Sep 19, 2017 3:00 AM

Safer but not immune: Cloud lessons from the Equifax breach

Suddenly, everyone is an expert on enterprise security, and the cloud is claimed to be a silver bullet for security. It’s not that simple.


I’ve stopped covering breaches. First, because cloud deployments are nowhere to be found among them. (The focus of this blog is advice to enterprises that are moving, or have moved, to cloud computing.) Second, because it just seems like piling on a company that’s already in distress.

However, breaches are on the minds of enterprises on the move, due to the latest breach at Equifax.

What we know now is that Equifax was aware of the breach well before it announced that hackers had gained access. Hackers made off with Social Security numbers, birth dates, and addresses of 143 million people. That’s enough to steal your identity. A few Equifax people resigned, but that does not fix anything.

Like the other major breaches that have occurred in the last few years, a tool betrayed Equifax: an unpatched vulnerability in Apache Struts, used to support an online dispute portal, provided the hackers with access to the website and attached data.

So, could this happen in the cloud? That’s not likely, considering that the cloud providers are more proactive with patches and fixes than the typical in-house IT department, especially when it comes to security exposures.

However, despite what you may hear from some cloud vendors and consultants or the press, being in the cloud does not make you immune from breaches. Cloud users themselves can still make key mistakes, for example in a single-tenant environment such as hosting, so applications running in the public cloud are not completely immune either.

The cloud is safer than on-premises deployments, but you’d be foolish to think it’s completely safe, lest you get complacent and, as a result, make the kind of mistake that gets you in trouble.

There’s a lot of commentary out there from people—vendors, consultants, and the press—who don’t know what actually happened at Equifax or don’t really know much about enterprise security, yet claim they would have done better. Don’t listen to such people.

Focus instead on what’s known, and on what lessons you can learn from the mistakes of others—without the moralizing. Someday, it could be you who neglected a patch or made a mistake that got exploited—whether on-premises or in the cloud.