How Managed Services Threaten Enterprise Clouds

Cybersecurity

By: Mary Jander

An attack on a managed service provider has made SEI Investments Company (Nasdaq: SEIC) a focal point of concern about loopholes in cloud security.

The Wall Street Journal (WSJ) broke the news this week that information about clients of SEI was exposed during a ransomware attack on a client portal and online dashboard service from M.J. Brunner (Brunner). When this service was attacked in early May, Brunner refused to pay the ransom and notified SEI. Apparently, SEI didn’t find any threat to its data at that point, but in July the unhappy perpetrators released the stolen information to the dark web.

SEI holds hundreds of billions of dollars in assets under management for a range of high-profile investment and pension funds. Brunner has its own reputation as a long-time developer of analytics and marketing automation solutions, often integrated with Salesforce and other cloud-based platforms. So it’s no surprise that the breach forced attention on how managed services can perforate security in hybrid clouds.

Third-Party Services Broaden Cloud Risk

2020 futuriom primo pro 300x600

The COVID-19 crisis and subsequent focus on work from home (WFH) has boosted enterprise adoption of cloud services. In part this means data centers are tapping into a range of third-party services for everything from remote desktops to software-defined wide-area networking (SD-WAN) to storage to, ironically, security-as-a-service. But overlapping services could expose data to fresh attack vectors. Indeed, some experts say security risks grow with the number of cloud services an enterprise uses in its hybrid environment.

Back in February, Udi Mokady, CEO of CyberArk (Nasdaq: CYBR), made this observation during the company’s quarterly earnings report: “IT environments are changing at an unprecedented rate driven by digital transformation and cloud migration strategies. These trends are expanding the attack surface, while at the same time there is a sprawl of privileged activity.” Hence, the upsurge in ransomware, he said.

Financial services companies seem particularly at risk. On July 10, the U.S. Securities and Exchange Commission posted an online risk alert stating that publicly registered financial services firms are increasingly reporting ransomware attacks. Additionally, the SEC cited not only direct attacks but “ransomware attacks impacting service providers to registrants.” [Emphasis added.]

How Managed Services Get Hacked

When attacking third-party cloud services, hackers deploy, among other things, openings in code, access vulnerabilities and misconfigurations, weak links in data movement and storage, and well-known open-source vulnerabilities.

For example, mobile banking provider Dave reported this week that personal customer data was breached when one of its managed service providers, Waydev, was hacked. Waydev is an online managed service that deploys analytics to gauge the performance of corporate software engineering teams that use Github, Gitlab, Azure DevOps, and Bitbucket. The breach, according to Dave, involved “user passwords that were stored in hashed form using bcrypt, an industry-recognized hashing algorithm.”

Solving Third-Party Risks to Hybrid Clouds

There's no single answer to the hybrid cloud risk issue. But cybersecurity vendors are clamoring to help, building security into edge devices, integrated network services, artificial intelligence (AI) software, and other solutions. Cloud suppliers and providers of SD-WAN are seeing a chance to combine their solutions with tighter security. And startups are emerging to address the problem from new angles.

The answer may not be merely technological: In each of the situations cited above, law enforcement experts, including the FBI, were called in to ascertain criminal activity and enforce liability. And increasingly, legislators are fighting against companies’ exposing data via third parties.

One of the first lawsuits emerging from the California Consumer Privacy Act, for instance, involved accusations that a breach exposed the data of consumers using a retail site based on Salesforce managed solutions.

It’s likely we’ll see many more examples of companies drawn into lawsuits via security threats to managed services. Whether that will actually help solve problems is debatable, since most companies that address the enterprise market for cloud services depend on a reputation for reliable security. Being blamed for a breach can be punishment enough.

Support unfettered independent technology analysis! Futuriom research and analysis is supported in part by Primo Pro, our premium subscription product. See our detailed reports on important markets and trends, including Cloud Capex Trends, 5G Cloud Edge, SD-WAN, and more!