The recent WikiLeaks Vault 7 documents, combined with the massive scale of the hacks at Yahoo, are raising concerns about how secure the enterprise is in the cloud.

Andrew Froehlich

March 30, 2017

Vault 7, Yahoo Hack Cast Doubt on Cloud Security

The cloud is presumed to be a safe space that enterprises can trust with their organization's most sensitive data and intellectual property. The days of being skeptical regarding the level of data security and protection that could be offered by cloud service providers are well behind us.

Or are they?

In fact, there are a few IT security issues recently revealed that could raise eyebrows for enterprise organizations that demand the utmost trust in their cloud provider's ability to protect corporate data.

Specifically, I'm referring to the publication of Vault 7 documents released by WikiLeaks, and the reported Russian hacking of Yahoo user accounts. These discoveries call into question the true state of IT security in general -- and also point to huge weaknesses that arise when organizations trust a handful of global service providers to protect their sensitive data.

For several years, security has been one of the top concerns, if not the top concern, for CIOs. One reason these IT leaders have started to move data and applications to the cloud is that cloud service providers likely had better security, controls and tools than their own internal organization. While that may still be true, these two incidents are challenging that logic. (See Cloud Upends Traditional Security Borders.)

Figure 1: Is it safe? (Source: Pete Linforth via Pixabay)

Let's first look at how Vault 7 information casts doubt on the realities of using a third party to protect company data. (See WikiLeaks Strikes Again.)

While the information provided in Vault 7 largely dealt with the CIA's spy tools and a propensity to hoard zero-day exploits for its own benefit, other documents hinted that major technology vendors were either assisting with the collection of public data -- or at least looking the other way.

What's troubling for our discussion is that many vendors on the Vault 7 list are major cloud service providers that claim to do everything they can to protect customer data residing on their infrastructure. While the documentary evidence in Vault 7 rests largely on end-user hardware and software, one must consider the possibility that the CIA and other government spy agencies around the globe have their hooks into major cloud service provider networks.

The second revelation that potentially puts cloud security into question was the news that 500 million Yahoo accounts were once again hacked in 2014 -- with sensitive user details stolen. The US Department of Justice recently indicted two Russian spies in the hack. (See US Indictment Says Russian Spies Were Behind Yahoo Hack.)

Despite the consumer-grade use of Yahoo mail, enterprise organizations should take notice. Webmail is nothing more than a software-as-a-service (SaaS) platform. Considering Yahoo is one of the biggest email SaaS providers in the world, it means that all SaaS providers are vulnerable. This is particularly true when the threat comes from foreign spy agencies that have the money and resources to circumvent some of the best security architectures in the world.

Additionally, CIOs and their IT departments must consider that the use of the largest and most popular cloud providers may inadvertently put you at more risk. Your organization's data is suddenly merged into the same infrastructure with thousands of other companies. That means your data becomes a bigger and more lucrative target, particularly to governments sifting through reams of other data in the hopes they'll uncover something that they can use.

The feeling of doubt and uncertainty is a powerful emotion.

While much of the doubt about the security of cloud computing is speculation, it still can't be ignored. Cloud service providers are going to have to go above and beyond in 2017 to assure their customers that the absolute safest place for their data and apps is in the cloud.

Yet it's important to note that the initial WikiLeaks Vault 7 dump published less than 1% of all the information the organization possesses on this subject. That means that this story -- and the doubt it's casting -- is far from over.

— Andrew Froehlich is the President and Lead Network Architect of West Gate Networks. Follow him on Twitter @afroehlich.

About the Author(s)

Andrew Froehlich

As a highly experienced network architect and trusted IT consultant with worldwide contacts, particularly in the United States and Southeast Asia, Andrew Froehlich has nearly two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Froehlich has participated in the design and maintenance of networks for State Farm Insurance, United Airlines, Chicago-area schools and the University of Chicago Medical Center. He is the founder and president of Loveland, Colo.-based West Gate Networks, which specializes in enterprise network architectures and data center build outs. The author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT related websites and trade journals with insights into rapidly changing developments in the IT industry.
