Luiz - Fotolia

Experts: It's time to rethink cloud data privacy protection

Brian Krebs, Art Coviello and Kris Lovejoy tackle government conflicts and cybersecurity shortcomings at the Privacy. Security. Risk. 2015 event.

LAS VEGAS -- With the rapid growth of cloud services, enterprises and U.S. government agencies need to re-evaluate data privacy protection before it's too late, according to experts at the Privacy. Security. Risk. 2015 event this week.

Experts, including investigative security reporter Brian Krebs, former RSA Chairman Art Coviello and Acuity Solutions President Kris Lovejoy, painted a gloomy picture of cloud data privacy during the event, which is presented by the IAPP Privacy Academy and Cloud Security Alliance Congress.

During his keynote presentation Wednesday, Krebs said the sad truth is Americans don't have a lot of privacy today, and the issue is further exacerbated by having so much personal information stored in various cloud services and available to users. "Having all that data instantly accessible in the cloud is a massive draw," he said.

However, Krebs said having all of that personal data makes cloud services a huge target for attackers. And users and enterprises need to ask themselves whether the convenience of instantly accessing that data is worth the potential security risks of accidentally exposing it or having attackers steal it. "The longer we delay a decision about whether to have all that data available to us at all times, or to accept the risks and inconveniences of storing it locally, the greater the risk when these systems become compromised," he said.

Coviello, who retired from RSA earlier this year, said new technologies, such as cloud, have often jeopardized data protection and privacy. The attack surface has expanded "so dramatically that it's becoming unfathomable," he said, and public and private entities -- both in the U.S. and abroad -- need to address that fact before it's too late.

"The United States is living in the biggest and most vulnerable digital glass house on the planet," Coviello said during his keynote address. "But not for long, though. With the ongoing expansion of the cloud and the new reality of the Internet of Things, the digital glass house market is exploding in numerous countries."

Another complication for cloud data privacy, according to Krebs, is the lack of strong authentication systems that too often rely on personally identifiable information (PII), such as social security numbers and birth dates, which cannot be changed. He cited the example of the recent IRS data breach, where attackers were able to use previously obtained PII to log in to an online system and access people's tax information.

"From my perspective, an overreliance on static identifiers to authenticate people is probably the single biggest threat to consumer privacy and security," Krebs said.

Lovejoy, formerly general manager of IBM Security Services, echoed those concerns about identity and access management during her keynote, encouraging enterprises to develop risk profiles based on each user's access to sensitive data and privileges. "Not all users have the same risk profile," she said, adding that employees handling PII have a higher risk profile, and need stronger authentication and data privacy protection measures.

"What I've seen in the most effective enterprises is when you onboard an employee, for example, it triggers the HR system to put them in a group; the HR system triggers the identity and access management system to provision their access to the systems, and it also provisions out the endpoint management solutions and security controls to the endpoints," Lovejoy said.

Enterprise threats and government action

Most organizations have neither the risk profiles nor the strong authentication methods, which makes them easier targets for attackers. And Lovejoy offered some sobering statistics from recent IBM security research about how frequent attacks can be.

"An average organization of 15,000 would look at approximately 1.7 million security events per week. Of those 1.7 million security events, 324 of those events were security attacks. Those security attacks were deliberate attacks carried out by motivated attackers," she said. "For those attacks, 2.1 of those 324 attacks would result in a compromise. So, 2.1 times a week a bad guy was getting into the organization."

Only a small percentage of those compromises, Lovejoy said, actually resulted in something significant, such as a privacy breach or a network disruption. But there was still some impact that the organizations had to respond to, she said.

"If your organization tells you that they've had no compromises, then they don't know. This is a biological model and we're all infected," Lovejoy said.

If your organization tells you that they've had no compromises, then they don't know. This is a biological model and we're all infected.
Kris Lovejoypresident, Acuity Solutions

Most often, the compromises were caused by human error, such as weak passwords or clicking on phishing emails, she said, which makes it easy for attackers to gain access to both on-premises and off-premises systems and services.

In addition to revamping authentication methods, Krebs also said it is "high time" for the U.S. government to revisit its outdated privacy protection laws, which haven't been updated since about 1986. He also criticized the federal government's intrusive policies regarding cloud data privacy. "It's really remarkable, given all the regulations that we have in the post-Snowden era that we still have, for example, laws that allow our government to read our email without a warrant and stored on a cloud server when they're more than six months old," Krebs.

While the cloud can be problematic in terms of data privacy protection, Lovejoy said it can be helpful in some areas. For example, she stressed the importance of agile software development enabled by the cloud, which can facilitate agile development. "We need to be thinking about how we build security inside our applications, because this is where it all falls apart," she said. "If we do not get this right, then we have no hope of protecting anybody's data."

The speakers also discussed how information security and privacy protection are often at odds with one another. Krebs said the fundamental question today is "whether we can have better authentication and security without further compromising our privacy."

Lovejoy said she believes there is hope in the privacy field, but only "if we are truthful with one another about the growing contention between the needs of cybersecurity and the needs of privacy protection."

Coviello, meanwhile, called for a "reimagining" of privacy and security in today's world that focuses on collaboration and strong dialogue between opposing sides, rather than constant arguing and inaction. "You know as well as I do that the current state is antiquated, not working, and not keeping up with technology. And it will only get worse for all the reasons I've been talking about," Coviello said. "Take what you learn here and build on it. Propose policies and solutions. Reach agreement on the issues you can, and make incremental progress."

Next Steps

Find out why former RSA Chairman Art Coviello criticized the U.S. government's key escrow plan

Learn why Microsoft and its rivals are challenging the U.S. government over cloud data privacy

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices