Cloud security

Where Is Your Data Safer? In the Cloud Or On Premise?

Companies create data at an absolutely astonishing rate these days and there’s no reason to think that’s going to change. While some of this information is not especially interesting, there are other kinds that could destroy an organization if it ended up in the wrong hands.

This is why it’s so important to consider where you store your company’s data: on your premises or in the cloud. While both have their relative merits, the most important in this time of constant data breaches is security.

Learn Cloud Security

Get hands-on experience with cloud service provider security, cloud penetration testing, cloud security architecture and management, and more.

Start Learning

Below, we’re going to explore what both options entail, the ways a data breach could occur and whether or not there is a safer choice between the two we just mentioned.

Storing Data on Premise

Storing data on-premise refers to companies having their own exclusive data centers. Traditionally, this is how many organizations designed and maintained their networks. Amongst other things, it requires the physical hardware, space for said hardware, and backup and disaster-recovery services.

Despite the growing popularity of the cloud, many companies still prefer their on-premise application. The main reason behind this preference is security. Many simply don’t feel comfortable outsourcing their network or giving up control over its defenses.

Keeping Data on the Cloud

The cloud is a network of servers wherein each one serves a different function. Some store data. Others run applications. You’ve probably noticed that, more and more, you don’t buy your software in a box from a store; you pay a monthly fee to access the platform online; that’s one version of the cloud in action.

Another common example is uploading a photo to social media. If you take it on your phone, that photo is stored in the device’s internal memory drive. Once you upload it to a social media site, it is then stored on the company’s cloud servers.

Other common examples of using the cloud most will be familiar with include:

SkyDrive
Google Drive
Dropbox
Evernote
iCloud

On an enterprise level, the cloud can be used for storing an entire organization’s data. To put it simply, these companies no longer need their own on-premise data center for hosting. It also makes it easy for employees to access the company’s network from anywhere using a number of different devices.

As we touched on earlier, security is one of the main reasons there is a divide right now between companies that keep their network on the cloud and those that prefer an on-premise setup. To help decide where your data is safest, let’s begin by taking a look at where breaches have occurred in the past.

Where Are There More Breaches?

Doing an exact breakdown of where more attacks take place between the cloud and on-premise servers would be impossible. We’ll never know how many attacks have taken place, for one thing, but there is also no way to carry out an accurate survey even if we did.

Instead, all we can do is look at the ones we know about and try to make an educated guess.

Before we do so, it’s worth pointing out that there has been an increase in attacks on cloud-based servers in recent years. However, that’s hardly enough to declare a winner. As more and more companies begin adopting the cloud, it’s to be expected that hackers would follow suit.

Furthermore, we’re talking about enterprise-level concerns. In 2014, news broke that numerous celebrities had private photos stolen from their Apple devices because they had been stored on the cloud. All the hacker had to do was find the email address associated with a given account and they were halfway there.

While these attacks raised legitimate concerns, this is not the kind of storage we’re referring to when we talk about “the cloud.” Also, these attacks had nothing to do with breaching in the sense we mean here either.

For help with this topic, we turned to an expert in the field, Jeff Williams. Mr. Williams is the cofounder and CTO of Contrast Security. His knowledge of data breaches was recently on display during an interview in Forbes.

According to Mr. Williams, when it comes to the headline-making attacks we’re all familiar with, “Most breaches were not of data stored in the cloud. For example, Target was entirely internal and the attackers found their way onto the POS network.”

Let’s begin by looking at that one.

The 2014 Target Hack

As Mr. Williams pointed out, the attack was successful because the criminals were able to access the POS network. From there, they it was possible to steal information related to more than 40 million debit and credit card accounts. This included:

Full names
Addresses
Telephone Numbers
Email Addresses

It’s also worth pointing out that the year prior, 30 million customers fell victim to a similar hack. In fact, many customers suffered twice because Target still had their data.

Combined, these attacks are thought to have cost Target between $148 and $162 million. The CEO and CIO also lost their jobs over the fiasco.

These attacks placed Target on a long list of retail stores that have been victimized by these kinds of breaches. Others include:

There are a number of different types of POS malware, but once a criminal has targeted a certain type of machine and found the right software for the job, there is no end to the companies they can victimize.

The 2015 Anthem Hack

When the second-largest health insurer in the country suffered a hack in 2015, it sent a shockwave throughout the industry. All of a sudden, other health care companies quickly had to identify whether or not they were vulnerable in the same way (most were; many still are).

