Aardvark DailyNew Zealand's longest-running online daily news and commentary publication, now in its 25th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy.
Content copyright © 1995 - 2019 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk
Please visit the sponsor!
Into every life a little rain must fall.
Well that's the age-old saying which could apply to a group of universities in the UK and Canada, after the provider of their cloud-based services was hacked and subjected to a ransomware attack earlier this year.
Cloud-based computing is an attractive option for many organisations both large and small. It effectively outsources much of the burdensome need to produce backups, maintain security measures and mitigate hardware failures.
If you lack the skills, resources or finances to provide such basic services in-house, cloud-based solutions can seem very, very attractive and, if the brochures are to be believed, are a cheap way to gain "peace of mind".
But should you believe the brochures?
Well I suspect that the long list of organisations affected by an attack on the Blackbaud cloud-services provider are no longer sure of that.
According to this BBC report a significant amount of data was downloaded from the cloud service and then ransomware was installed so as to make the original files unavailable to the legitimate users.
Perhaps just as worrying as the hack and attack itself is the fact that the whole fiasco has been essentially covered-up until now, even though it happened back in May.
Blackbaud is not only being criticised for the cover-up but also for paying the ransom demanded by the hackers.
One thing's for sure... I'd be very wary of any cloud-based service provider that actually had to pay a ransom in this situation. Where were their backups?
I guess it's easy for companies to make all sorts of wonderful claims in respect to the services they delivering, confident in the knowledge that customers will have no real way of knowing how many of those claims are legitimate and how many are just fiction.
Now that the provision of these services has become such a huge growth-area within the IT industry, it must be very tempting for new or smaller players to over-sell their offering in an attempt to gain a toe-hold. If nothing goes wrong, nobody will ever know -- but if the shirt hits the flange... well perhaps this is a fantastic example of how quickly things can fall apart.
I suspect that most people simply have blind faith in the big players such as Amazon et al but there will always be some (who should know better) that opt to save a dollar or two here and there. Or perhaps it's simply that there are no other options. In the education sector there are almost certainly going to be some vertical markets which give the user no option but to use the supplier's cloud service and simply trust that they have their security and backups operating to the required standard.
The real problem is that hacking cloud-based providers offers the promise of very rich pickings for those who succeed. Instead of just being able to extort money from a single company they are effectively leveraging their efforts to every company that uses that service. The return on effort invested could be orders of magnitude higher for the snotty hackers that succeed.
Many countries are now criminalising the payment of ransomware demands. The obvious intention here is to make such attacks unprofitable for those who conduct them.
Whilst this sounds like a reasonable way to try and reduce the problem, it ignores the fact that most ransomware code also copies the data to the attacker's own servers so that it can be sold on the dark web. Even if these villains don't get paid for their ransom demands, they can still earn a healthy crust by selling the data to others who will use it to commit fraud or ID theft.
Am I the only one who looks back at "the good old days" when the biggest heists were bank robberies? At least back then the amount the bad guys could get away with was limited by their ability to carry bags of notes and coins. These days, thanks to fibre-based Net connections, there seems to be no limit to what they can steal.
Has the Blackbaud attack shaken your faith in cloud-based services?
Please visit the sponsor!
Have your say in the Aardvark Forums.