The cloud security capers

Today I am going to share three semi-fictional cloud adoption horror stories that will make you rethink your current cloud strategies.

The False Choice

A biometrics security and identity solutions provider sought to establish itself as the premium global brand in the physical security industry. To achieve this goal, company leaders knew they had to adopt cutting-edge technologies to gain and maintain a competitive advantage. By leveraging the cloud, the company’s developers were able to innovate quickly and provide its flagship product to users around the globe.

The company was wildly successful; it secured over 1.5 billion users across 150 countries. As a part of its business offering, it was tasked with storing those users’ sensitive biometrics so that users could securely and physically access confidential areas within their organization. However, the company did not have any guardrails in place to verify the work its developers were doing, and eventually, a pair of security researchers discovered that one of the company’s databases was publicly accessible, without even basic password protection. The exposure of the database, which contained nearly 30 million of the company’s users’ biometrics and other personally identifiable information (PII), resulted in hefty fines -- 4% of its annual global turnover for violating GDPR -- and a loss of consumer trust, which caused its market share to plummet. To pay the fine and fees from other resulting lawsuits, the company had to take out loans that it was unable to pay back, and it filed for Chapter 11 bankruptcy.

Businesses continue to adopt cloud technology to allow developers to innovate and reduce the overall time it takes to bring new products and services to market, scale the company, and increase process efficiency by reducing IT costs. However, as companies continue to embrace cloud apps and services, they often overlook the cultural and personnel changes that are necessary to maintain security and compliance in this environment. To recognize the full benefits of cloud infrastructure, organizations believe that they must choose between security and innovation. However, this is a false choice -- companies don’t have to choose. Organizations can recognize the full benefits of cloud by leveraging automated security strategies that ensure developers are acting wisely and not creating preventable risks, such as misconfiguring a database containing millions of customers’ biometric data.

M&A Mayhem

An American hotel chain yearned to increase its global presence to become the largest hotel company in the world. As a result, the hotel acquired an international resort group for $15 billion, bringing its combined number of global properties to 6,000 with a total of 1.5 million rooms. One year after acquiring the international resort, the American hotel chain’s net income dropped from $850 million to $750 million, but its total assets increased from $6 billion to $25 billion. Two years after, the net income rose exponentially to $1.4 billion, about a 65% increase.

The success of the acquisition not only made the hotel happy, but its shareholders were also pleased because the price per share of the hotel’s stock jumped from $67 to $101 within a year. However, the American hotel chain made a critical error throughout the acquisition process -- it mishandled the M&A IT security and compliance risk assessment and failed to account for, and minimize, existing security risks. In fact, the acquired resort was already compromised when it was bought -- a database stored in the cloud was not locked down properly. As a result, a cybercriminal was able to obtain access to the American hotel’s infrastructure and continued to siphon off guests’ PII for years before being discovered.

Ultimately, the hotel group was fined a combined $550 million for violating GDPR and its shareholders were not happy. The total cost suffered for this data breach ended up being the total difference between the hotel’s net income before and after acquiring the international resort group, resulting in a major loss of capital.

Mergers and acquisitions are an essential part of the enterprise business landscape. These deals foster innovation and create some of the biggest and most successful companies in the world. But one of the largest potential pitfalls in any M&A transaction is mishandling IT integration and creating or failing to mitigate security risk. In the era of cloud computing, the cost of inheriting poor security can be massive and quickly destroy the value of the transaction. Companies must have the proper tools in place to gain complete visibility over assets stored across all cloud environments, then be able to identify risk. Furthermore, companies must be able to enforce security best practices and ensure compliance with relevant regulations at all times during the M&A process.

Cloud Adoption with No Silver Lining

A multinational logistics corporation invested in AWS to improve its customer communications, effectively store customers’ PII and reduce the time it would take for a consumer to make a purchase online. As a result, the corporation improved its users’ experience, which led to a distinct increase in market share. After realizing the cloud enabled its developers and engineers to bring new services to market faster and store additional user data as the corporation scaled, the company was running most of its workload in AWS. The ability to innovate at an accelerated pace and increase revenue resulted in the organization’s developers and engineers bypassing basic security practices. Organizations believe they need to choose between innovation and security.

One day, a group of ethical researchers who were using Shodan identified an exposed S3 bucket from the logistics corporation that contained hundreds of thousands of customers’ passports, shipping addresses, photo IDs and more. The researchers tried contacting the corporation for days in an attempt to either secure the database or bring it offline, but the logistics company ignored these warnings and continued business as usual. Just three days after the discovery, researchers noticed that a Chinese IP address connected to the exposed S3 bucket, wiped it out and left a ransom note.

The international courier company was in disbelief, as this attack caused significant disruption to business operations and a loss of productivity that led to a massive decrease in expected revenue. The company opted to pay the ransom, hoping that it would see the return of its customers’ sensitive information. Unfortunately, the attackers did not return the data, and once the public became aware of the data breach, the company faced class-action lawsuits, fines for violating data privacy laws, a sinking stock price, and a huge loss of customers who had lost trust in the company and instead opted for a competing shipping service.

Conclusion

The cloud offers countless benefits, but the self-service and dynamic nature of cloud infrastructure creates challenges for risk and compliance professionals who are tasked with protecting their organization from cyber threats. As organizations continue to adopt cloud and multi-cloud environments, many fail to realize that tools and controls that worked well for security and compliance in the traditional datacenter do not translate to the public cloud.

Organizations need policies that span all clouds and a platform that can automatically remediate misconfigurations in real time. These modern services will help your enterprise innovate quickly and maintain a competitive position in the market, but the implementation can be highly complex and can lead to an abundance of potential security gaps. The choice between innovation and security is not one that cloud users have to make, but the stories above highlight a few scenarios that can play out if companies don’t take control of their cloud environments.
