iCloud Watch

Celebrity nude photos scandal a wake-up call for cloud users

If photos were stolen during a cloud hack, enterprises may be more skittish over cloud use

Hacked, unlocked, unsafe.

An apparent hack of cloud storage sites that caused a slew of nude images of female celebrities to hit the Internet over the weekend should serve as a wake-up call for the public, and for enterprises, to be more cautious with the information they store in the cloud.

Whether the scandal will make some enterprises, already nervous about cloud security, more hesitant about migrating to the cloud remains to be seen.

"This is a great example of what can go wrong with the cloud," said Jeff Kagan, an independent IT industry analyst. "I don't know if this will make people or enterprises more hesitant about the cloud, but it will make them more careful, and that's good. That's how we learn. We learn not to touch the hot stove when someone else gets burned."

Over the weekend, stories emerged about nude photos of model Kate Upton and actresses like Mary E. Winstead and Oscar-winner Jennifer Lawrence appearing online. Some of the photos appear to be authentic. Others do not.

The FBI and Apple both told NBC News that they're investigating what appear to be hacked iCloud accounts. Apple's cloud-based service is used to store photos, music and videos from Apple devices.

According to a story in the Wall Street Journal, Apple said it is investigating reports that hackers exploited vulnerabilities in its cloud service.

A scandal involving cloud security that receives attention in mainstream media could give pause to IT and business executives who have been moving toward the cloud. Some companies already are nervous about the reliability and security of cloud-based systems, and headlines about a cloud hack and privacy breach could add to those concerns and slow cloud adoption.

Dan Olds, an analyst at Gabriel Consulting Group, said the reported hack is not good news for cloud computing.

"While some people might think that this is just celebrity-chasing, consider that the guy who revealed all of this stuff didn't make any money on it," said Olds. "Wouldn't someone who was motivated to make money have even more motivation to steal trade secrets and things like that?"

A hacker going after an enterprise would be more motivated and might work harder, he said.

"What happens when true professionals start taking a run at data stored in the cloud?" Olds asked. "I would think that all of this would give potential corporate and government customers pause."

However, what enterprise executives need to remember is that the cloud is not inherently less secure than any other IT deployment platform, said Allan Krans, an analyst with Technology Business Research. Individuals' cloud-based accounts aren't likely to be as well protected as companies' cloud-based systems, he said.

"There are security, password and identity-management issues with all types of IT systems that can and have been hacked," Krans said. "I think this type of personal backup service is more inherently unsecure due to the type of access allowed. It is not centrally managed by an organization, but by a number of individuals who require frequent and easy access, which creates more security gaps that can be exploited."

People who, for example, use the same password for various services and want quick and easy access to their cloud accounts are unlikely to set up defenses that meet the strict standards of enterprise security requirements.

Kagan noted that this celebrity hack should serve as a wake-up call for users to be more careful and for cloud vendors to build more secure infrastructures.

"We don't know in this case whether the weak link was with the cloud itself, or with the user -- like with a weak password or no password," he added. "There are so many ways to break into the cloud, and users simply are not aware there is a risk."

Patrick Moorhead, an analyst with Moor Insights & Strategy, said the problem isn't necessarily with Apple's iCloud service.

"It's possible that a cloud service was hacked, but not probable," he said. "It's more than likely an intrusion came through compromising a PC, a stolen phone or phone app passwords, or a rogue phone app."

If it turns out that the hack stemmed from a flaw in cloud security, individual users and enterprises may be pushed to boost their own cloud security.

"If a cloud service was hacked, enterprises will be more hesitant about using the cloud," said Moorhead. "But in many ways, the cloud is safer than on-premises IT, as [cloud vendors] can afford the latest and greatest in security techniques.… Enterprises need to ensure that a few things are in place. It's important that all data is encrypted everywhere in the workflow, including the client device, the network and the server. It's also important to limit certain data from administrators, who may have access to account information or unencrypted data."

Other analysts said that enterprises need to conduct their own penetration testing and should not treat all workloads and data the same. Some data and applications will need tighter security than others, and IT departments should make sure they get it.

Moreover, companies embarking on cloud migrations should start by deploying less sensitive data and then working up to more confidential data based on what they learn.

Companies, and individuals, need to focus more on security when storing information in the cloud, Kagan said.

"We must focus more on security and protecting our private data," he said. "That just makes sense. Companies need to raise security to the top of the page…. I would expect we will start to see some [cloud service] companies use security as a marketing tactic."

Copyright © 2014 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon