the event of a data breach? Within what timescales would they notify you? As for Oracle, we document our response to security breaches and our notification policy in our Data Processing Agreement. We want customers to have the confidence that we know what we are doing and that we have built an enterprise cloud platform, providing a secure set of services underpinned by a secure platform, with all the necessary governance, policies and procedures in place to minimize risk and also to identify and respond to any incidents that may occur.