By now, you have heard about the latest in SaaS security woes: Evernote. As a user of the service, I was notified of the breach on Saturday. Evernote's systems were compromised to the extent that individuals were able to access user information, which included encrypted passwords. Unlike the LinkedIn breach, where the passwords were encrypted, but not "salted" (which provides protection against brute force dictionary attacks,) Evernote's passwords were both encrypted and salted. Evernote, correctly in my view, decided to implement a system-wide password reset, even though there was no evidence of a breach of customer content or credit card information. But this episode does have me thinking about a couple of things.
The Future Of Passwords: One reason why Evernote likely called for a system-wide password reset is it's unknown whether brute force attacks would have yielded passwords to the attackers. Question is, would a system wide reset have even been necessary if two-factor authentication was in use? "Oh, it's too hard." "Too expensive." Not really. As usual, the gaming world leads technology. Blizzard Entertainment's Battle.Net gaming service offers a $6.50 hardware authentication token, and if that presents too much of a challenge to people using the service, Blizzard also offers a mobile phone two-factor authenticator.
There are bright spots in the enterprise when it comes to two-factor authentication, notably in highly regulated industries. However, while most enterprises finally have complexity requirements when it comes to passwords, far too few enterprises support two-factor authentication on all of their remotely-accessible apps.
Attack Surface: The cloud naysayers are always saying that cloud is less secure. That's not quite true -- as I've pointed out before, many cloud provider data centers have a cleaner audit than many mid-sized enterprises. And, these providers have crackerjack security teams at their beck and call due to their scale. But, the bigger you are, the more of an attack surface you present to attackers. So, to that extent, I think that cloud providers have their work cut out for them.
One possible value add that SaaS providers could offer: Instead of forcing a password reset, offer what Blizzard Entertainment does. But that doesn't reduce the massive attack surface. If you're a huge investment bank, you've got a similar attack surface, but the question for smaller enterprises is, is it really true that your attack surface is smaller? Kind of, but not really. If you're using widely used software such as Microsoft Exchange, you have a smaller IP address attack surface, but your software is an enormous target.
Also, with rogue security researchers selling the latest zero day exploits instead of reporting them for fixes, I still don't think that internal is "more" secure than cloud. It's just a question of what type of attack surface, not a "smaller" attack surface.
Use Case: Cloud naysayers will be out in force this week, declaring that this incident shows why we should NEVER use the cloud. Give me a break. When I was in the security business, I saw vulnerabilities in the banking industry that would curl your toes. We all know that internal IT isn't quite as super duper secure as it could be, due to resource limitations and high work load.
As I and others have said before, you need to reframe your "secure/not secure" argument into a "risk management" argument. How risky is something vs. how much in the way of resources do you want to spend on it?
There is no "100% secure," so the question is, are the benefits of using something worth it, given the risks? For my news clipping file that I keep in Evernote, the answer is a big fat yes. I've not considered using it for another use case, but I wouldn't rule it out, and as Evernote (and other cloud services) provide improved security, I absolutely would consider it.
I would be shocked if commercial providers do not follow Blizzard's lead. We all have big, fat attack surfaces, and protecting these with passwords, no matter how complex, is probably a bad idea in the long run, whether you're an enterprise or cloud provider. But to simply chortle and claim that cloud services are simply untenable is to misunderstand the nuances of security at cloud service providers and inside enterprises.
Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!