[Info-vax] Cloud Security - 68M accounts hacked on Dropbox

Kerry Main kemain.nospam at gmail.com
Fri Sep 2 09:31:58 EDT 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On
> Behalf Of MG via Info-vax
> Sent: 02-Sep-16 5:07 AM
> To: info-vax at rbnsn.com
> Cc: MG <marcogbNO at SPAMxs4all.nl>
> Subject: Re: [Info-vax] Cloud Security - 68M accounts
> hacked on Dropbox
> 
> On 1 Sep 2016 at 22:00, Kerry Main wrote:
> > As a follow-on note to this - 68M account passwords
> > hacked on Dropbox.
> >
> > https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach
> > https://blogs.dropbox.com/dropbox/2016/08/resetting-passwords-to-keep-your-files-safe/
> >
> > While security is always a concern, the big issue with
> > public cloud offerings is loss of control over security
> > policy.
> Some companies even have a policy that states storing
> any company information on Dropbox or other similar
> Internet file sharing offerings is potentially a company
> termination offense.
> 
> For this reason I never wanted to use anything from "the
> Cloud" or "Cloud-based".  (Hasn't anyone also learned
> anything from the iCloud debacle?)
> 
>   - MG

We need to remember that public clouds are just another
name for selective IT outsourcing.

As it has been for decades, there are pros and cons with
outsourcing.

To clarify what one loses from a data and security policy
perspective, here are a few examples of what you LOSE when
moving to a public cloud:
- using and updating common data access rules, auditing,
reporting, monitoring, tools and strategies
- using and updating common data backup, data retention
and DR strategies
- using common IT HR policies, e.g. for sensitive data,
your company might require annual police checks, or at
least one before staff are hired. Who knows what security
checks the cloud vendor puts their onshore / offshore IT
staff through?
- using common firewall policies (the vendor FWs are all
theirs - you have zero input). From your perspective, it
is one remote flat network and you have no idea what
those firewall rules are.  There is no concept of "trust,
but verify"
- difficulty in meeting and auditing new IT audit
requirements (audit XYZ may not be important to the vendor
even though it is to you)
- being able to disable at one single point an employee's
access to all internal systems (unless you want to expose
your LDAP / AD to the cloud as well). See previous thread
on internal security issues
- password-related length, complexity, change times,


Regards,

Kerry Main
Kerry dot main at starkgaming dot com