According to Google Apps director of security Eran Feigenbaum, the location of a data centre doesn’t have any impact on cyber security for users of the cloud. The statement came during a keynote at InfoSec 2015.
Feigenbaum argued that it’s a common misconception in Europe that local data centres offer better security. In fact, he says it’s a dangerous assumption to make, because data location doesn’t improve security; if anything, it does the reverse.
“Adversaries do not abide national borders. I've never seen a hacker say: 'Oh, it's in London. I don't want it. I'm going to hack Belgium',” he said.
While he acknowledged that users have to be careful because legislation differs between countries, such as Swiss banking law that means data can’t leave the country, he pointed out that just because data is in a specific country doesn’t mean it’s inherently safer. He noted that Google has data centres everywhere and that they all get audited and follow the same practices.
If there’s a point to take from that, it’s that you should never assume your data is safer in one location over another. You need to apply the same levels of caution to every single data centre, no matter which territory it’s located in.
Feigenbaum explained that the largest security problems for cloud users are actually poor authentication and a lack of preparation for a cyber-attack. The majority of online services just rely on a username and password to authenticate the user, which he argues is a poor method.
Eighty percent of the cloud account breaches in 2014 were because a user’s password was compromised. Despite many people being aware of the importance of a strong password, the percentage of people using the same one across multiple accounts is alarming. In that situation, if someone gets the password for one of your accounts, they can get in everywhere else too.
“The problem is all these services don't have great security and a consequence is if [the victim's] Netflix account gets hacked it's a big deal. We need to make it easier to do the right thing and alert people when they don't. The goal is making passwords even more invisible to users,” he said.
There is also a growing number of cyber-attacks, which Feigenbaum argues means that businesses should all be operating under the assumption that their security will be breached. Enterprises need to run security drills where they act as if they’ve been hacked, to put strain on their systems and test their disaster recovery. It’s not a case of if, it’s a case of when, and businesses need to be prepared for the inevitable.
Practicing a drill will let you know what people you need involved – engineers, lawyers, PR – and what steps you need to take before contacting a customer. He says this is something all businesses should do on a yearly basis.
When asked whether privacy concerns around GCHQ are a problem for businesses, following the Edward Snowden leaks, Feigenbaum dodged the question slightly, but acknowledged that businesses need to put security practices in place to stop eavesdroppers while allowing states to have legal processes to request the data if needed.
Hackers Don't Care About Data Centre Location