Data Security in the Cloud
A WhitePaper by Nicholls Legal
Inadequate data security leaves businesses open to significant damage and embarrassment. Whilst data security is a key concern for any business when it considers the use of its IT resources, businesses that operate within, or are seeking to operate within, the cloud need to be particularly attuned to the increased risks and dilemmas that cloud computing poses for their data security.
One of the most obvious risks in switching from in-house IT services to the cloud lies in determining whether a cloud provider can ensure adequate protection of important and sensitive data and a business’s interests in that data. In a study of 110 cloud implementations by IBM, security concerns were cited by clients as one of the biggest inhibitors for cloud computing. The report cited ‘secure and efficient data exchange across the enterprise and clouds, as well as secure application connectivity’ as the major data security concerns for businesses looking to implement cloud solutions, especially those looking to enter the public cloud.
A key area of concern for any customer seeking to enter the cloud is the fact that large cloud providers become an obvious and prominent target for hackers. Prominent recent examples include hacks of the networks of Sony, Citigroup, NAB and the Commonwealth Bank, and the ‘AntiSec’ campaign carried out against a number of high-profile targets by the hacking groups Anonymous and Lulzsec.
This whitepaper analyses some key issues regarding data security in the specific context of cloud computing services – analysing security risks through a case-study of a devastating data security breach at Melbourne web-hosting service Distribute.IT; and then examining current and potential future government and industry responses to some of these issues.
II Case study – Distribute.IT
In June of 2011, Melbourne-based hosting provider Distribute.IT was the subject of a targeted attack by an unknown instigator that rendered data from four of its servers completely unrecoverable. As a result, the stored data of 4,800 websites was lost permanently, with Distribute.IT forced to concede that:
This leaves us little choice but to assist you in any way possible to transfer your hosting and email needs to other hosting providers.
Customers of Distribute.IT, some of whom permanently lost data, predictably responded with shock and vitriol directed at the company, both in statements to the media and on online forums such as Whirlpool. Particularly concerning for Distribute.IT in this case is that the hack appeared to be a “deliberate attempt to take down the business by destroying drive header files and not an act aimed at stealing client data.” The implication is that the hack was either in the Anonymous and Lulzsec mould, aimed purely at disruption and destruction of businesses that have exploitable data security weaknesses; or perhaps the work of a disgruntled employee or ex-employee. Distribute.IT was subsequently acquired by the Netregistry group in late June 2011 and investigations into the source of the hack ensued.
There are a number of points that can be taken away by both cloud providers and cloud customers from the Distribute.IT debacle. The first is an obvious one: cloud providers need to ensure that the data security measures they put in place are sufficient to protect against sophisticated, targeted hacking operations such as this. Rob Forsyth, director of the Internet Society of Australia and managing director of internet security company Sophos, notes that it appears Distribute.IT’s security was clearly lax. In particular, Mr Forsyth observed:
To me it seems really that there were inappropriate security settings within a number of their databases … It appears that some of the data was not encrypted and therefore, once the servers were cracked, was available in clear text. That seems a shame.
It has also been suggested that the Distribute.IT hack highlights the need for a regulatory overhaul of customer protections and obligations of cloud providers (see below). Rob Forsyth has stated that the hack demonstrates the need for ‘mandatory disclosure legislation’ that requires companies to inform customers and authorities immediately when a security breach occurs.
A number of other takeaways from the Distribute.IT hack are outlined under relevant headings below.