Cloud // Software as a Service
Commentary
3/4/2013
08:56 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Evernote Breach: What It Means To Enterprise IT

Cloud naysayers will insist that this incident shows why we should never use the cloud. Give me a break.

By now, you have heard about the latest in SaaS security woes: Evernote. As a user of the service, I was notified of the breach on Saturday. Evernote's systems were compromised to the extent that individuals were able to access user information, which included encrypted passwords. Unlike the LinkedIn breach, where the passwords were encrypted, but not "salted" (which provides protection against brute force dictionary attacks,) Evernote's passwords were both encrypted and salted. Evernote, correctly in my view, decided to implement a system-wide password reset, even though there was no evidence of a breach of customer content or credit card information. But this episode does have me thinking about a couple of things.

The Future Of Passwords: One reason why Evernote likely called for a system-wide password reset is it's unknown whether brute force attacks would have yielded passwords to the attackers. Question is, would a system wide reset have even been necessary if two-factor authentication was in use? "Oh, it's too hard." "Too expensive." Not really. As usual, the gaming world leads technology. Blizzard Entertainment's Battle.Net gaming service offers a $6.50 hardware authentication token, and if that presents too much of a challenge to people using the service, Blizzard also offers a mobile phone two-factor authenticator.

There are bright spots in the enterprise when it comes to two-factor authentication, notably in highly regulated industries. However, while most enterprises finally have complexity requirements when it comes to passwords, far too few enterprises support two-factor authentication on all of their remotely-accessible apps.

Attack Surface: The cloud naysayers are always saying that cloud is less secure. That's not quite true -- as I've pointed out before, many cloud provider data centers have a cleaner audit than many mid-sized enterprises. And, these providers have crackerjack security teams at their beck and call due to their scale. But, the bigger you are, the more of an attack surface you present to attackers. So, to that extent, I think that cloud providers have their work cut out for them.

One possible value add that SaaS providers could offer: Instead of forcing a password reset, offer what Blizzard Entertainment does. But that doesn't reduce the massive attack surface. If you're a huge investment bank, you've got a similar attack surface, but the question for smaller enterprises is, is it really true that your attack surface is smaller? Kind of, but not really. If you're using widely used software such as Microsoft Exchange, you have a smaller IP address attack surface, but your software is an enormous target.

Also, with rogue security researchers selling the latest zero day exploits instead of reporting them for fixes, I still don't think that internal is "more" secure than cloud. It's just a question of what type of attack surface, not a "smaller" attack surface.

Use Case: Cloud naysayers will be out in force this week, declaring that this incident shows why we should NEVER use the cloud. Give me a break. When I was in the security business, I saw vulnerabilities in the banking industry that would curl your toes. We all know that internal IT isn't quite as super duper secure as it could be, due to resource limitations and high work load.

As I and others have said before, you need to reframe your "secure/not secure" argument into a "risk management" argument. How risky is something vs. how much in the way of resources do you want to spend on it?

Global CIO

Global CIOs: A Site Just For You

Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

There is no "100% secure," so the question is, are the benefits of using something worth it, given the risks? For my news clipping file that I keep in Evernote, the answer is a big fat yes. I've not considered using it for another use case, but I wouldn't rule it out, and as Evernote (and other cloud services) provide improved security, I absolutely would consider it.

I would be shocked if commercial providers do not follow Blizzard's lead. We all have big, fat attack surfaces, and protecting these with passwords, no matter how complex, is probably a bad idea in the long run, whether you're an enterprise or cloud provider. But to simply chortle and claim that cloud services are simply untenable is to misunderstand the nuances of security at cloud service providers and inside enterprises.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
John Humkey
50%
50%
John Humkey,
User Rank: Apprentice
3/4/2013 | 2:57:47 PM
re: Evernote Breach: What It Means To Enterprise IT
Evernote.com is blocked by my companies web filtering as (Personal Storage Site) . . . so I'd say the breach means . . . nothing at all.
David Berlind
50%
50%
David Berlind,
User Rank: Apprentice
3/4/2013 | 4:51:58 PM
re: Evernote Breach: What It Means To Enterprise IT
Great thoughts here Jonathan. The Blizzard approach is pretty interesting. I have to say that it's hard to believe that a lot of consumer facing companies don't offer the same thing. For example, I'd opt-in if my bank (a pretty big bank) allowed me the option of a hardware token for online banking (my friends who live in Europe have them, but I'm told they're culturally to inconvenient for Americans).

It has been a while since I brushed up on my token expertise -- but I'm trying to figure out why, for example, RSA can turn this opportunity into a big business. Give me one SecureID token that, as an end-user, I can apply the services of my choosing (my bank, Evernote, etc.).

Finally, in its post-breach messaging, I'm surprised Evernote didn't advise users and customers to be cautious about continued usage of your old Evernote password for other services.
Laurianne
50%
50%
Laurianne,
User Rank: Author
3/4/2013 | 7:29:31 PM
re: Evernote Breach: What It Means To Enterprise IT
What are the potential downsides of Blizzard's mobile phone two-factor authenticator approach with the Evernote user crowd?

Laurianne McLaughlin
dlowe88801
50%
50%
dlowe88801,
User Rank: Apprentice
3/5/2013 | 3:12:29 PM
re: Evernote Breach: What It Means To Enterprise IT
I am a customer of Evernote and Blizzard's Battle.Net. I also use Google's Authenticator (on my smart phone) to access my Gmail accounts.

With 2-factor authentication, a downside is the inconvenience that comes when you lose your physical authenticator (token or smart phone). In my opinion, that is minor comparing to having your one-and-only password compromised and you have to change the password right away or your account is at risk as every minute goes by.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
3/5/2013 | 3:05:58 AM
re: Evernote Breach: What It Means To Enterprise IT
This is all nice until hackers find a way to clone hardware dongles or fake their presence or even find ways around them entirely. The cloud naysayers typically do not dislike the concept of cloud computing, but they shudder that someone else somewhere in a place unknown is in charge of security for the services. Evernote hosts a bunch of grocery lists, but this can happen to any cloud service provider and it did happen to many of them. Hackers only need to crack the digital doors in one place with the cloud. In distributed non-cloud on premises systems hackers would need to attack each of those systems individually. And that is not supposed to be more secure? May this is a logic the cloud huggers cannot follow.....
jfeldman
50%
50%
jfeldman,
User Rank: Strategist
3/5/2013 | 11:49:47 AM
re: Evernote Breach: What It Means To Enterprise IT
Heh. "Cloud huggers". :)
8 Steps to Modern Service Management
8 Steps to Modern Service Management
ITSM as we know it is dead. SaaS helped kill it, and CIOs should be thankful. Hereís what comes next.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.