Recently, there has been quite a bit of media coverage about some sensitive, private pictures of celebrities stolen and published. While we have seen similar incidents in the past (from celebrities to British royals’ mobiles being compromised), this incident is focused around consumer-centric cloud offerings from heavyweight companies.
When incidents like this happen, the popular knee-jerk reaction tends to be to find someone to blame. In this case, the candidates are:
1. The attackers
2. Consumer-centric cloud services providers (used on iOS, Android, Windows Mobile, for example)
3. The celebrities themselves
Of course, the attackers are ultimately responsible, but it is interesting to see the service provider and the end-users sharing a piece of blame assigned by some (the Internet provides a forum for everyone who wishes to share their opinion, for better or worse).
If, for this post, we can set the attackers aside (hackers gonna hack, as it were), we can instead focus on the defenses. Things do get a bit murky once we take the attackers out of the equation. This is not to minimize the role that the attackers play and how they capitalize on the coverage, but rather is to shift focus to those on the side of the defenders.
In this, there is a strong parallel between how organizations use public cloud resources, and how consumers experience these services.
The superficial similarity is cloud. iCloud and others are consumer-centric public cloud services, Infrastructure-as-a-Service providers cater to business-centric public cloud requirements. Ultimately, they are all public cloud, but there is a different parallel exposed when considering things from a security point of view across the providers and end-users.
The idea of shared security responsibility immediately comes to mind. First, let’s look at the largest corporate-centric public cloud player, Amazon. Here they lay-out the shared security responsibility model in straightforward terms. In the section labelled, “Sharing the Security Responsibility” the model is quite clear.
However, the audience is assumed to be relatively tech-savvy folks. Not many consumer end-users have the need to spin-up a Linux instance on Amazon, and so Amazon’s assumptions are fair, and the model is well communicated.
Turning to consumer-centric public cloud-based offerings, it gets… convoluted. To again go to the well that is John Leyden over at The Register, murky is as murky does. While the article focuses on iCloud, the take-away is about shared security responsibility, and the understanding of that model as presented (or not) to the consumers of the service.
In a shared security responsibility world, blame should also be shared. While the service provider may protest that their service was not compromised, only the end-user was compromised, the question is:
“Were end-users adequately informed of their responsibilities in this relationship?”
Yes, the attackers are the ultimate culprits, but we’re focusing on the defenses. In a shared security responsibility model, if one party is utterly unaware of their role, it’s fair to say the model has not been implemented properly.
Further, the consumer isn’t the one declaring their role in the sharing of responsibility, it is the service provider who decides. Worse, those terms are often buried in End User License Agreements, and I’m sure we can all agree that few outside of the lawyering community give them more than a passing, “Where’s the ACCEPT button?” glance.
I myself have purchased a device or many. I am always amused to see the pre-loaded mechanisms offering me wonderful value (never lose a picture again….yay!) without a clear explanation of the underlying mechanisms, limitations, and the distribution of security responsibilities.
We are a convenience-over-security crowd. That is not likely to change. There may well be a simple lesson in breaches of consumer data; when securing consumer data, the onus of understanding security is shared between the service provider and end-user, but it is up to the service provider to make users aware of the bargain that they are striking; convenience, but with security implications included.
Simple steps can be used to avoid incidents. Enforce strong passwords. Use two-factor authentication (three authentication failures, and you have to enter a code SMS’ed to your mobile, for example). In general, put the end-user a bit out of their way to help them secure their end of the bargain.
Surely, adding layers of warnings and requirements atop the usual value presentation could thwart end-user adoption of a service, and marketing departments don’t like that. Yet, when the shared security model fails, will adoption not also feel the effects?
How will the marketing folks spin these recent, high-exposure, security failures? Effectively, I imagine, while avoiding the root cause.
Perhaps I’m wrong, and those with consumer-centric cloud services will learn – I really don’t know how this will spin-out. The time-tested indications from the past indicate it will flare for some time, then fizzle. Then again, there’s nothing like celebrity power.
Looking across the spectrum of public cloud, it is clear that extending trust is part of the equation. Amazon knows their audience; a tech-savvy group. On the consumer-centric side, it is much more difficult. The goal of cloud providers is marketshare – to provide more services, and see those adopted by more people, than other companies. In focusing on that - much broader - market, simplicity is the goal. Introducing elements of the shared security model complicates things at the point of adoption.
The open-ended question is, who carries the responsibility in a shared security model? The data belongs to the consumer, or it does until the point at which the consumer agrees to nifty back-up stuff. The mechanisms and details of authentication and authorization belong to both parties, while the end-user credentials, and the system from which they are used, are out of the hands of the service provider (beyond setting minimum password complexity rules, and the like).
In the end, sharing responsibility also means sharing blame. Shared defenses are complicated, especially when the parties involved have diverging, or at least unshared, goals. If this group of incidents does provide value, it will be in service providers and end-customers recognizing that they are in this thing together.
The good news is that consumer service providers have heard the call. Apple’s Tim Cook commented:
“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece, I think we have a responsibility to ratchet that up.”
Meanwhile, Facebook – which has experienced its fair share of privacy concerns – has recently expanded a program that is downright obtrusive (in a good way) in putting security and privacy settings in front of the end-user.
What can you do? Here is a helpful guide for setting-up two-factor authentication with various services.