The recently reported Capital One data breach has once again turned the technology world’s attention to cloud security. So far, the industry can offer little more than speculation about exactly what happened and how the events came to pass. The indictment is vague and the companies are in PR crisis mode.
Let’s not waste this time on conjecture. It’s important to focus on the uncomfortable yet completely valid cloud security concerns while everyone is listening.
The elephant in the room in cloud platform security is the inherently problematic issue of customers not knowing which cloud provider employees are entrusted with administrative-level access to the clouds themselves. Cloud Customer X does not know the names of employees at Cloud Provider Y who, upon succumbing to moral failing, could theoretically abuse privileged knowledge, credentials, or internal cloud provider tools in order to inappropriately access, copy, or otherwise interact with Cloud Customer X’s provisioned systems or stored data.
To be clear, there’s no suggestion that the Capital One breach is the result of insider access or privileged knowledge abuse. While the alleged perpetrator’s prior work history includes employment at Amazon Web Services (the cloud provider from which the data was downloaded), the amount of cloud service know-how necessary to pull off the alleged wrongful acts can certainly be gained by anyone with an internet connection and enough curiosity.
Instead, we need to talk about cloud platform security in a broader sense. We need to make sure when executives sign on the dotted line and agree to put mountains of their own customer data under someone else’s control that they understand the stark trade-off realities, rather than the myths, of cloud platform security.
Simply put, moving operations into the cloudspace means you are putting yourself at the mercy of the cloud host. Ultimately, the cloud provider can take their ball and go home, leaving your business stranded. Doing so might be in violation of some words that an attorney typed up and both sides agreed to. But those words cannot physically stop a cloud provider’s rogue subcontractor from abusing trusted access, and the cloud customer would most likely never know it happened.
There are no easy fixes for such a scenario. But it would be foolish to wait until egregious examples of cloud platform insider abuse become public before starting this very important conversation, even if the topic is uncomfortable for cloud providers to acknowledge and unsettling for cloud users to realize.