Most companies will experience a data breach in one form or another within the next few years. The estimate of impacted organizations varies based on the source of information, but usually between 40% and 60% of organizations suffer a breach each year. When this inevitable breach does occur, it can have devastating consequences for a company's finances and reputation. Traditional risk management strategies consider the financial impact and the likelihood of occurrence to address identified risks. There are four options to manage these risks:
- Mitigate the risk -- For instance, if the cost of the control is lower than the potential losses;
- Avoid the risk -- This often covers risk with a high financial impact and high likelihood of occurrence;
- Accept the risk -- The organization decides not to implement controls for various reasons, including cost-effectiveness; and
- Transfer the risk -- Usually to a third-party insurer.
Data breach compensation from a responsible third-party service provider is not always considered, but this option should be investigated. What happens if the cloud platform itself is breached, providing access to and even across customer data?
Data breach compensation
Most documented data breach compensation cases cover personal information leaks, such as the 2014 Sony Pictures and the 2015 TalkTalk breaches. In this type of case, personal information is leaked and the responsible organization offers payment, before or after a legal battle, to compensate the affected users for their loss of money or privacy. Although a bit more complex, a similar system does exist between companies. This is usually covered in service-level agreements (SLAs), which include a broad range of service metrics and items such as compensation for downtime and data breaches. The main issue with standard SLAs is that, in reality, the value of the data breach compensation does not even come close to the significant loss an average breach or outage can cause an organization. For example, an organization had its website crash during Black Friday sales, resulting in a loss of $50 million in revenue. This organization was compensated with a six-hour service credit worth approximately $300.
Cloud environment nuances
To dive deeper into the specifics of a security incident and data breach compensation for cloud customers, it is important to understand some key differences between cloud environments and traditional, customer-operated ones.
The main difference is the shift in responsibilities from the customer toward the cloud service provider. These responsibilities not only cover infrastructure availability and performance, but also part of the security of the service. They grow with the depth of the customer's cloud adoption. For instance, the security responsibilities of a cloud service provider are higher for an infrastructure as a service model than for a software as a service model due to the increased exposure and risk of the provided services. The potential damage of an attacker exploiting the underlying cloud system becomes larger simply because more services are under the control of the cloud platform.
Another important difference is the multi-tenanted environment. Cloud providers are a high-value target because of the possibility of accessing the systems of many customers at once. For instance, imagine an attacker getting access to the Azure web services platform or inside the Rackspace infrastructure. If that sounds farfetched at this early cloud adoption stage, also consider the potential of an insider attack. Who has vetted the cloud service provider's staff, and is the vetting process held to the same standards as their customers' own? This is still unexplored territory.
Historical cloud breaches
Even though it is hard to find any examples of major cross-customer security breaches in cloud environments, more security experts are warning about the enormous risks. In 2015, researchers from Worcester Polytechnic Institute claimed to have used their Amazon Web Services instance to gain access to another AWS instance on the same machine, which they documented in a rather complex whitepaper. Amazon immediately downplayed the risk and stated that this attack needs "extremely rare, unlikely pre-existing conditions and outdated third-party software" to be present in the targeted Amazon Elastic Compute Cloud instance. This example does show, however, that just because the data is in the cloud and is possibly encrypted, it doesn't mean that the system is bulletproof. It is only a matter of time before the first large cloud-themed security breach hits the media.
It is of great importance to investigate and agree to a cloud data breach compensation policy. This is due to the increased exposure and impact of a breach and with that, the increased risk to any organization. Damages from a private information leak or extensive service downtime cannot be settled with the traditional SLA compensation amounts. Damages can run far into the millions of dollars. A few months of free service simply does not work in that case. An uptime of anything less than 99% on the Azure Application Gateway cloud service, for instance, gives the customer a service credit of 25%. Imagine owning a large webstore and dealing with two days of downtime. It would not even be worth a few hours of paperwork to obtain that service credit, especially when dealing with the aftermath of a recent major outage.