Attacks seem to be following a familiar pattern, with the recent Evernote service-wide password reset indicative of a trend where attackers target users’ login credentials. As has been widely reported, password databases are a popular target in part because so many people reuse the same password across services: one stolen hash list, once cracked, unlocks accounts elsewhere.
However, imagine the consequences if an attacker were able to penetrate further into the cloud and not just steal credentials but also access cloud storage. For example, how many users of the popular Evernote, Penultimate or Dropbox apps store confidential notes in the cloud? While some companies have been swift to implement effective BYOD policies, others have no formal policy and appear to turn a blind eye to staff taking notes on personal iDevices.
If password hashes, usernames and e-mail addresses can be stolen, the other data held in the same cloud is at risk too and needs to be protected wherever possible. There are solutions; for example, some versions of the Evernote apps allow users to encrypt portions of their notes on the device before they are pushed up to the cloud. Evernote state that when this feature is used even their own staff cannot access the customer data. Use of the feature is optional, but naturally I’d recommend that users encrypt any sensitive or confidential notes.
Cloud providers often write about their use of industry-standard SSL or disk encryption. Yet SSL protects data only in transit and disk encryption only at rest (against loss or theft of the physical media); both leave the data in plaintext while it is being processed on a cloud-based server. Merely encrypting customer data on cloud disks is transparent to the application and therefore cheap for service providers to deploy. Unfortunately, transparency works both ways: network and storage encryption are equally transparent to an attacker who has compromised the provider’s application server, because that server holds the keys and handles the decrypted data.
For many cloud services the provider never needs to read or process the data it stores, so there is little reason for that data to ever reach the provider in plaintext (although data the provider cannot read may conflict with the business model of some free cloud services). Encryption and decryption can happen on the client laptop or tablet before data is pushed to the cloud, and the user retains control and custody of the encryption keys; a compromise of the provider then yields only ciphertext.
In the Evernote example the encryption keys are essentially passphrases: the key is derived from the passphrase, so it has no more entropy than the passphrase itself. One of the problems with this simple model is that if a user forgets their passphrase, they have lost the only copy of their encryption key and the data is effectively rendered unreadable. Sometimes this “feature” of encryption is considered desirable and is termed “encrypt erase” (or crypto-shredding), but there is a world of difference between accidentally forgetting an encryption key and deliberately destroying one. Passphrases do not make good encryption keys: they are often poorly chosen, are easily forgotten, and scale badly when used to control access to data that must be shared between users or escrowed for recovery.
In the enterprise the solution to this tricky problem is likely to come from on-premises key management systems that control access to sensitive encryption keys according to strongly defined policies and recognised key management standards such as the OASIS Key Management Interoperability Protocol (KMIP). Cloud providers that wish to host valuable, and therefore usually confidential, data will need to demonstrate that they support recognised key management standards and employ robust controls that earn them the privilege of controlled access to data protection keys.
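The three points above (encrypt on the client so the provider only ever stores ciphertext; a passphrase-derived key alone is a single point of loss; a shared or escrowed key is what a key management system exists to hold) fit together in one envelope-encryption scheme. The following is an added example written for this page, not Evernote’s code or any product’s API. It seals a note under a random data key (DEK), then wraps that DEK under a key derived from the user’s passphrase with PBKDF2-HMAC-SHA256 and, separately, under an escrow key-encryption key (KEK). The escrow KEK, the constant names, the field names and the sample note are all assumptions made for illustration; in practice the escrow KEK would live in an on-premises KMS rather than in the program. Only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative tunables. The iteration count is what makes a weak passphrase
// expensive to guess offline; raise it as client hardware permits.
const (
	pbkdf2Iterations = 100_000
	keyLen           = 32 // AES-256
)

// EncryptedNote is the only thing the client uploads. Everything an attacker
// on the provider's server could copy is in here, and none of it is plaintext.
type EncryptedNote struct {
	Salt       []byte            // per-note PBKDF2 salt for the user's passphrase
	Iterations int               // stored so the client can re-derive the key later
	WrappedDEK map[string][]byte // data key sealed under each authorised KEK ("user", "escrow")
	Body       []byte            // note sealed under the data key: nonce || ciphertext || tag
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018) written over the standard
// library so the example needs no third-party module.
func pbkdf2SHA256(passphrase, salt []byte, iter, length int) []byte {
	out := make([]byte, 0, length)
	mac := hmac.New(sha256.New, passphrase)
	var blockIndex [4]byte
	for i := uint32(1); len(out) < length; i++ {
		binary.BigEndian.PutUint32(blockIndex[:], i)
		mac.Reset()
		mac.Write(salt)
		mac.Write(blockIndex[:])
		u := mac.Sum(nil)                 // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)    // T_i accumulates U_1 xor U_2 xor ... xor U_c
		for c := 1; c < iter; c++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)              // U_c = PRF(P, U_{c-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// sealGCM encrypts with AES-GCM under a fresh random nonce. The aad tag binds
// the blob's purpose so a wrapped key cannot be replayed where a body is expected.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key or a tampered blob fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptNote runs on the client. A random DEK seals the note; the DEK is then
// wrapped under the passphrase-derived KEK and, if supplied, under an escrow KEK
// standing in for a key an on-premises KMS would hold (an assumption of this example).
func EncryptNote(passphrase string, escrowKEK, note []byte) (*EncryptedNote, error) {
	dek, salt := make([]byte, keyLen), make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	body, err := sealGCM(dek, note, []byte("note-body"))
	if err != nil {
		return nil, err
	}
	n := &EncryptedNote{Salt: salt, Iterations: pbkdf2Iterations, WrappedDEK: map[string][]byte{}, Body: body}
	userKEK := pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iterations, keyLen)
	if n.WrappedDEK["user"], err = sealGCM(userKEK, dek, []byte("note-dek")); err != nil {
		return nil, err
	}
	if escrowKEK != nil {
		if n.WrappedDEK["escrow"], err = sealGCM(escrowKEK, dek, []byte("note-dek")); err != nil {
			return nil, err
		}
	}
	return n, nil
}

func unwrapAndOpen(kek []byte, holder string, n *EncryptedNote) ([]byte, error) {
	wrapped, ok := n.WrappedDEK[holder]
	if !ok {
		return nil, fmt.Errorf("no data key wrapped for %q", holder)
	}
	dek, err := openGCM(kek, wrapped, []byte("note-dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap as %q failed: %w", holder, err)
	}
	return openGCM(dek, n.Body, []byte("note-body"))
}

// DecryptWithPassphrase is the normal client path. A forgotten passphrase means
// the "user" wrapper can never be opened: without escrow the note is effectively erased.
func DecryptWithPassphrase(passphrase string, n *EncryptedNote) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(passphrase), n.Salt, n.Iterations, keyLen)
	return unwrapAndOpen(kek, "user", n)
}

// DecryptWithEscrowKey is the recovery path a KMS-held key would take.
func DecryptWithEscrowKey(escrowKEK []byte, n *EncryptedNote) ([]byte, error) {
	return unwrapAndOpen(escrowKEK, "escrow", n)
}

// LeaksPlaintext is the check an attacker on the provider's server could run:
// do the note bytes appear anywhere in what was uploaded?
func LeaksPlaintext(n *EncryptedNote, note []byte) bool {
	if bytes.Contains(n.Body, note) {
		return true
	}
	for _, w := range n.WrappedDEK {
		if bytes.Contains(w, note) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input for the example; not a real note or a real key.
	escrow := bytes.Repeat([]byte{0x42}, keyLen)
	note := []byte("Constructed sample: board minutes, do not share.")
	n, err := EncryptNote("correct horse battery staple", escrow, note)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible to the provider:", LeaksPlaintext(n, note))
	_, err = DecryptWithPassphrase("forgotten passphrase", n)
	fmt.Println("wrong passphrase:", err)
	pt, err := DecryptWithEscrowKey(escrow, n)
	fmt.Println("escrow recovery:", string(pt), err)
}
```

The design choice worth noting is that the passphrase never encrypts the note directly: it only wraps the DEK. That is what lets the same note be recoverable by a second key holder (an escrow KEK, a colleague’s key, a KMS) without re-encrypting the body, and what lets a passphrase be changed by re-wrapping a 32-byte key rather than re-uploading every note. The escrow wrapper is also exactly the object whose release an enterprise key manager would gate by policy.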