Vault 7, Yahoo Hack Cast Doubt on Cloud Security

Andrew Froehlich
News Analysis
Andrew Froehlich
3/30/2017

The cloud is presumed to be a safe space that enterprises can trust with their organization's most sensitive data and intellectual property. The days of being skeptical regarding the level of data security and protection that could be offered by cloud service providers are well behind us.

Or are they?

In fact, there are a few IT security issues recently revealed that could raise eyebrows for enterprise organizations that demand the utmost trust in their cloud provider's ability to protect corporate data.

Specifically, I'm referring to the publication of Vault 7 documents released by WikiLeaks, and the reported Russian hacking of Yahoo user accounts. These discoveries challenge the true state of IT security in general -- but also point out huge weaknesses when organizations trust a handful of global service providers to protect their sensitive data.

For several years, security has been one of, if not the top concern, for CIOs. One reason these IT leaders have started to move data and applications to the cloud is that these service providers likely had better security, controls and tools than their own internal organization. While that may still be true, these two incidents are challenging that logic. (See Cloud Upends Traditional Security Borders.)

Is it safe? (Source:  Pete Linforth via Pixabay)
Is it safe? (Source: Pete Linforth via Pixabay)

Let's first look at how Vault 7 information casts doubt on the realities of using a third party to protect company data. (See WikiLeaks Strikes Again.)

While the information provided in Vault 7 largely dealt with the CIA's spy tools and a propensity to hoard zero-day exploits for its own benefit, other documents hinted that major technology vendors were either assisting with the collection of public data -- or at least looking the other way.

What's troubling for our discussion is that many vendors on the Vault 7 list are major cloud service providers that claim to do everything they can to protect customer data residing on their infrastructure. While most of the Vault 7 documentational proof rests largely on end-user hardware and software, one must consider the possibility that the CIA and other government spy agencies around the globe have their hooks into major cloud service provider networks.

The second revelation that potentially puts cloud security into question was the news that 500 million Yahoo accounts were once again hacked in 2014 -- with sensitive user details stolen. The US Department of Justice recently indicted two Russian spies in the hack. (See US Indictment Says Russian Spies Were Behind Yahoo Hack.)

Despite the consumer-grade use of Yahoo mail, enterprise organizations should take notice. Webmail is nothing more than a software-as-a-service (SaaS) platform. Considering Yahoo is one of the biggest email SaaS providers in the world, it means that all SaaS providers are vulnerable. This is particularly true from foreign spy agencies that have the money and resources to circumvent some of the best security architectures in the world.

Additionally, CIOs and their IT departments must consider that the use of the largest and most popular cloud providers may inadvertently put you at more risk. Your organization's data is suddenly merged into the same infrastructure with thousands of other companies. That means your data becomes a bigger and more lucrative target, particularly to governments sifting through reams of other data in the hopes they'll uncover something that they can use.

The feeling of doubt and uncertainty is a powerful emotion.

While much of the doubt about security of cloud computing is largely speculation, it still can't be ignored. Cloud service providers are going to have to go above and beyond in 2017 to ensure their customers that the absolute safest place for their data and apps is in the cloud.

Yet, it's important to note that the initial WikiLeaks Vault 7 dump, published less than 1% of all the information the organization possesses on this subject. That means that this story -- and the doubt it's casting -- is far from over.

— Andrew Froehlich is the President and Lead Network Architect of West Gate Networks. Follow him on Twitter @afroehlich.

(4)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
kq4ym
kq4ym
4/7/2017 | 10:15:47 AM
Re: Enterprises
Yep, it can be very very worrisome to realize that we "must consider the possibility that the CIA and other government spy agencies around the globe have their hooks into major cloud service provider. Finding who and where hacks are coming from can be a daunting process with all the unknowns  lurking around the technology changes known and unknown.
Joe Stanganelli
Joe Stanganelli
3/30/2017 | 7:41:58 PM
Re: Enterprises
@Scott: Indeed, this is one thing that Larry Ellison referred to in his infamous "calling everything cloud" rant years ago.  SaaS wasn't exactly new.

A substantial portion of websites today are technically SaaS and/or PaaS unto themselves.
Scott_Ferguson
Scott_Ferguson
3/30/2017 | 4:13:25 PM
Re: Enterprises
@danielcawrey: I like that Andy wrote about how email is essentially the most basic SaaS technology and we know from previous reports, ect..., that SaaS is one way that shadow IT grows within the enterprise, which creates a lot of security concerns.  
danielcawrey
danielcawrey
3/30/2017 | 1:45:58 PM
Enterprises
What's surprised me with Yahoo mail is the number of people in government and business who have used this system. Did they think it was private?

People really have to be careful about privacy on consumer services. I just don't think that is what many of them were built for. 

That is, unless it was built specifically for privacy. 
Featured Video
Upcoming Live Events
September 17-19, 2019, Dallas, Texas
October 1-2, 2019, New Orleans, Louisiana
October 10, 2019, New York, New York
October 22, 2019, Los Angeles, CA
November 5, 2019, London, England
November 7, 2019, London, UK
November 14, 2019, Maritim Hotel, Berlin
December 3-5, 2019, Vienna, Austria
December 3, 2019, New York, New York
March 16-18, 2020, Embassy Suites, Denver, Colorado
May 18-20, 2020, Irving Convention Center, Dallas, TX
All Upcoming Live Events