Could public cloud breaches drive a resurgence in private data centres?

Chris Evans
Categories: Cloud, Data Management, Data Protection, Enterprise

News of a recent hacking attack on Microsoft’s cloud platform had me wondering whether the risk of potential data exposure could drive some businesses back into private data centres.  The current growth in spending on the cloud says not, but other hacks may prompt a rethink in strategy.

Background

The hack in question was a zero-day exploit on a Microsoft API (GetAccessTokenForResourceAPI) that enabled Chinese hackers to gain access to a limited number of sensitive Exchange Online and Azure AD accounts (including the US State Department).  Microsoft has stated that the exploit has been patched and denies that any wider exploit on the Azure platform has taken place. 

Elsewhere, a wide range of organisations have been affected by the MOVEit hack, which exploited a data transfer tool as a way to exfiltrate data.  The potential loss in this instance could be as much as $100 million in ransom payments, according to one source.

Cloud Attacks

Of course, there have been many breaches in public clouds in the past.  Personal data was stolen from Facebook in 2019, resulting in a $5 billion fine and a $100 million payment for inadequate notification.  LinkedIn lost the data of 700 million users in 2021, while Accenture lost corporate data the same year.  Who can forget the SolarWinds hack that attacked the software supply chain to embed malware and access the systems of up to 18,000 customers? 

To my knowledge, in the public cloud IaaS market, the only major security breaches reported have occurred from end-user mistakes rather than zero-day exploits on the infrastructure of cloud platforms.  This record seems quite remarkable, considering the scale, complexity, and extent of modern public cloud platforms.

We do, of course, live in a world of data “oversharing” where multi-cloud and hybrid cloud have become accepted IT architectural models.  Ingress points and attack vectors are increased with the added complexity of multiple security models on each platform. 

Integrity

From the list of hacks mentioned above, we can see two major groups.  There’s personal ID theft (the Facebook and LinkedIn examples), while the others relate to the theft of sensitive corporate assets, including emails.  Where ransomware might target data for encryption to gain money by releasing the decryption key, corporate thefts of data look to blackmail organisations into paying to avoid leaking sensitive information. 

Think back, for example, to the Sony Pictures hack from 2014.  The logic here is that organisations would rather pay a ransom than have corporate secrets leaked to the Internet that might lead to reputational or competitive damage.  As IT organisations become more adept at detecting and recovering from encryption attacks, blackmail attacks may come to be seen as more lucrative (and more likely to be successful), especially against multi-billion dollar organisations. 

Cloud Breach

Could a public cloud platform be breached from the inside?  There are two scenarios for gaining access to business data on the cloud.  The first is to compromise a user account; the other is to compromise the platform itself.  Compromised user accounts are the most common issue we hear about, where poor process leads to the leak of security credentials.

Zero-day exploits in a cloud platform itself are almost unheard of (hence the interest in the Microsoft story).  What are the implications of a public cloud vendor suffering an internal security breach?

Possibly the most significant issue is the use of integral key management solutions.  If the platform itself is compromised, then the encryption provided by integral key management could be worthless.  In a worst-case situation, those keys could be used elsewhere to access data on (for example) internal platforms.
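The defensive counterpart to this concern is to keep the key-encryption key (KEK) outside the platform that stores the data, so that what the cloud holds is ciphertext plus a data key wrapped under a key it never sees.  The following Go program is an added illustration written for this post, not code from the blog or from any cloud vendor: it implements envelope encryption with AES-256-GCM from the Go standard library, assumes a customer-held 32-byte KEK, and uses a constructed object identifier as associated data so an envelope cannot be silently swapped between objects.  A party holding only the stored envelope and the wrong key cannot recover the data key, which is the property the paragraph above says integral key management does not give you.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only material a storage platform would hold for an object:
// the ciphertext and a data-encryption key (DEK) wrapped under the customer's KEK.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the customer-held KEK
	WrapNonce  []byte
	Ciphertext []byte // object data encrypted under the DEK
	DataNonce  []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, ciphertext or aad differ from those used to seal.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt generates a random DEK per object, encrypts the data with it, then wraps
// the DEK under the customer KEK. objectID (an assumed identifier such as a bucket path)
// is bound to both layers as associated data.
func Encrypt(kek, plaintext []byte, objectID string) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes for AES-256")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	dataNonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, WrapNonce: wrapNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt unwraps the DEK with the customer KEK and then decrypts the data.
// Without the correct KEK the first step fails and the DEK is never exposed.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.DataNonce, env.Ciphertext, aad)
}

func main() {
	// Constructed demo: the customer KEK lives on premises; the platform only ever sees env.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, []byte("constructed sample: payroll export"), "exports/payroll.csv")
	if err != nil {
		panic(err)
	}
	platformKey := make([]byte, 32) // whatever the platform itself holds is not the KEK
	if _, err := Decrypt(platformKey, env, "exports/payroll.csv"); err != nil {
		fmt.Println("platform-side key cannot unwrap the DEK:", err)
	}
	pt, err := Decrypt(kek, env, "exports/payroll.csv")
	fmt.Printf("customer KEK recovers data: %q err=%v\n", pt, err)
}
```

Binding the object identifier as associated data means an envelope copied from one object path to another fails to decrypt even with the right KEK, which closes the "keys used elsewhere" route the paragraph above describes for material that is re-used outside its original context.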

A zero-day attack on a public cloud that leads to privileged access is probably the worst-case scenario to imagine. 

Reputation

I’m not a security expert, but I’m sure a significant portion of public cloud IaaS and SaaS budgets are spent on security.  In a podcast episode we recorded recently with Commvault, we discussed the layers of security involved in delivering the Metallic SaaS backup service.  SaaS vendors focus not just on stopping hackers from getting in but managing the risk of malicious internal attacks.

However, are we lulled into a false sense of security with the public cloud, which only uses the same basic components (hardware and software) as any on-premises data centre?  Software bugs can exist in any system – no platform is entirely immune.

The Architect’s View®

Should businesses consider moving back to private data centres?  I believe that the cloud genie is out of the bottle.  We’re not going to see a mass return to private data centres anytime soon.  However, businesses should question any process that shares data outside the corporate data centre.  That could be for EFT purposes, log management, or other B2B processes.  It’s notable that the most successful hacks in recent years have been on software intermediaries (MOVEit and SolarWinds).  We should all be cautious as to how these solutions are used and how data is encrypted across them. 

There will definitely be a renewed focus on third-party software used by businesses, including SaaS platforms.  A lens will be placed on the software supply chain and processes for secure software development. 

But the greatest benefit is perhaps not to overshare our data and to implement solutions in-house where possible, including repatriation of more sensitive data and applications.


Copyright (c) 2007-2023 – Post #ad3b – Brookend Ltd, first published on https://www.architecting.it/blog, do not reproduce without permission.