Site Logo
Security in the cloud Archives - The Latest on Accounting Tech for SMEs

Desktop Software More Secure Than the Cloud? Not Likely

by

Cloud software, although easily accessed over the internet, was typically much more secure than desktop or server software, said security experts and software developers.

“The developer of a web app takes security seriously because they are exposed to everyone on the internet. Legacy software providers don’t take security seriously,” McLean said Richard McLean, a software developer behind the online payroll program KeyPay.

McLean pointed to an incident last year where a Gold Coast medical centre was held to ransom by Russian hackers. The hackers broke into the server remotely and encrypted the server software containing business and medical records as well as the backups. The business was told to pay $4,000 so the information would be decrypted and the medical centre could continue to operate.

Security issues with desktop accounting software included allowing logins without passwords and the widespread practice of sending data files with commercially sensitive information in unsecured email or mailing unencrypted CDs or USB keys.

Another security risk was running accounting and financial software on a laptop protected just by a system password.

“If they lose the laptop, an IT guy would take 60 seconds to reset that and have access to it,” McLean said.

An attack similar to the Gold Coast example was much less likely to happen in cloud software, McLean said. Usernames and passwords were encrypted in cloud software databases for a start.

“We all run bank-level security so any data that we perceive to be important we encrypt in our database,” McLean said. “We have an extra level of security which is the information sent between the browser to the web server is encrypted as well.”

Security experts say that because cloud software is more accessible, software developers must start with a much higher base level of security than desktop or server software.

“In the case of desktop software, it is assumed there is no protection of the data as it is just files on the local disk. The data and application are both essentially unprotected as they are directly accessible to the user,” said Adam Pointon, director of Sentinel Data Security. “There is essentially no protection to local attack.”

Once a person has control of a desktop computer – either sitting in front of it physically or by remote access over the internet – it was relatively easy to bypass password or licence controls to access the data file. Even if a person couldn’t open a desktop accounting application, for example, they could still copy the data file and examine the contents.

By comparison, cloud software sent only the data requested by the user through a remote process over which the user had no control.

“You can’t directly ask the database for data, or read the data file from disk and inspect the raw contents,” Pointon said. “Likewise you can’t control the application like you can on a locally-executing program nor access its memory space.”

Desktop applications used with remote access software such as Citrix Receiver were also more secure than desktop software alone, Pointon said. The user was prevented from tampering with the files running the application or the operating system.

The risks for online software were twofold, Pointon said. A user had to rely on the online software vendor’s security practices to be sufficiently high enough to protect user data. And poor development of cloud software could expose users to greater risks than the same mistakes in desktop software.

How Secure is Google Apps?

by

Security in the cloud is one of the most common topics with new customers. Business owners are often nervous about moving to the cloud because they can no longer see their servers that hold their valuable information.

The irony is that cloud services such as Google Apps are in many ways much more secure than the typical office server.
For example, data stored in Google’s data centres is spread across many servers so that if one or more servers fail you can still access your information.

In technical terms this is called high availability. Google Apps promises that it will operate 99.9 percent of the time. This equates to nine hours of downtime every year, which is far above the reliability of an office server. You can check whether there are any performance issues by looking at the Google Apps Dashboard.

Google data centres have extremely high security with guards patrolling the premises 24 hours a day. Protecting these are various security measures including access controls, surveillance and guarded fences. Even though all your data is not stored in the same place, the level of physical security makes it even harder for someone to access even a small portion of your data. Google publishes a map showing the locations of Google’s data centres (the Sydney data centre is operated by another company and so isn’t on the map).

Complementing the physical security is the IT security team. As you can imagine Google can afford to hire the best security professionals worldwide. This team of high-level engineers, many recognised as leaders in the industry, have the highest level of qualifications in security.

Who would you rather look after your data? Highly knowledgeable experts or your local IT guy?

There are also some specific security implementations that are relevant to Google Apps. For example:

Updates. When vulnerabilities are discovered in Google Apps Google can update the program instantly while millions of users are using it and not need to take it offline.

  • Encryption. Browser sessions when using Google Apps is encrypted.
  • Single Sign-On (SSO). Google Apps users can either log on with Google’s authentication service or use another provider’s.For example SSO can be used to force users to update their passwords for Google Apps every month.
  • Two-factor authentication: Google Apps can use smartphones and tablets to provide a second password for Google Apps users. It works just like those digital tokens some banks require for business accounts.
  • Administration tools. Google Apps Administrators can easily monitor their users. This includes an overview of accounts, usage and provisioning as well as audit logs to see who has accessed and edited docs in your domain.

There are also various Third Party Applications that help secure your document data further. For more read How to Secure your Documents in Google Apps.

Google Apps is best used with the Google Chrome browser which ensures your data is protected not only on Google’s servers but also on your laptop or desktop. By using both products you can protect your data more efficiently. Here are a few ways that Chrome improves the security of Google Apps.

  • Auto update. When Google finds a vulnerability and pushes out an update, your Chrome browser will see this and update your browser in the background.
  • Sandboxing. This stops programs installing themselves on your computer and stops applications affecting what happens in another tab in your browser.
  • Warnings. Google Chrome will pop up with a warning detailing why it thinks you shouldn’t visit a web page known to host dangerous content.