The Anthem hack of 2015 remains the largest of its kind. As many as 80 million records may have been affected, but how much it actually cost the company may never be known. Nearly $100 million has already been spent in the wake of this historic breach.

Although many have blamed China for the attack, the culprit wasn’t caught. We do know what they got away with, though, which was the personal information of patients, which included things like:

Full names
Birth dates
Home addresses
Social security numbers
Income data

While the health care company took sufficient steps to protect data when sending sensitive data to third-parties, it appears they were overly confident about the security of their own network.

The 2014 JP Morgan Chase Hack

Another attack for the record books occurred in 2014. This time, JP Morgan Chase was the target, though it was later discovered that the criminals responsible had gone after more than a dozen companies and, since 2007, probably enjoyed rewards in the hundreds of millions of dollars.

The successful attack against this financial institution marks one of the biggest cybercrimes ever discovered. Some 80 million customers had their names, email addresses and other information stolen.

Instead of taking money, the hackers were after information they could use to trick customers into buying penny stocks they themselves had already purchased. Essentially, they were planning a “pump and dump” scam, just on a level the world had never seen before. They had already been successful with other efforts in the past and planned on starting their own financial services company using the data they had stolen.

The way they stole this data, it seemed, was by exploiting an encryption-software security vulnerability named Heartbleed. Once they had access, they even repaired it to cover their tracks.

These three incidents alone may have you believing that keeping your company’s data on the cloud is obviously the smart move. However, now let’s take a look at some infamous attacks where the company that suffered had taken the same advice.

The Dropbox Hack of 2012

Only recently, it was discovered that a hack of Dropbox which occurred four years ago has resulted in more than 68 million users having their email account information leaked.

Dropbox getting hacked is a great example of what many IT professionals fear when it comes to the cloud. Namely, if hackers are successful at breaking into a company, they can run wild with that one organization’s data. However, if hackers are successful at hacking a cloud service provider, dozens, hundreds of even thousands of companies could be compromised within the blink of an eye.

We’re going to get into this more a bit later, but the vulnerability hackers exposed to attack Dropbox and obtain sensitive information related to millions and millions of accounts was simply compromising a single employee.

Again, this is what sends chills down the spines of so many in IT. You can always do more to ensure your employees aren’t falling for these kinds of tricks, that their access is kept to a necessary minimum, etc. But once you trust a third party, well, you really, really need to trust them.

The Code Spaces Hack of 2014

Another example of hack-by-cloud happened in 2014 to the popular Code Spaces hosting company. For years, the business had no problem finding customers from around the world and enjoyed favorable reviews.

On June 17^th, the initial strike occurred via a DDoS attack and then entrance into the company’s Amazon EC2 control panel. The hackers demanded a ransom in exchange for returning control of their panel. When Code Spaces responded by trying to regain control through recovery attempts, the hackers used backup logins they had created and began deleting files.

By the time Code Spaces was able to wrestle control back from the hackers, the damage was done – and significant. Most of their data, backups, offsite backups and machine configurations had been partially or completely destroyed.

Officials provided an explanation and apology on their website that gave a brutal depiction of what’s possible for companies when their cloud provider is hacked:

“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility. As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.”

Thousands of companies lost all or part of their data for good.

The Treasury Department Hack of 2010

While it wasn’t an earth-shattering incident, back in 2010, the Treasury Department was hacked just one year after switching to a cloud provider. As a result, the department’s website was down for four days. Before finally being taken offline, new visitors were attacked with malware.

While many people may think that the US government would be at the forefront of cyber security, this attack was leveraged via the Eleonore Exploit Pack, a malicious toolkit that cost only $700 at the time and took very little skill to operate.

This is hardly the worst cyber attack our government has sustained and, in light of recent events, it’s quite harmless by comparison. Nonetheless, it was one of the first times the public realized that our government was outsourcing to third-party cloud providers and that this sort of procedure could be a problem.

Sadly, we could go back and forth for months comparing cloud vs. on-premise hacks. The main point is that both have suffered their fair share. While this should give you some insight into your own network’s vulnerabilities, it still doesn’t give us an answer to our question.

Further information is necessary for this, like the nature of the very breaches you’re trying to protect against.

Types of Breaches

There are seemingly countless ways a cyber criminal can breach their target and steal their data. Each year, we learn about new methods too. For the most part, though, these efforts can be broken down into five different categories. As we’ll talk about more a bit later, it’s important to understand what these attacks look like – even if you don’t work in IT – so you can do your part to keep your organization safe.

