iCloud, youcloud, wecloud - thoughts on consumer cloud service security

Matthew Hackling

Matthew has over ten years' experience operating solely in the area of information security, holds a Bachelor's degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte's Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges to still stay a bit technical. Hence he plays with BackTrack Linux, Metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt's security blog is called Infamous Agenda and he is an active Twitter user with the handle @mhackling.

The recent compromise of iCloud backups of celebrities has piqued interest in the security of consumer cloud services. To paraphrase Del Harvey from Twitter, when you have a million events a day, a one-in-a-million event happens once a day.

Below are a few of my thoughts; securing a commodity cloud service requires a lot of disciplined thinking:

1. If you run a mass market cloud service you need to do some serious threat modelling, including:

  • Consider your users. Not all users are the same. For example, human rights activists and celebrities are at risk of targeted attacks. You will need to categorise your users with enough granularity to apply security controls matching the threats. For example, using birthdates to perform password resets may not be as effective for celebrities.
  • Consider their information assets.
  • Consider threat actors. For example, cybercriminals, nation state actors, abusive ex-husbands and garden variety "script kiddies".

2. You should then select appropriate security controls for the threats identified, perhaps even using structured thinking like attack trees or "cyber kill chain" to pick the most effective.

3. You need to test the controls. This includes functional, user experience and penetration testing.

4. You need to have the process and people to be able to respond to security incidents including reports of vulnerabilities as well as breaches large and small.

5. Should consumers be able to opt in for increased security controls, the application of which is arbitrated by the cloud services provider? For example, Twitter has a "verified" option for public figures to prevent hoax accounts.

6. Some organisations can and will opt out of commodity cloud services and instead put in bespoke solutions. Instead of Twitter, many companies use Yammer.

7. Large organisations can control the use of cloud services in many ways.

  • A mobile device management solution that uses the iOS API can disable the use of iCloud.
  • A web proxy can be configured to block or monitor the use of commodity cloud services like Gmail and Dropbox.
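
The monitoring side of the web proxy control above, as an added example that is not part of the original article: it summarises, per user, the requests a proxy allowed or denied to watched consumer cloud services. The Squid native access.log layout, the domain watch list and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Illustrative watch list (an assumption, not a full inventory of each service's hosts).
WATCHED = {"dropbox.com": "Dropbox", "mail.google.com": "Gmail", "icloud.com": "iCloud"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1410000001.100 120 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT www.dropbox.com:443 alice HIER_DIRECT/198.51.100.7 -
1410000002.200 80 192.0.2.11 TCP_MISS/200 900 GET http://example.org/index.html bob HIER_DIRECT/198.51.100.8 text/html
1410000003.300 95 192.0.2.10 TCP_TUNNEL/200 7000 CONNECT mail.google.com:443 alice HIER_DIRECT/198.51.100.9 -
1410000004.400 60 192.0.2.12 TCP_TUNNEL/200 300 CONNECT notdropbox.com:443 carol HIER_DIRECT/198.51.100.10 -
1410000005.500 70 192.0.2.11 TCP_DENIED/403 0 CONNECT www.icloud.com:443 bob HIER_NONE/- -
truncated line
"""

def host_of(method, target):
    """Return the lower-cased destination host of a request target."""
    if method == "CONNECT":          # CONNECT targets are host:port with no scheme
        target = "//" + target
    try:
        return (urlsplit(target).hostname or "").rstrip(".")
    except ValueError:               # malformed target, e.g. a broken IPv6 literal
        return ""

def service_for(host):
    """Match on a label boundary so notdropbox.com is not counted as dropbox.com."""
    for domain, name in WATCHED.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None

def summarise(log_text):
    """Count requests per (user, service, allowed/denied) for watched services."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:         # skip truncated or malformed lines
            continue
        result, method, target, user = fields[3], fields[5], fields[6], fields[7]
        service = service_for(host_of(method, target))
        if service:
            action = "denied" if result.startswith("TCP_DENIED") else "allowed"
            hits[(user, service, action)] += 1
    return hits

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```
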

Hope these thoughts get you thinking too! 

This article is brought to you by Enex TestLab, content directors for CSO Australia 

 
