Not all cloud providers are created equal: according to recent news, the Adobe Cloud’s poor implementation of password protection resulted in 150 million Adobe documents being published online. Paul Ducklin of Naked Security provides an excellent breakdown of the investigation into exactly what went wrong within the user authentication mechanisms for the Adobe Cloud. Adobe would have benefited greatly from undergoing the FedRAMP Security Authorization process, as these security holes would have been uncovered ahead of a public compromise.
For a time I was optimistic that large, medium, and small firms would come to a universal understanding that they had no choice but to take action to implement effective security measures within their source code, infrastructure, and identity management solutions. It appears that large companies that have the financial resources still choose not to tackle even basic security to protect their customers.
The obvious needs to be said: hacking groups that exist in the wild are continuously evolving into a sophisticated attack force. Let’s think about it for a moment. Cyber theft results in at least a $300 Billion loss to the global economy, according to this McAfee report. With money to fund operations, entry-level hackers have a career path into the depths of sophisticated brand destruction and pilfering from the global financial coffers. The money available to these groups and individuals gives them the means to devote more time to their craft, forging even stronger, more efficient hackers. As new technologies creep into the business world, the skilled will continue to adapt and exploit the next best thing. And it’s not going to stop; the genie has been let out of the bottle.
The time for warnings is over. If the company that you own, work for, or have stock in does not care about its cyber security, then expect it to get pwned one way or another by sophisticated attackers. Losses are going to affect you one way or another. Everyone as a collective has to get smart, and fast, but that is not going to happen. Let’s be realistic.
I would suggest that anyone operating a cloud environment take a look at the security requirements that FedRAMP imposes. Even if you do not intend to go through a FedRAMP Security Authorization, the required security control implementations offer valuable insight into how to protect your cloud service. It will help those who are challenged in the ways of cyber security to check themselves before ending up as a breach headline.