Hacking

Likelihood: Extremely high – All but inevitable
Severity of Attack: Potentially devastating

This is perhaps the most well-known type of breach to the general public. It involves an external party accessing a company’s network usually to obtain access to sensitive data. Other times, their intent may be little more than mischief.

In either case, these crimes often take little technical knowhow on the part of the malicious party. Spear-phishing attacks are aimed at a single individual or small group and are designed with a significant amount of detail – enough to ensure the recipient never imagines the sender isn’t who they say they are.

Unlike phishing scams, spear-phishing attacks usually take a long time to design, as the hacker must use sites like LinkedIn and Facebook as well as social engineering tactics to figure out who the best possible target will be and then how to trick them.

The email itself is much like your standard phishing attack. It involves a link that, once clicked on, will take the recipient to a malicious site or launch malware.

Again, the recipient is well-researched beforehand so that the attack will give the hacker their best chance at their end goal. For example, if they want medical records, they’ll make sure the email makes it to someone with login credentials.

There are two reasons that this type of data breach is particularly scary. For one, the ramifications can be devastating. Imagine a complete stranger having access to any portion of your network. Then imagine what they could do with that.

Consider the current trend of W2 phishing attacks. Since January of this year, at least 55 organizations have suffered from this scheme. Once successful, the responsible hacker is able to compromise the W-2 records of every employee in the company. These records contain a treasure trove of personal information the hackers can use for all sorts of fraudulent purposes.

Another example is when RSA, a subsidiary of EMC, was hit with an attack back in 2011. Despite the fact that it was a security company, the hack was accomplished with just two emails sent to four employees. While RSA originally claimed the damage was minimal, three months later, Lockheed Martin announced they were being targeted by hackers who were using duplicates of the SecurID keys they had been issued by RSA.

The other truly disturbing aspect about this kind of attack is that they’re rarely overly-sophisticated. In the case of the RSA attack, the message in the email literally said nothing more than, “I forward this file to you for review. Please open and view it.”

Its malware didn’t need to target a high-level executive because it left a backdoor on the compromised computer that the hackers could then work from later.

This lack of sophistication means that practically anyone with enough of a motive could potentially deploy this kind of attack. Depending on whom you ask, your chances of being hacked are:

Like so many things with data breaches, these numbers are hard to pin down exactly. Your company could already be the victim of an attack and may not know for months.

Advantage: Cloud

Loss of Physical Devices

Likelihood: High
Severity of Attack: Moderate

Sometimes, malicious parties gain access to a company’s network without needing a single line of code. Instead, a negligent employee does all the heavy lifting for them.

Most companies place a significant amount of trust in at least some of their employees by letting them do work from their laptops, phones and tablets. They may carry USB drives that contain sensitive data or even transport entire hard drives at times.

All of these physical devices provide doorways to a cyber criminal. Best of all (for them), they often don’t have to do a lot of work to break into them. It’s like finding the keys to a home they want to burgle.

Perhaps, it sounds like this kind of threat would be fairly rare. After all, most of us cling to our mobile devices or at least check them often enough that they might as well be attached at the hip.

Yet, in the financial sector, this makes up a fourth of all successful breaches. That’s more than any other in that industry and an attack that doubled in quantity from the year before.

The fallout from one compromised device can be large or miniscule. When a physician formerly employed by the University of Oklahoma had his laptop stolen, the records of 9,300 patients were potentially at risk. That’s still a good amount of people affected, but it’s a fraction of the 100,000 people who had their information stolen after a thief made off with a laptop belonging to an employee of SterlingBackcheck.

Granted, neither of these numbers is very large compared to the millions who have been impacted by larger data breaches, but these attacks are also far simpler. They literally involve the criminal taking hold of a device and walking off.

This past July, Kensington – a company that supplies accessories for laptops and other mobile devices – surveyed 300 IT workers about IT theft. Here’s where it’s most likely to happen:

Cars and Transportation (25%)
The Office (23%)
Airports and Hotels (15%)
Restaurants (12%)

That’s right. Your own office is the second most-likely place your employees will become a victim of their physical devices being stolen.

Advantage: On-Premise

Employee Misconduct

Likelihood: Moderate
Severity of Attack: High

Your organization most likely has rules that make clear which employees have authorization to view/work with certain types of data. It goes without saying that you make sure this data is password-protected as well. Perhaps you take a number of other steps to ensure that only those with prior approval are able to access sensitive information.

