
The main focus of security in cloud computing is the software as a service (SaaS) offering. Storage solutions such as Apple’s iCloud, Google’s Drive, and Dropbox’s self-titled storage service are leaders in the industry. Cloud storage is the main focus because attackers most commonly penetrate network defenses to compromise sensitive data. Many companies and personal consumers use cloud storage for their sensitive data because it is often more cost efficient or more convenient to have data stored, managed, and backed up by another company. Because data in the wrong hands can compromise anything from a business’s intellectual property to people’s privacy, securing that data is a requirement not to be taken lightly. As covered earlier in this blog, it is important to balance the three aspects of the CIA triangle: Confidentiality, Integrity, and Availability.
A notable case study of a cloud computing environment that was susceptible to attack from an anonymous attacker due to poor security practices is Apple’s iCloud environment. iCloud is a cloud service that is available to anyone who has created a free Apple ID. There are many utilities within the iCloud suite, including a mail client, calendar, a device locator, and file storage. On August 31, 2014, in an event dubbed “The Fappening,” numerous A-list celebrities had nude photographs of themselves leaked onto the Internet. The pictures that were released had all at one point been stored in Apple’s iCloud, protected by each celebrity’s Apple ID user name and password. The initial assumption was that the entire iCloud infrastructure had been attacked and that any files stored in the cloud were compromised. This would have had a huge impact on the integrity of cloud service providers as a whole, because the ability of an advanced persistent threat to compromise such a high-profile environment would deter both personal and business users from trusting third parties to store their information without strict control over the security of their private data. However, after an internal investigation by Apple, the company released a statement announcing that “these celebrity accounts were compromised by a targeted attack on user names, passwords, and security questions.” This implies that the celebrities who were affected by “The Fappening” mass photo release all had weak passwords and weak security questions protecting those passwords. What is evident is that weak security practices from both Apple and end users of Apple’s iCloud provided malicious attackers with the opportunity to gain privileged access to accounts that they did not own.
In the next blog, I will continue by explaining how both Apple and the celebrities could have implemented some best practices to prevent this event from occurring at all.