As the FBI announces it is investigating the 'Cloud' celebrity photo leaks, we take a closer look at cloud computing and its risks.
The FBI has said it is looking into how intimate pictures of celebrities have been stolen and leaked over the Internet. It is understood that some of the images could have been obtained from Cloud services, the most commonly mentioned being Apple's iCloud which backs up content from devices on to the internet. Apple is investigating whether iCloud accounts have been hacked but at the time of writing states that iCloud's security was not breached but that users own security may have been overcome.
The news follows concerns raised by computing experts over the security of cloud storage sites and reminding users that images and data no longer just reside on the device that captured them. Although many Cloud providers may encrypt the data communications between the device and the Cloud, it does not mean that the image or data is encrypted when the data is at rest. Accordingly there are risks for both users and providers which we examine below.
Benefits of cloud computing
The Cloud is not just limited to personal users uploading photos or backing up their smart phone or tablet. Cloud computing is becoming increasingly attractive to businesses, largely due to the potential cost savings in being able to store large quantities of data remotely, negating the cost of purchasing and maintaining complex bespoke computer systems and software. It also allows data to effectively be more portable and accessible from virtually anywhere. As such, it can profoundly change the way people and companies work. According to the Economist, the Cloud will transform the information technology industry.
The Cloud in essence is a form of outsourcing, where parts of the business's IT environment are rented, instead of being operated by the business itself and can then be connected to as needed. Many businesses now use Cloud computing in some way, often for services such as payroll and payment processing, employee benefit portals and data storage.
How does the Cloud impact cyber risk?
Many Cloud users already had some reservations about the use of this relatively new phenomenon. However, businesses put their money into offsite banks and their paper files into third party owned storage facilities without much anxiety, so why should the Cloud be different?
On the one hand many companies may actually improve their security by using the Cloud as Cloud providers will usually make security a top priority. On the other hand, the Cloud is an attractive target to hackers because of the volume of data and the number of users.
Last year, American cloud infrastructure security provider, CloudPassage, detailed the outcome of The Gauntlet cloud hacking contest, which was aimed at understanding how vulnerable cloud environments are to hackers. According to CloudPassage, the winning hacker was able to fully compromise a cloud server in less than four hours. This demonstrates just how easily a motivated hacker can gain access to remote data.
While almost every service used online requires a password, more often than not, it is human weaknesses that give hackers the simplest route to compromising accounts. 'Phishing' - meaning to trick the user into giving up their password - is now considered perhaps the simplest and most effective way hackers gain access to accounts. Phishing is already being blamed for giving access some of the leaked celebrity photos.
The challenge of the Cloud is that it is a shared responsibility between the cloud vendor and the cloud customer. Both sides have to be aware of security issues to prevent a breach and it may not always be clear as to who is at fault when there is a security failure. Many companies will believe they have transferred their risk when their data is in third party hands. The reality is that Cloud contracts often seek to leave little liability for Cloud providers.
The Cloud and insurance
Cyber insurance policies often define the insured's computer system to include third party networks with which the policyholder has contracted. Accordingly if a breach occurs, the policy will usually respond regardless of whether the breach occurred on a local computer system or in the Cloud. However there is still a question mark over who has responsibility for the breach.
It is a good idea to require the cloud service provider to carry cyber cover as well to help fund a loss. This is something that should be discussed with the Cloud provider before becoming a customer.
Another consideration is that if companies rely on a third-party Cloud vendor to transact business on their behalf and a security failure shuts down the Cloud, the policy may not cover the resulting loss of profit. In order to do so, the policy should specifically include cover for contingent business interruption.
We expect to see insurers and insureds continue to analyse their exposure to events in the Cloud. For insurers, this could give rise to concerns about numbers of insureds using a given Cloud vendor and so aggregating risk.
Celebrity photo leaks aside, the cloud has provided efficiency for businesses and in many cases, improvements in security. But cyber threats continue to be a growing issue, and add complexity to risk management decisions. The bottom line is that when it comes to storing data in the cloud, risks should be identified and managed in the same way as if you were storing data yourself.