Yet, one of these authorized employees could easily send the data to someone else. We’re not referring to malicious behavior here. Rather, it would be an employee who mistakenly thinks a coworker has their same level of access or simply isn’t thinking when they transmit classified data to the wrong pair of eyes.

Another example would be a well-intentioned employee sending the information to someone who does have access, but does so using an unencrypted email. At that point, the respective levels of access of the two parties don’t matter; an unencrypted email is easy pickings for a hacker.

It’s tough to rank the types of risks this problem poses. An innocuous email from one employee to another about when to grab lunch probably won’t do a cyber criminal much good.

Then again, most of you probably remember what happened when Sony was hacked. While that attack wasn’t successful because of an unencrypted email, the fallout should make it clear that you don’t want cyber criminals having access to internal messages that were never meant for the public.

Uber is another company that suffered a PR disaster when thousands of emails were leaked to the public. Again, the nature of the attack wasn’t intercepting emails, but it’s another chilling reminder of what this type of scheme could do to your company. In the case of Uber, its head of global customer support resigned.

The good news is that this type of attack can almost be completely eliminated if your company encrypts all its emails. Gmail is doing its part by flagging unencrypted emails, a move that is already showing results.

Still, you always need to worry about how the recipient of your emails is handling them. Forwarding them without encryption leaves you exposed.

Advantage: Cloud

Third-Party Misconduct

Likelihood: Moderate
Severity of Attack: High

This is similar to the type of risk we just discussed, except in this case, it’s a third-party business you’re working with that is the victim of a successful breach. When this happens, your company can also become a victim simply by proxy.

The problem is especially prevalent in the healthcare industry. For one thing, PHI (Protected Health Information) is extremely valuable. Secondly, the industry is a spider web of relationships between health care providers and business associates, giving hackers ample opportunity to strike.

HIPAA even has specific guidelines regarding business associates that demand they use appropriate safeguards to keep PHI safe.

Advantage: On-Premise

Malicious Insiders

Likelihood: Rare
Severity of Attack: Moderate

We’ve covered how your own employees can give criminals the opening they need to strike. Now we’re going to talk about those times when employees are the actual criminals or at least working with them.

Ibrahimshah Shahulhameed provides a perfect example of what we’re talking about. The former technology contractor for Toyota was fired from his job at a factory in Kentucky. Disgruntled, the man went home, logged into the company’s network and began attacking it with commands that would take months to undo (it’s worth noting that Mr. Shahulhameed is appealing the verdict).

This is far from an isolated incident. In 2013, malicious employees cost their companies $40 billion. Incredibly, this number is probably shy of the true amount. Most companies will go out of their way to make sure the public doesn’t know about these kinds of incidents.

Nonetheless, it’s easy to imagine the type of damage that can be done by one rogue employee with a bone to pick. Hackers may spend months developing an attack have pinpoint precision (as with the spear-phishing schemes we mentioned earlier) just to have a chance at their desired target. Your employees already have this kind of access.

This is why, back in August of 2014, 73% of security managers surveyed by AlgoSec cited insider threats as their greatest concern, up from 62% the year before.

There are two approaches to this type of breach that should at least decrease the chances of your company falling victim to it. The first is simply to make sure that each employee has the appropriate amount of authorization they need to do their job and nothing more. This should be audited regularly and reviewed every time an employee takes on a new role.

Secondly, make sure that access is completely removed the moment an employee is terminated. Obviously, this could have saved Toyota a lot of trouble. A government contractor in Virginia learned the same lesson the hard way when Robert Steele left it over a dispute regarding his compensation.

He swore to Company A (as it’s identified in court records) that he wouldn’t be accessing any of their records as a former employee, even going so far as to insist they delete his access on the day he quit. Unfortunately for Company A, Steele knew about an administrator account no one else did. With this account, he was able to access his old employer’s emails and other sensitive documents while working for a competitor.

In total, Steele would use this account for illegal access more than 79,000 times before finally being caught.

As you can see, though the digital age has definitely made it much easier for companies to do business, there’s also no doubt it has presented a number of unique challenges too. Being cognoscente of what these threats entail should at least help you take proper steps toward safeguarding against them. However, clearly, appropriate measures are something your entire company will need to get behind (which includes investing in technology).

Advantage: Cloud

The Safest Option for Your Data

So, is there a safest option between the two?

When I spoke to Eric Basu, the President/CEO of Sentek Global and a regular contributor to Forbes, he put it this way:

“In general, adhering to good security policies and processes and from those implementing the proper security configurations and controls are the most important thing. If those are not done, it doesn't matter whether your data is in the cloud or not, since there are very few instances left where data is not accessible from the Internet.”

