Chekhov’s Law and “The Notorious Nine” of Data Security

In a recent post on the Six Pixels of Separation blog by Mitch Joel, there was an interesting analogy in which data security is compared to Chekhov’s law…

Here is an excerpt:
"The Snowden revelations of massive spying on the American population (and indeed: on anyone who uses Facebook, Google, Yahoo etc) made me think of Chekhov's law. If a gun is hanging on the wall in Act I, it better go off by the end of the play. And in real life: if you put all of your data on servers someone else controls, then you can bet that someone will be looking at it." 

With the rush to get on the cloud, organizations are moving most of their data onto servers controlled externally. The Cloud Security Alliance (CSA) has defined the top nine threats of cloud computing, which it calls “The Notorious Nine”.
  1. Data Breaches - A single imperfection in the design of a multi-tenant cloud service database or client application could be a threat to data security, not only for one client but for every other client connected as well.
  2. Data Loss – There are many ways data could be lost on a cloud server: because of hackers, negligence on the part of the cloud service provider, or natural disasters. An added challenge is encrypted data, which could be lost if the encryption key is misplaced.
  3. Service Traffic Hijacking – There is a threat of hackers getting hold of credentials. With this information they can eavesdrop on transactions, falsify information and manipulate activities. An example of such a situation was evident in the case of the XSS attack on Amazon in 2010, which led to hackers hijacking credentials to access information on the site.
  4. Insecure Interfaces and APIs – In order to enable cloud management and monitoring, IT administrators rely on interfaces and APIs that play an important role in the availability and security of cloud services. As third parties build interfaces, there is a threat to organizations, as they have to disclose their credentials to facilitate cloud integration and management.
  5. Denial of Service – For customers who are billed based on disk space consumption and compute cycles, DoS outages could cost them. Hackers may cause excessive consumption of processing time, making the service too expensive for companies to run, so that they eventually have to bring it down themselves.
  6. Internal Threats – Insiders with critical information and access, and those with malicious intent, may pose a threat. Because they have access to networks, systems and valuable data, the system is vulnerable to insider attacks.
  7. Cloud Abuse – Cloud service providers need to be careful to identify hackers who intend to launch attacks, share pirated software and promote malware.
  8. Lack of Due Diligence – Many organizations are moving to the cloud without a complete understanding of the associated risks in the cloud environment.
  9. Shared Technology Vulnerability – Cloud service providers share applications, platforms and infrastructure to operate in a scalable manner. This poses a threat if they are not designed to have the robust isolation properties required to protect data in a multi-tenant architecture model.
The CSA suggests that in order to maintain data security, organizations need to protect their credentials by prohibiting sharing and introducing authentication techniques, and they need to perform due diligence on the implications and risks involved in cloud adoption, integration and management.

Therefore, organizations need to be wary of the fact that if they are placing critical information on the cloud, it is possible that someone may be looking at manipulating it, and they need to be well prepared to strongly protect invaluable data.
