
Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - When the Credential is the Perimeter

9/16/2016

 

 

In the Cloud, the Credential is Often the Perimeter



 

When you use cloud-hosted services, the credential is usually the perimeter. In this case, MFA is absolutely required, and you need to use a system that also alerts you to authentications, password changes, and any other changes to your account. Using a system with anything less is just unacceptable.

MP3 - When the Credential is the Perimeter

 
 

 

 

It is logical to be suspicious of cloud-hosted things

 

It is right to be suspicious of the cloud and not to trust it. It is wise to weigh the advantages of on-premise solutions against cloud solutions.

When you consider an on-premise solution, there are protection mechanisms in place that filter out authentication attempts that should not be allowed to happen. The logs associated with that authentication mechanism are then visible to the organization, including date/time, where the authentication was initiated from, which account was used, and other information including the associated IP addresses.

With a lot of cloud systems, you have no visibility into that log data and the first layer of defense is the credential. Frankly, that is too late.

 
 

Examples of systems that should be using MFA, but are not

Acronis Cloud has no multifactor authentication, and no logging of authentication events is exposed to the end user in the console.

Imagine you have a system where your credentials are used to control and ACCESS all the backups, and therefore the data, of many organizations. That seems like something that the bad guys would be very interested in. 74% of all breaches are due to credential theft. MFA is not an option in Acronis Cloud. Yet MFA must be ubiquitously used, especially in a scenario where the system being accessed is an administrative console with a lot of access to sensitive content. So the fact that Acronis Cloud is connected to the internet, allowing authentication attempts from anywhere with my credentials without MFA, is just totally unacceptable.

Also, as the end user of the system, I have no visibility into any logs or alerts that tell me when someone has logged on to Acronis Cloud with my credentials, and from what IP. Anyone who is using this system, in my opinion, does not understand the basic requirements for security that must be in place in order to mitigate even basic credential theft.

If we are talking about Acronis on-premise, I can put many layers of authentication in front of that access. I have FULL logging of who has authenticated and accessed, and when. I can also make it so that no one can even attempt to authenticate unless the traffic is coming from an approved set of IP addresses. The admin page of my company website uses not only MFA, but administrator IP whitelisting. In order to log in, the party must be initiating traffic from a set of approved IP addresses, must have the correct username and password, and must have a key that changes every 30 seconds. Further, I have a full log of exactly when, from where, and what account logged on, and what they accessed. This is literally the level of security that you have to go to if it is your desire to maintain the integrity of the system.

And if this level of security can be done for any website, Acronis can do it for their cloud platform.
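The layered check described above (approved source IP first, then username and password, then a key that changes every 30 seconds, with every attempt logged), written out as an added example; it is not the code behind the author's site. The names `ALLOWED_NETS`, `USERS` and `AUDIT_LOG`, the sample account and the address range are constructed, and the rotating key is assumed to be RFC 6238 TOTP.

```python
import base64, hashlib, hmac, ipaddress, struct, time

# Every value below is constructed for illustration.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # approved admin source range
SALT = b"constructed-salt"

def _pw_hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

USERS = {"admin": {"pw": _pw_hash("correct horse"),
                   "totp_key": base64.b32decode("JBSWY3DPEHPK3PXP")}}
AUDIT_LOG = []  # stands in for a log the account owner can actually read

def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code changes every `step` seconds."""
    mac = hmac.new(key, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def authenticate(user, password, code, src_ip, now=None):
    """Apply the three layers in order and log every attempt, pass or fail."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    result = "ok"
    # Layer 1: traffic from outside the approved ranges never reaches the credential check.
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_NETS):
        result = "source_ip_not_allowed"
    # Layer 2: username and password, compared in constant time.
    elif rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password)):
        result = "bad_credentials"
    # Layer 3: the 30-second code, accepting one step of clock drift either way.
    elif not any(hmac.compare_digest(totp(rec["totp_key"], now + d).encode(), code.encode())
                 for d in (-30, 0, 30)):
        result = "bad_totp"
    # When, from where, which account, and the outcome.
    AUDIT_LOG.append({"ts": int(now), "user": user, "src_ip": src_ip, "result": result})
    return result == "ok"
```

A stolen password alone fails at layer 1 or layer 3, and the attempt still lands in the log with its source address.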

As systems have gone to the cloud, they must not weaken security, but enhance it

All of the cloud systems that I use that have any consequence also use MFA. If you look at your Twitter account, you can see when and from what IP your account has been logged into. Your Google and Microsoft accounts let you know by alerts when a new device has authenticated. Your bank lets you know when you change information on your account such as a password or a new device has been used to access your account. You have immediate feedback and accessibility to that data. But with Acronis Cloud, you have none of that. Nor do you have the basic protections to prevent credential theft and misuse. Therefore, I cannot understand how anyone would use the system because by doing so they are exposing all of the data backed up by and stored in Acronis Cloud to theft. A hacker could easily create a new backup job that would back up the client’s data to a destination they control. And who would ever even know about it?

Other examples are SolarWinds N-Able, which is an RMM platform, and the Cirius email encryption system.

 

 

National Cyber (in)Security 2016

 

Excellent article by Gary Miliefsky

 

Systems that do offer multi-factor authentication

Amazon, LinkedIn, Twitter, Microsoft, Google, Office 365
