Head in the iClouds
The recent celebrity "nude selfie" scandal has had a lot of mainstream media attention as well as setting social media ablaze with opinions of varying political correctness.
When discussing this with a friend and former colleague, he summed up the situation (from a security professionals perspective) very succinctly; "If you don't want your nude photos all over the internet, you shouldn't upload them to the internet." When put so bluntly, it is a rather obvious statement. Before I go any further, and to exonerate myself of any libel accusations, I should say Apple has stated that their security processes have not been breached. Odd then, that Wired have published an article speculating all the different ways it was possible to circumvent some of the iCloud security controls including the "Find My iPhone" API which does not enforce a lockout policy on password guesses. In a way it doesn't really matter whether there is a flaw with iCloud or just bad password choices by the user. The fact is - a cloud service is being trusted with some important data.
I imagine there are a lot of people who, in this interconnected world, forget about the iCloud. Take a picture on the iPhone, view it on the iPad without transferring a single file; an excellent user experience all round.
If we imagine that our favourite Hollywood starlets are companies, then their naked photos are probably akin to some of the most valuable corporate secrets. Would a company blindly and automatically upload their valuable data to the cloud? Data classification and handling is something that a lot of companies struggle with. There are several things to think about and several stages to go through:
- What classification levels should we have?
"Public, Restricted, Secret?" "Not Protected, Confidential, Internal, Eyes Only?"
- What protection should be applied to each level?
"Can every employee see Restricted but only management see Secret?"
- What determines what falls into each classification category?
"Everyone will want to see these pictures from the Christmas party, but it will damage our public image if they were seen by our customers!"
- How do we get our staff to start marking the things they produce and marking them accurately?
- How do we retrospectively classify all the data we store and process what was created before the classification policy?
There are several models that address the practical methods of enforcing access rights, such as the Bell-LaPadula model and the Graham-Denning model. Unfortunately classifying data is a very bespoke and company specific exercise which is difficult to standardise into a model. The Cabinet Office does this very well. As a result of their guidelines, the majority of HMG have information classified appropriately.
Unfortunately private companies (and celebrities) don't always have the same strict guidelines. If they did, their most valuable corporate secrets, such as the recipe to Coca Cola (or a private photo) would be subjected to the highest classification. In this case, the private photos were probably classified at the highest level, in the sense that if you asked one of the victims "is it important that this picture does not enter the public domain?" they would most likely answer with a categorical "YES". They don't need a formal written policy on what is sensitive, as it is their personal data, and they will have an emotional response to who they want to share it with. What they may need guidance on is how to handle this data, especially when technology is involved.
If a company revealed to me that they were storing their most valuable data with a cloud provider I would immediately be concerned. It is not necessarily the wrong thing to do, but I would hope that there was some serious consideration given to the benefits vs. the risks, and that there was a full due diligence process. I've not yet touched on one of the biggest, and possibly overlooked storing secrets in the cloud issues; email.
Email has become as much of a data storage and archiving tool as it has a communication tool. I myself am guilty of not saving off or filing attachments and just relying on Outlook's index and search features to find that document or that important message. I imagine that if you had access to an entire organisation's email storage database, not only would you have a mountain of data, there would also be some very sensitive information stored within them. Of course, many companies now outsource their email to cloud providers as it's easy and cheap. The counter to this though, is it's very hard to control the sensitivity of information that is being sent and received over email, and subsequently stored on a remote cloud server that belongs to a third party.
It's easy to think of cloud services, especially storage services, as our own little internet island where we and our data can live undisturbed. It's probably more realistic to think of it as a little fenced garden where you can't see an attacker approaching on the other side of the fence. And they can attack from any direction, using a variety of methods. And of course, it is assuming that the person who built the fence remembered to secure all the panels down. And there's a good combination on the garden gate lock.
If you're worried about what you're putting into the cloud or how to classify and protect data then please get in touch.