For years now, there has been much talk and concern regarding the security risks associated with storing sensitive data in the cloud. These concerns are not unfounded. Hackers have grown more and more sophisticated, and a large cloud service provider is a high-profile and data-rich target, holding the sensitive information of thousands of companies and perhaps millions of consumers. And yet, there is a (some might say surprising) lack of public information regarding data security breaches in the cloud. BakerHostetler’s just-released 2016 Data Security Incident Response Report provides critical insights regarding the most common causes of data security breaches and the industries most affected. But you won’t find any mention of the cloud.
There could be many possible reasons for this. One – the statistics on industries impacted by data security breaches are based on the industry of the data owner, not the industry of the service provider. Clouds are run by service providers; they are not the data owners. Two – the data security breach notification laws are structured such that service providers, including cloud service providers, must notify their customers and are not required to directly notify affected individuals or regulators. The notice that cloud service providers give their customers may never become public. Three – cloud service providers may be incentivized not to report data security breaches due to the potentially catastrophic impact on their business model. That’s speculation, of course, but should not go unnoted. Four – and this one would be really mind-blowing – maybe data security breaches in the cloud just are not happening? Again, speculation, but think about it.
That’s not to say that we don’t occasionally see reports of purported breaches in the cloud – but often those breaches were the result of a cloud customer’s failure to prevent unauthorized access (e.g., theft of user credentials) or the consequences of the conduct of a rogue employee of a cloud provider. These kinds of reported data security breaches are not actual compromises of the cloud service provider’s infrastructure. As my partner Randy Gainer points out (and, as a CISSP, he really understands the technology and not just the law), security at the application layer in an infrastructure as a service (IaaS) deployment is the customer’s responsibility, not the responsibility of the IaaS provider.
There are some interesting pieces out there on theoretical attacks on the cloud. See, e.g., Man in the Cloud Attacks, Imperva, Hacker Intelligence Initiative Report, p. 5 (2016); Mehmet Sinan İnci, Berk Gülmezoğlu, Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar, “Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud.” But thus far these analyses have been mostly academic.
Don’t get me wrong – I am not suggesting that organizations should not continue to take very seriously the potential data security risks of storing sensitive data with a third party. Nor should potential cloud customers stop engaging in serious due diligence regarding cloud service provider security measures or asking for some form of indemnification and reimbursement in the event of a data security breach that is attributable to the cloud service provider.
If anything, the lack of publicly reported incidents of this type only further solidifies the importance of customers protecting themselves against the “big one” when it does hit. And, much like the earthquake I have been waiting for all my life in Los Angeles, the big cloud data security breach will happen. It is just a matter of time.