What security do I need to worry about once I send data to a cloud provider? Every company asks this question, and there is no scenario where the cloud customer eliminates all information security responsibility. The customer is almost always responsible for securing their own usage from compromised accounts and insider threats, at the very least.

Enterprises with sensitive data have confidence in the security capabilities of their trusted cloud providers. Yet the threat still looms of a data breach on the cloud provider side. Revelations of Yahoo’s scanning of customer data at the behest of the U.S. National Security Agency may rekindle fears of technology backdoors and cloud provider disclosures to the government, as well. At the end of the day, many companies have data over which they want to retain final control. Whether for internal policies or industry regulations, encrypting data with enterprise-managed keys is a final line of defense for outsourcing data to the cloud.

The cloud market started out as a Wild West, without a certification system for secure providers. Now, the CloudTrust certification program points IT decision makers to enterprise-ready solutions. The Internet of Things (IoT) is still in its early days, and security is the last thing on developers’ minds. Connected devices pose a huge vector for hackers to target, especially in critical industries like healthcare and transportation. Experts are calling for a standard to hold manufacturers accountable and instill consumer confidence. Information security always comes after pioneering technology innovation, but the capabilities of IoT devices mean more may be at stake than just information.

 

 

Download a Breach Response Checklist

What will you do in the first 48 hours? Here’s a checklist for your response plan.

Download Now

Major concerns about IoT security surfaced with the high-profile remote hack of a moving vehicle. Many industry experts pushed back due to the specificity of the hack: a certain make of car with a set of pre-configured conditions. This month, hackers gave legitimacy to concerns over lackluster product security. A DDoS attack targeting the website of Brian Krebs, a cybersecurity journalist, relied on code exploiting IoT devices with manual security settings. The code, which the hacker released publicly, relies on 61 popular default passwords to take over IoT devices. As a result, the author created the most powerful DDoS attack in history. Fortunately, this first use of the technique proved relatively harmless. The burden now falls to manufacturers and device owners to secure critical devices so they do not become low hanging fruit.

In response to new or rising threats, governments are expanding cybersecurity regulation. Stricter requirements and higher fines will force companies to allocate more resources to information security. TalkTalk, the UK telecom provider, which suffered a data breach affecting 157,000 customers, received a record fine of 400,000GBP from the Information Commissioner’s Office.  After Yahoo’s privacy and cybersecurity woes, Verizon has reportedly requested a $1 billion discount from the acquisition price. A ten-figure price tag should make companies reevaluate whether their cyber defense budgets are sufficient.

One of the most dangerous trends in the past decade for cybercrime has been the increased sophistication and discipline of attackers. Despite the migration away from the stereotype of a rogue hacker in a hoodie, there are lighthearted anecdotes about the drama of the hacking profession. Investigators report Russian state-sponsored groups compete on projects, even to the extent of withholding intelligence from each other. Now a hacker notorious for compromising Myspace has targeted one of their hacking peers and even communicated with authorities to publicize the attack. All is fair in cyberwar, apparently.