I stumbled across a tattered paperback copy of Kurt Vonnegut’s Breakfast of Champions as I was reflecting on the latest Microsoft Cloud security breach reported last week. So, in his style of discarding preconceived notions about humanity (and a nod to the first chapters of Genesis), I offer a few thoughts on the incident, and what can be done about it:
Once upon a time, there were thoughts and ideas, and they were plentiful, but waste and void. And there were people who wanted to share ideas, but the ideas were isolated and darkness was upon the people’s faces. Some of these people worked at ARPA, and they were chartered with doing something about the void. They created what would become a set of protocols to enable users in distant lands to share their ideas. And the spirit of sharing expanded, and users came from all around, and began communicating on the system, and it was good. And some of the data on the system was fruitful and multiplied and became information, and some of that information became knowledge, and some of that knowledge became wisdom. And folks began transacting on the system, and the firmament of internet commerce was made. And expensive machines called servers proliferated, and people developed expertise and eventually careers in mastering the servers. And the sharing was good, and gained popularity among the people who used the protocol for sharing, and interest among people who didn’t yet. After all, even non-believers knew that ideas could potentially be traded for currency. As popularity increased, the community needed some way to describe this system to non-believers in order to evangelize it, and chose a graphic representation of an amorphous gaseous condensation called “the cloud”. And the cloud became the name for a less expensive way to share ideas, essentially sharing machines among the users so that they paid for only what they used.
But sharing information in the cloud was not without rules. Chief among them was that only folks who were approved to see the information could actually access it. These rules became codified and applied to machines under a system called configurations. And the configurations stratified themselves according to the type of information they were protecting, and the users who were accessing the information. But these configurations are only as strong as the users who ensure they are in place. And so a tiny hole began to appear in the cloud.
At this point, the bright orange flyleaf of Breakfast of Champions was beginning to burn my eyes…
Configurations are critical in sewing up potential holes in the cloud as well as in physical systems. This may sound familiar to those of you who recall a DoS attack on Microsoft’s website due to a router configuration error in 2001 (http://www.enterprisenetworkingplanet.com/netsecur/article.php/600341). Last week, Microsoft found a hole in their Business Productivity Online Suite (BPOS) that allowed non-authorized users to download data. This could have been avoided with proper configurations. There are many solutions available to help with sewing up the potential holes in the cloud. Tripwire Enterprise is one such solution. For information, see http://www.tripwire.com/it-compliance-products/te/
As adoption of the cloud increases, so will the potential for larger and more damaging holes in the cloud. Tripwire Enterprise can be an effective solution to sew up those holes.