These are highlights from the full list of Google Chrome’s security features.

It’s important to remember that nothing is 100 percent secure. But when it comes to security in the cloud, Google Apps is far more secure than the vast majority of businesses.

Image credit: Google

 

Why the Patriot Act is Irrelevant

by

A common question asked by companies investigating cloud computing is how the Patriot Act affects them. The Patriot Act is the name of legislation introduced in the US in October 2001 to assist in identifying terrorists in the US and internationally.

The concern is that the US government has access to all data held by American companies anywhere in the world. For example Google, Microsoft and Salesforce.com are subject to the Patriot Act and therefore the US government can access to their customers’ data.

This doesn’t actually play out in practice. Concerns about the Act are largely the result of local IT companies spreading what we call Fear, Uncertainty and Doubt, or FUD. Many of these companies are afraid of losing customers to cloud platforms and therefore spread misinformation.

It often works. I have witnessed companies turn down cloud solutions because of fears about the Patriot Act and the supposed influence it gives the US government over your data.

In fact the concern with holding data in Australia or overseas is irrelevant. The Australian government already hands over data stored in Australia by Australian companies to the US government as part of the Australia-US Mutual Legal Assistance treaty. Under this agreement the Australian government will assist the US government with any enquiry and will provide data that would be legally obtained under US law.

Some US companies do a better job at communicating with customers about government requests for data. Google gets many requests and goes through a very rigorous legal process to ensure the law is met before handing over any data. It shows the number of requests and the results in Google’s Transparency Report.

How many Australian companies discuss requests for company data by the Australian (and by extension the US) government?

As cloud computing becomes the norm we are seeing lots of Australian government agencies and national businesses move to the cloud.

For example NSW Trade and Investment government agency has deployed Google Apps for its staff, Qantas has all of its data hosted by Oracle, and the Commonwealth Bank has deployed Salesforce.com, all of which are cloud programs hosted offshore.
You can rest assured that if Commonwealth Bank are providing services from the cloud they aren’t worried about the Patriot Act.

If you are still worried or unsure about the Patriot Act here are two ways to mitigate your exposure.

  • Don’t host your data with any American company. This maybe a little hard as most cloud products are American based, for example Office 365, Google Apps, Salesforce.com, Netsuite, etc.
  • Use products that encrypt your data in the cloud, for example Ciphercloud. It works by encrypting your data locally and only storing encrypted data in the cloud. It is available for Google Apps and Salesforce.com. If someone wanted to look at your data in the cloud they would need the encryption key or access to your Ciphercloud server stored in Australia.

The Patriot Act shouldn’t be a concern to law-abiding Australian businesses. The benefits of using cloud products far outweigh the remote concern of the US using the Patriot Act to gain access to your data.

Update: An earlier version of this article said that US government agencies needed a warrant to access US data under the Patriot Act. They don’t, however the hosting company has the opportunity to fight the request in court.

Image credit: OneUtah

 

Evernote Hacked: Lessons We can Learn

by

Evernote, a Web-based note-sharing service, forced its 50 million users to reset their passwords after hackers stole an unknown number of usernames, email addresses and encrypted passwords over the weekend.

High-profile attacks such as these always prompt a chorus of responses along the lines: “How can you trust the cloud? My information is much safer on my server or desktop.”

The answer for me is always the same. If you think your backup routines, security policies, security hardware and software, employee screening and controlled access to your computers are better than those of brand-name cloud software companies, then hang onto your data.

For the 95 percent of businesses that don’t fall in this category, your data is safer with companies such as Evernote and its business equivalents in the cloud. Why your systems are less secure than the cloud does a great job of explaining why this is the case.

Things to remember:

  • Any computer connected to the internet can be hacked.
  • Most businesses are essentially defenceless against targeted hacking and highly vulnerable to random hacking.
  • Most businesses would never know they had been hacked or whether sensitive information had been stolen.
  • Businesses that discover they have been hacked are under no obligation in Australia to tell their customers or partners even if customer information has been stolen.
  • The Evernote security team claim they caught the attack in its early stages and that no user information stored on Evernote was accessed, used or lost. All user passwords copied by the hackers were encrypted and unreadable.

 

Evernote took the opportunity to share tips for protecting your data in the cloud. I’ve added one more.

Tips for security in the cloud:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on ‘reset password’ requests in emails — instead go directly to the service
  • Don’t store your passwords in Evernote

If you’re wondering how to remember unique passwords for every online store, blog and sports site you visit – don’t. Use a password manager such as LastPass, 1Password or KeyPassX.

Image credit: Today’s iPhone

 

Safest Way to Access the Cloud? Use Your Phone

by

Security in the cloud is a hot topic and often a major hurdle for businesses looking at using the cloud for the first time. Understanding the actual versus perceived risk is crucial and many people instinctively choose the wrong option.

As an earlier post pointed out, although businesses like to see their servers humming away in their offices, it is more likely that your systems are less secure than the cloud.

But once your data is secure in the cloud it raises another question: what is the safest way to access it?

