Users are the largest cloud computing security threat
As IT focuses on refined encryption and identity management systems, it may be missing a big vulnerability: users
Follow @DavidLinthicum
While it's been obvious to me for a long time, those moving to the cloud are coming to grips with the fact that the most considerable threat to cloud computing security is not from hackers sitting thousands of miles away; it's from the people in the office next door. This article on Bnet agrees:
Once upon a time the world of computer security was divided into two zones, inside and outside, but the shift to cloud computing changed that. "How do you design a resilient security system when the source of the attacks are most likely people inside the system?" says Roger Grimes, a 20-year veteran of the security industry [and Security Adviser columnist at InfoWorld.com]. "How do you educate users to make sure they don't accidentally let an intruder in?"
Nothing really changes. Back in the day, I was asked to do penetration testing for a large minicomputer manufacturer. While password-guessing programs worked from time to time, the easiest way into the system was to call a user and ask for his or her user ID and password. We succeeded about one out of three times.

While there is certainly more education around these days and most people won't provide user IDs and passwords on the phone, this little trick still works. Try emailing everyone in the company and asking for the user ID and passwords for your cloud computing provider, perhaps talking about a "critical software upgrade." You'll still get one or two people to respond before corporate security is alerted. That's all it takes.
However, it's not just phishing attacks that can work around a tight security system. As Google found out with the "China attacks," those users who forgot to update Microsoft Internet Explorer provided a nice on-ramp into their mail system from the outside world, as did vulnerabilities exploited within PDF files. Also, those who log into their office PCs remotely provide a nice point of access, as do mobile computing devices that are frequently stolen or lost.