This seems to echo the big take away from that last section. It doesn’t matter if you leverage the digital equivalent of Fort Knox. Hackers will always be successful where human error is present and proper security measures aren’t being deployed.

That being said, the cloud is becoming increasingly popular for a reason. As Jeff Williams explained to me, “I’m actually of the opinion that many organizations would be better off to store their data in the cloud. It’s difficult to run a data center, and it’s not the primary business for most organizations. Nobody can replicate what Amazon has done.”

He added, “I believe most organizations are probably better off using services run by companies that specialize in running those services securely, like Office365. They can get back to doing whatever their business is about.”

While many have associated the cloud with convenience, it’s clear that it’s also becoming better known for the security it can provide.

But again, that doesn’t mean the cloud is an option you can just set and forget. As Williams explained, no matter which option you choose, security is something you must invest in as a company – both in terms of money and understanding potential threats:

“What do I expect from companies? Nothing less than a full threat model, a security architecture with a strong set of security defenses, continuous monitoring to ensure those defenses are in place and working properly, and the ability to detect and respond to attacks. This is the same whether they use cloud providers or not. They are responsible for the security of the providers they use.”

Is It Time to Move to the Cloud?

Again, we’re not able to definitively say that the cloud is absolutely going to be the best choice for safeguarding every company’s data; there are too many details to consider on a case-by-case basis.

However, to help clarify whether or not it’s time for your company to make the switch, I turned again to Eric Basu, who provided these five factors you’ll want to think about:

Existing infrastructure, i.e. "sunk costs." If a company has just invested a few million into servers, it may not make sense to suddenly move all their systems to the cloud.
Cloud capability - A company will likely have to retain outside consultants to move to the cloud, and either train internal staff on how to administer their systems in the cloud and/or use outside consultants for that.
A company has to know how to secure their systems in the cloud, just as they would internally. As an example, using Google Apps for business systems and email, if properly configured, can be far more secure than keeping a local MS Exchange server if that server is not monitored and patched with security updates regularly (i.e. no less than monthly). In this case, the cloud provider would be patching and updating security patches automatically.
Cost - The cloud is not always cheaper. It depends upon many factors, bandwidth being one of them. If a company has one HQ and there will be a huge amount of bandwidth used to move data back and forth to the cloud, the additional expense of that bandwidth may be far more than the cost of retaining those systems in house.
I don't have a caveat emptor list of cloud providers, but I would say stay with the biggest companies that will be around, e.g. AWS, Azure, etc. If your cloud provider goes under, you will have all kinds of issues, including getting your data back.

The cloud is winning over more fans by the day. If you’re one of them, Basu’s advice about making the switch is critical to the future security of your company.

In the end, though, the safety of your data should be more a question of protecting it from human error than hackers. This doesn’t just mean properly training your people to avoid phishing scams or keep their laptops secure. It also means instituting encryption, ensuring that your contracts with business partners and associates demand they take necessary security measures, updating software immediately, etc.

Data breaches will always be one mistake away from occurring. By constantly auditing your company for where these kinds of mistakes could happen, you’ll be able to store your data where you please with less fear of suffering a breach.

Sources:

http://www.computerworld.com/article/2509366/security0/90--of-companies-say-they-ve-been-hacked--survey.html

https://www.bestvpn.com/blog/43225/get-hacked-one-in-three/

http://www.forbes.com/sites/riskmap/2014/06/04/your-company-is-going-to-get-hacked-will-it-be-ready/#636a4a331b01

http://arstechnica.com/security/2011/04/spearphishing-0-day-rsa-hack-not-extremely-sophisticated/

https://archives.fbi.gov/archives/louisville/press-releases/2014/former-information-technology-worker-at-georgetown-toyota-plant-convicted-by-jury-for-damaging-computer-system

http://www.cnet.com/news/the-biggest-cyber-threat-to-companies-could-come-from-the-inside/

https://www.wired.com/2011/08/how-rsa-got-hacked/

http://www.thewindowsclub.com/spear-phishing

https://blog.cloudmark.com/2016/03/31/55-companies-and-counting-w-2-spear-phishing-attacks-continue-to-increase/

https://zvelo.com/spear-phishing-attacks-a-real-example/

http://www.computerweekly.com/news/450303123/A-quarter-of-financial-sector-data-breaches-linked-to-lost-or-stolen-devices