BoxFreeIT spoke to security expert Adam Pointon from Sentinel Data Security, about the historic vulnerability of desktop operating systems such as Microsoft Windows versus the new breed of operating systems for smartphones from Google and Apple.

The new mobile platforms have been built with security as a key first principle and as a result smartphones and tablets are much more resistant to viruses and hackers than desktops, whether PCs or Macs, Pointon says.

 

BoxFreeIT: What is the most secure way to access cloud software – a smartphone or a PC?

Adam Pointon: As a general rule, smartphones and tablets are safer than PCs. Mobile devices running iOS are still regarded as the most secure for several reasons; from the operating system itself, to Apple’s patch management and security methods, and the vetting processes for apps sold on the Apple App Store.

 

BoxFreeIT: Is it harder for viruses to attack your phone? Why?

Yes. Phones have the luxury of being built from the ground up with modern software techniques and are less flexible in what software it supports. This has brought the benefit of prior research into secure software development and has resulted in platforms that are less susceptible to viruses (often referred to as malware).

The heart of the system – the software kernel – has made use of more modern security features. And as it hasn’t needed to support older software and older hardware, it can be more forceful in controlling access to software applications and components.

 

BoxFreeIT: Can you get a virus by visiting a website with your smartphone?

Pointon: Yes you can, however the number of moving parts on the phone, also known as the attack surface, is far smaller, which naturally results in many fewer vulnerabilities.

Take Adobe Flash for example. For a few years it was in the top five programs that caused infections on the internet. Java and Adobe Acrobat and are the number-one and number-two attack paths for desktops at the moment, with Adobe slowly getting better.

None of those applications exist on smartphones mostly due to the fact phones don’t need them.

 

BoxFreeIT: Does a phone offer more protection against fake online banking websites?

Pointon: Sort of. In the case of online banking, banking application developers do not allow new billers to be set up on a smartphone because the phone also receives SMS codes or tokens required to set up a new biller.

That stops an attacker from adding a new biller and moving money on your phone. Still, an attacker who controls your phone can get your username/password, log into the normal banking web site, get the token sent to your phone, log into your phone and steal the token hopefully without you noticing, then transfer money.

However, it’s not as simple (and therefore lower likelihood) as stealing credit card details. And there are no public methods for hacking an iPhone remotely, and custom attacks cost hundreds of thousands of dollars. So they’re not used to drain bank accounts of small businesses.

 

BoxFreeIT: What about scammers running fake sites for Paypal and Amazon and so on?

Pointon: When it comes to scammers, fake emails and the like, the phones don’t really offer any further protection over a desktop.

In fact, all mobile phones, not just smartphones, have had problems with fake SMSes. These appear to come from legitimate phone numbers or just a word like “Commbank”. A spoofed SMS can be used to trick people into visiting web sites or replying to the text message which may go to a premium SMS phone number, costing the sender $5 per message, for example.
BoxFreeIT: Is it possible for a botnet to take over your phone? Why not?

Yes, it is possible, however bot-herders (as they are often called) see phones as little value. The main aim of a botnet is to have a distributed cluster of internet-feeds or computing power. In the case of a phone, it neither has a fast upload and download link nor has fast computing power, so there’s little value to a bot herder.

 

BoxFreeIT: What other types of wireless attacks are there?

Pointon: Phones also open other avenues of attack, mostly physical/presence attacks, such as against Bluetooth, or against near-field communications (or NFC, a wireless payment technology). Both have proven exploitable, however it’s a different threat because the economics are different.

An attacker can sit in any country around the world, and send millions of attacks out against PCs and get a 0.02 percent conversion rate which is still economically viable.

However, attacking Bluetooth or NFC by placing attacking devices at a busy area, such as an airport, is different.
BoxFreeIT: Should you run anti-virus software on your smartphone?

Pointon: No. Phones don’t need the current form of anti-virus technology because they have the luxury of a modern software platform and design. These limit access through controls and have new security features (such as hardening, kernel protection mechanisms and memory randomisation) and control of the hardware.

In the case of non-rooted or non-jailbroken devices, smartphone manufacturers provide a layer of control over the applications installed on their smartphones through their app stores. The stores provide a vetting process to weed out malicious apps, and smartphones won’t install random files that can be run by any user (such as virus.exe). Whilst not perfect, it does prevent users from running or installing random files found on the Internet.

Also the operating systems in smartphones are purpose-built and don’t need to bloat out to do crazy things no one really cares about, such as supporting embedded file-types and flash-movies/javascript within PDF documents, which unnecessarily increases the attack surface. This is just one example of a security problem around Microsoft Word and Adobe Acrobat on the desktop.

 

BoxFreeIT: Is it more secure to do your internet banking on a 3G network rather than public wifi?

Pointon: Yes, most definitely. Telco networks such as 3G or 4G can only be intercepted by those within the telco network.

Unauthorised attackers would need to overcome the telco’s security measures or otherwise find themselves in the path between the phone, the telco network and the internet-banking web site.

Image credit: Top10reviews.com

 

About D1

Digital First covers news and opinions on accounting technology and is read by tech-savvy accountants who understand the importance of technology in establishing competitive advantage.
>