Of all the people to finally bring cloud security to the forefront, I never would have guessed it would be Jennifer Lawrence, but since she unintentionally “exposed” this issue, I’ll take a swing at separating fact from fiction.
Since the very beginning, there has been a slight uneasiness about turning over important data to some esoteric technology. When pressed, cloud providers hem and haw about security and a layered approach but never really give you a straight answer as to who is ultimately responsible for the security of your data.
Even Apple, from whom the risqué images leaked, stood firm that “None of the cases we have investigated has resulted from any breach of Apple’s systems including iCloud or Find my iPhone.” Basically: “It’s not our fault.”
I tend to agree with them – the “hack” was essentially a targeted attack using brute force (repeatedly guessing passwords) until they succeeded. At this point, you may ask, why don’t they simply lock out accounts after so many bad attempts? Well, they do. It turns out that “Find My iPhone” doesn’t have account lockouts, and while the jury is still out, this appears to be the way the hackers gained access.
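The gap described above, sketched as an added example (not code from Apple or any provider): a per-account lockout counter only helps if every login entry point consults it. All names here (`LockoutPolicy`, `login`, `evaluated_guesses`) and the sample account are constructed for illustration, and the 5-attempt, 15-minute policy is an assumption.

```python
import hashlib, hmac, os, time

class LockoutPolicy:
    """Failed-login counter keyed by account, shared by every login endpoint."""
    def __init__(self, max_failures=5, lock_seconds=900, clock=time.monotonic):
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.clock = clock
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> clock value at which the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is not None and self.clock() >= until:
            # Lock expired: clear state so the account gets a fresh allowance.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return until is not None

    def record(self, account, success):
        if success:
            self.failures.pop(account, None)
            return
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lock_seconds

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(policy, store, account, password, enforce_lockout=True):
    """Return 'ok', 'denied' or 'locked'. enforce_lockout=False models an
    endpoint that was wired in without the shared policy."""
    if enforce_lockout and policy.is_locked(account):
        return "locked"  # refuse before the password is even checked
    salt, expected = store[account]
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    if enforce_lockout:
        policy.record(account, ok)
    return "ok" if ok else "denied"

def evaluated_guesses(enforce_lockout, attempts=20):
    """Count how many wrong passwords are actually checked for one account."""
    salt = os.urandom(16)
    store = {"user@example.com": (salt, hash_password("constructed-sample", salt))}
    policy = LockoutPolicy()
    results = [login(policy, store, "user@example.com", f"wrong-{i}", enforce_lockout)
               for i in range(attempts)]
    return results.count("denied")
```

With the policy enforced, only the first five wrong passwords are evaluated and the rest are refused outright; the endpoint that skips the policy evaluates all twenty.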
So if someone ‘guesses’ the PIN on your debit card, is it the debit card company’s fault or yours? I suppose the debit card company could require 15-digit PINs (which would make the guessing a whole lot harder) but who would use such a product? Cloud storage is built to be easily accessible from anywhere. The more security you pile on it, the less likely you will get massive adoption – people don’t want to be bothered with multiple levels of security and in most cases cache their passwords so they don’t even need to enter them.
Personally, I’m way more alarmed by the coordinated attacks on several banks just a few days prior to J.L.’s personal photos showing up on the web. Hackers broke into several banks (including JPMorgan) and stole data including account information. Worse – the FBI believes this was an attack financed at least in part by the Russian Government as a reprisal for recent sanctions.
You must assume a certain level of risk when you send your important data out into the ether to fend for itself. You also need a heavy dose of expectations; I’m not sure there is any level of implied security on a service that is cheap or close to free!!
The end result – YOU are responsible for the security of your company data, NOT the cloud providers.