
Tuesday, 9 June 2015

Cloud computing and hacking

I think that I have seen most developments within IT during my career in auditing and business: mainframe with terminals, internet connectivity, standalone PCs, networked PCs with servers, outsourcing, hacking, and now cloud computing. Essential differences in those stages are: User Access (office, home, remote, cloud), User Connectivity (offline, company firewall, 3rd party, cloud), and User Identity (from physical to virtual presence).

IT used to be a low-risk, core business process: companies ran their own IT department with a mainframe, user terminals and, later, firewalls to control internet connectivity. Nowadays IT has become a high-risk, non-core business process: companies outsource their IT department, applications and data storage, with limited means to verify user access and possibly no means to verify user identity.

IT had to become simpler, more effective and, most of all, more cost-efficient. In my view, the pricing of third-party IT services still largely underestimates the inherent risks with respect to user access management and, especially, user identity management.

Hacking used to involve breaking and entering into a company's physical premises before you could reach its data. Nowadays it mainly requires a login ID and a password. Allegedly, these credentials are even for sale on the black market. This also explains why large databases that seem to have little value at first glance get hacked: because users reuse passwords across services, a breached set of credentials can be tried against far more valuable accounts elsewhere.

Cloud computing must sound like heaven to hackers, especially as user access management is still mostly based on a single verification method (i.e., ID and password). Two-step verification (ID, password, plus a code tied to a phone number) is emerging at some companies (e.g., Gmail, iCloud) but is mostly optional. There are no more physical restrictions (e.g., cameras, gates, locks, guards) and no user identity checks (e.g., thumb scan, iris scan): just the use of a stolen ID and password.
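To make the difference between the two login models concrete, here is an added example (not code from the original post or from any of the companies it names). It puts a password-only login beside a two-step login in which the second step is a time-based one-time code (TOTP, RFC 6238) of the kind an authenticator app produces; this stands in for the phone-based code the post mentions, and the user record, salt and the name `alice` are constructed for the example. The TOTP seed is the RFC 6238 test-vector secret so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed user store for the example (not real credentials).
# The TOTP seed is the RFC 6238 Appendix B test-vector secret, chosen only so
# the generated codes can be checked against the published vectors.
_SALT = b"constructed-salt"
_PW_ROUNDS = 200_000

USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _PW_ROUNDS),
        "totp_secret": b"12345678901234567890",
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time step."""
    return hotp(secret, at // step, digits)


def login_single_factor(user: str, password: str) -> bool:
    """The weak model the post describes: a stolen ID and password is enough."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], _PW_ROUNDS)
    return hmac.compare_digest(candidate, rec["pw_hash"])   # constant-time compare


def login_two_step(user: str, password: str, code: str,
                   now: Optional[int] = None, window: int = 1) -> bool:
    """Hardened variant: the password must be right AND a fresh TOTP code must match."""
    if not login_single_factor(user, password):
        return False
    secret = USERS[user]["totp_secret"]
    now = int(time.time()) if now is None else now
    # Accept the current step and `window` neighbours on each side for clock drift.
    # A production verifier must also refuse to accept the same code twice (replay).
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), code):
            return True
    return False


if __name__ == "__main__":
    # What an attacker holding only the leaked ID and password gets in each model.
    stolen_id, stolen_pw = "alice", "correct horse"
    print("password only:", login_single_factor(stolen_id, stolen_pw))                 # True
    print("password + guessed code:", login_two_step(stolen_id, stolen_pw, "000000"))  # False
    fresh = totp(USERS["alice"]["totp_secret"], int(time.time()))
    print("password + real code:", login_two_step(stolen_id, stolen_pw, fresh))        # True
```

The leaked password still opens the single-factor account; under the two-step check it is worthless without a code generated from a secret the attacker never saw. The drift window and the replay caveat are the two details real verifiers most often get wrong.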

Another consideration is the jurisdiction in which a cloud computing supplier operates. Several countries allow their government access to company data held by a provider within their borders, which amounts to legalised hacking.

In my view, the above situation is largely due to the fact that IT has never really been able to communicate with key decision makers (e.g., CEO, CFO). Even the arrival of CIOs has not been able to counter this trend. IT is mostly approached from a technical and a cost angle. Rarely do you meet someone responsible for IT who can combine company strategy and IT operations and everything in between.

If company data (e.g., customer, financial, production, research & development) were considered non-essential, then indeed IT should also be considered non-core. If IT risks were considered low, then the efficiency and effectiveness of cloud computing would indeed prevail over enterprise risk management. Usually, efficiency and effectiveness don't go well with the management of risks.

To hackers, cloud computing is like breaking and entering into a house with a stolen front-door key that carries a label with the owner's name and address.

Even in IT the saying applies: if you pay peanuts, you get monkeys.