By Byron V. Acohido
Cyber attack scenarios have become fairly common. It doesn’t take too much imagination to conjure plausible assumptions and project Armageddon-scale damages attributable to crippling cyber attacks.
One prime example is the Cybersecurity Ventures’ 2017 cybercrime report which suggests damage caused by cyber criminals is climbing towards a whopping $6 trillion in annual global encomic damage by 2021.
Related article: Why Amazon, Microsoft, Google need to lock down cloud services
By comparison, the more narrowly defined estimates put out last week by insurance underwriting giant Lloyd’s of London and risk modeling consultancy Air Worldwide are on the conservative side. The two put out a new report, Cloud Down – The impacts on the US economy, which analyzes the financial impact of the failure of a leading cloud provider in the US.
One can actually visualize how the level of damage projected by the Lloyd’s/Air Worldwide report could play out – and how it could actually happen in the very near term. The study concludes that any failure of a top cloud services provider that extends for at least three days would cost the U.S. economy $15 billion.
Small- and mid-sized businesses that have come to rely so heavily on cloud services would be hit more heavily than Fortune 1000 companies; SMBs would sustain some two-thirds of the economic losses, the report says.
Rattling the economy
I can easily wrap my mind around how a three-day outage of Amazon Web Services, Microsoft Azure or Google Cloud could rattle the U.S. economy at that scale. These projections are sobering because they are based on tangible historical data.
Goddijn
“If anyone is in a solid position to estimate these losses it’s AIR Worldwide and Lloyds,” observes Inga Goddijn, executive vice president at Risk Based Security Inc., a Richmond, Virginia-based supplier of risk management services.
Goddjin points out that Lloyd’s has been responding to business interruption claims, related to all manner of physical events, for decades. That puts the Lloyd’s in possession of actual downtime cost that is typically kept confidential.
“Lloyds is uniquely situated to understand business interruption losses,” she says. “So they are able to use this knowledge and experience to help estimate costs from cyber outages and downtime.”
Combining this data with AIR Worldwide’s modeling expertise makes for a “powerful combination that should be taken seriously.” Goddjin says. “AIR Worldwide’s cyber modeling capabilities adds an additional layer of confidence into the projections as they have been modeling losses including damages from cyber events for many years.”
A malicious strike
A 72-hour outage at one of the top-tier cloud services providers would cause material damage. The U.S. manufacturing sector would sustain an $8.6 billion hit; the wholesale and retail sectors $3.6 billion; financial services and insurance institutions $447 million; and the transportation and warehousing sectors $439 million.
Maynard
“Clouds can fail or be brought down in many ways — ranging from malicious attacks by terrorists to lighting strikes, flooding or simply a mundane error by an employee. Whatever the cause,” Trevor Maynard, Lloyd’s head of innovation, told Zdnet reporter Steve Ranger. “It is important for businesses to quantify the risks they are exposed to as failure to do so will not only lead to financial losses but also potentially loss of customers and reputation.”
The report is based on the top 15 cloud providers in the US, which account for 70 percent of the market. Though the specific providers aren’t named, the Big Three are obvious: Amazon Web Services, Microsoft Azure, and Google Cloud.
Potential causes range from a well-placed lightning strike to elite hackers executing zero-day. In broad strokes, the most likely causes of an extended cloud outage include malicious cyber-attacks, errors by internal workers, as well as hardware and software failures.
Prime targets
So now businesses turning to cloud services much account for this emergent risk. We’ve arrived at this point as a natural consequence to public cloud services going mainstream. Cloud services have been a boon to businesses, especially SMBs, by allowing companies to ramp up quickly and efficiently, and saving them the expense of building and maintaining large data centers.
But in this rapid ramp up, not enough attention has been paid to fully addressing the attendant risks and fresh forms of liability. It turns out the ensuring the security of cloud services is vastly more complex and cumbersome than anyone ever anticipated. This creates fresh attack vectors for clever and motivated cyber criminals to exploit. And the popularity of AWS, Azure and Google Cloud has made them prime targets.
“Major infrastructure service providers like Amazon Web Services and Microsoft Azure are now also critical points for systemic failure,” Goddjin says. “Any data breach or significant downtime can have a cascading effect impacting thousands of businesses, with a great potential for economic impacts.”
Big takeaways
So what’s the big take away for SMBs? This is from Goddhin: “Do your homework and be prepared. As the saying goes, the cloud is just another word for someone else’s computer. If you’re entrusting critical business operations and sensitive data to these companies, it’s important to include security in the evaluation process and fully understand what sort of recourse is available should the service fail.”
And what about large enterprises? Goddjin again: “Pretty much the same as for SMB, times ten. Companies with deeper pockets can and should investigate third and fourth party vendors to the extent it’s possible to do so. Meaning, it is also very important to know who your vendor’s are relying on to deliver their complete services to your organization. If nine out of ten of your vendors are relying on AWS, then AWS availability becomes just as critical to smooth operations as the vendor themselves.”
A global supply chain that is steadily increasing its reliance on cloud services is, at once, highly complex and continually morphing. Brian Contos, Chief Information Security Officer at Verodin, a supplier of security instrumentation systems, observes that cloud computing weaves together four fundamental layers around which data flows: the Internet cloud, web browsers, business applications and data bases.
“Most security issues happen because we are not continuously validating that these layers — and the security around them — are working as they should,” asserts Contos.
Contos
Observes Contos: “Cloud security isn’t like security in your local datacenter. As such, we’re usually getting the easy stuff wrong. What’s more frightening is that we generally don’t know we’re getting it wrong because there is a lack of validation and measurement. Simple misconfigurations have been responsible for a great many of the breaches that we see related to the cloud.”
Contos offers this check list of oversights that persist in cloud-reliant networks:
•Failure to validate that cloud traffic follows the expected path
•Failure to enforce security policies
•Failure to perform regular cloud performance assessments
“Misconfigurations can accidently expose data directly to the public. This includes things like S3 buckets and Azure Storage,” Contos says. “When we bring new data sources only the data can be accidently exposed directly to the public.”
Contos advises Verodin’s customers that the key to robust cloud security lies in “continuously validating that changes in any of the cloud network layers, and/or any security controls, don’t have an unforeseen, negative impact on security.”
Clearly company decision makers, including board members, need to have at least a working understanding of these new exposures – and do the due diligence necessary to mitigate them. Navigating the clear and present risks of cloud computing has become a fiduciary responsibility.
