The recent Apple (AAPL, Financial) iCloud accident has raised a lot of storm not only against Apple as the service provider but against the whole cloud system.
Today on every media and web portal, people have voiced their concerns and anger against what happened on the iCloud and how they are now shying away from putting their data on the cloud. People have gone to the extent of terming the cloud as a big technical bubble that has now burst, and it's time to lay the cloud under its tombstone.
This reminds me of the first massive motor car accident dating back to somewhere between 1908 when Henry Ford rolled out the first motor car, and 1970 when seatbelts came into existence. Henry Ford rolled out Model T cars from his assembly line in 1908; until then there hadn’t been any automobile fatality in nearly 40 years prior to that – not since Mary Ward was run over by a steam-powered car in Ireland in 1869. But with modern production, engineering improvements, better roads and more cars on them, automobile safety became a growing concern.
One of the most important safety features in a car, the seatbelt, became standard equipment by the 1970s, but it wasn’t until 1984 that seatbelt use was made mandatory after a lot of public ruckus over the use of seat belt. Finally, with time and education people came to realize that seatbelts save lives.
Since then, safety in cars has gone from being an optional to a must-have feature, accredited by National Highway Traffic Safety Administration’s star ratings. One of the major focuses in modern-day cars is the innovation engineered to make them safer to drive and to protect passengers. Many of these features, like breakaway steering columns, ABS and crumple zones, are not as evident as the ubiquitous seatbelt but are integral parts of the design because we have come to realize that the universal truth is: Accidents are inevitable.
The accident on the CLOUD
For a better understanding of how to manage our drive on the cloud in the future, let us have a brief understanding of what happened. A celebrity’s personal photos that were clicked on her phone and saved in the iCloud were hacked by some unscrupulous cyber miscreants and uploaded on image-sharing web portal and went viral – thus seriously jeopardizing the privacy of the celebrity and wreaking havoc on her life.
Amid the industry’s massive shift to cloud computing and software as a service, this recent Apple iCloud photo hack incident should be regarded as the tech industry’s wakeup call to start innovating safety features for cloud instead of letting the teaming millions of users shy away from cloud. The inflection point is when security awareness became so acute as to demand that information security and data privacy features be tightly integrated into cloud architecture.
How to innovate the Cloud safety?
The iCloud incident, after all, should not be read as a portent of “don’t adopt cloud,” but rather, “use cloud wisely.” And the innovative developers and vendors of cloud services will compete on the basis of safety and create the cloud “crumple zones,” to cushion against occurrence of accidents and avert the likelihood of breaches and classify data accordingly.
Cloud architecture has been designed to give the benefit of mass storage and application sharing in order to reduce data load and cost on individual devices or enterprises, thus making their operational output more efficient. However, just like any other product, even cloud technology is facing outage and an infrastructure has to be built that can withstand failure and even autonomously recover from it. The common notion is that breach can be avoided by adopting preventive measures but one thing that has to be considered is that even the cyber hoodlums are upgrading themselves constantly. With the examples of car safety we have added the best possible car safety features; but have we been able to eradicate car boosting totally? The answer is no; though we have been able to reduce it considerably.
As cloud vendors and service providers and developers, we also have to adopt similar constant safety upgradation process in order to avert data theft and hacking. Cloud service providers have standardized on a “shared responsibility model,” which essentially places the onus of infrastructure uptime on the vendor and breach protection on the customer through difficult-to-hack password encryption. Some customers buck the trend and attempt to negotiate better terms with the vendors, but most of us are stuck with the terms of service as they are, indemnifying cloud vendors in the event of a breach.
Cloud protection model
So how can we design crumple zones into our cloud security strategy?
First and foremost, we will have to define the risk appetite for breach depending on the sensitivity classification of a particular dataset – we need to accept the inevitable.
Second, we need to design compensating controls. Let us assume that a breach might happen at any point, and accordingly calculate its impact on the organization – this means dataset sensitivity classification, which then enables us to determine our appetite for things like data loss, data tampering and even extortion thus enabling us to calculate the quantum of loss in an event. Then these can be counterweighted with compensating controls such as cyber insurance, cloud access security brokers and additional security headcount, thus adding security layers to our dataset according to its risk classification.
Cloud computing users need to re-engineer their cloud movement
We don’t need a Tarot card reader to point out the consequences of not adopting this data safety model, or for that matter any data safety architecture. For example just a few months ago, Code Spaces, a code-hosting and software collaboration Platform Company, had to shut shop when a hacker deleted the company’s data and backups.
As more businesses walk into the cloud space, it’s crucial that we incorporate "design for breach" into our "design for failure" methodology, thus putting extra effort on data security in the cloud. In other words, we need to design the crumple zones in the cloud because accidents can happen anytime anywhere.
