Wednesday, May 31, 2017

China Hacking Clouds

I was reminded today of a story about the U.S. government trying to get people to use clouds because it was more secure.  Then I read a new report of an old hacking exposé, Operation Cloud Hopper, by PwC and BAE, that lays out the details of how they know China is hacking clouds and service providers, and how the networks are controlled.  The scale is broad and deep.  They come to the obvious conclusion that when hackers compromise a cloud, they get a lot of the people using that cloud, including some they did not specifically go after.  Those customers fall into the Chinese lap because they use the cloud being hit.

They have some nice charts in this report that show the links to the 13th Five Year Plan and the industries they are trying to build through theft.  There are also some good arrays of the C&C networks that were used.  It is obvious that the Chinese have not stopped stealing information about businesses and they are not going to.

For the user of clouds and service providers like Apple, Amazon, and Microsoft, there is a good reason to do better security.  We have to rely on these folks when our data is in their hands.  We can't do anything about what they don't do because we have no visibility into how they control those networks and what they do internally to find people hacking their customers.  Customers have no say in the service level agreements that are shoved down their throats.  If I were a large business paying for services like that, I might want to know more about what is being done.  Look critically at what they say about the protection standards for some of these services.  Only lawyers can read half of those agreements.  Get one to review yours.

They used to say that they were doing "industry best practice".  That only sounds good until you recognize that it means "whatever we say is standard".  Under the covers, they were not even doing basic security and separation of user data.  Now that the industry has matured, maybe they can tell you what that means.
