How Managed Services Threaten Enterprise Clouds
An attack on a managed service provider has made SEI Investments Company (Nasdaq: SEIC) a focal point of concern about loopholes in cloud security.
The Wall Street Journal (WSJ) broke the news this week that information about clients of SEI was exposed during a ransomware attack on a client portal and online dashboard service from M.J. Brunner (Brunner). When this service was attacked in early May, Brunner refused to pay the ransom and notified SEI. Apparently, SEI didn’t find any threat to its data at that point, but in July the unhappy perpetrators released the stolen information to the dark web.
SEI holds hundreds of billions of dollars in assets under management for a range of high-profile investment and pension funds. Brunner has its own reputation as a long-time developer of analytics and marketing automation solutions, often integrated with Salesforce and other cloud-based platforms. So it’s no surprise that the breach forced attention on how managed services can perforate security in hybrid clouds.
Third-Party Services Broaden Cloud Risk
Related Articles
Databricks' AI Ambitions Revive IPO Chatter
Databricks' large language model DBRX was recently released to general applause. Could it be another step toward IPO?
ROI Through Converged Cloud Networking and SecurityThis leadership briefs explores ways to reduce cloud costs with distributed Networking and network security convergence
AWS re:Invent Roundup: Cost Optimization, Vector Search, and MoreAWS re:Invent 2023 was big on AI, but here are some other announcements in hot cloud technology areas
The COVID-19 crisis and subsequent focus on work from home (WFH) has boosted enterprise adoption of cloud services. In part this means data centers are tapping into a range of third-party services for everything from remote desktops to software-defined wide-area networking (SD-WAN) to storage to, ironically, security-as-a-service. But overlapping services could expose data to fresh attack vectors. Indeed, some experts say security risks grow with the number of cloud services an enterprise uses in its hybrid environment.
Back in February, Udi Mokady, CEO of CyberArk (Nasdaq: CYBR), made this observation during the company’s quarterly earnings report: “IT environments are changing at an unprecedented rate driven by digital transformation and cloud migration strategies. These trends are expanding the attack surface, while at the same time there is a sprawl of privileged activity.” Hence, the upsurge in ransomware, he said.
Financial services companies seem particularly at risk. On July 10, the U.S. Securities and Exchange Commission posted an online risk alert stating that publicly registered financial services firms are increasingly reporting ransomware attacks. Additionally, the SEC cited not only direct attacks but “ransomware attacks impacting service providers to registrants.” [Emphasis added.]
How Managed Services Get Hacked
When attacking third-party cloud services, hackers deploy, among other things, openings in code, access vulnerabilities and misconfigurations, weak links in data movement and storage, and well-known open-source vulnerabilities.
For example, mobile banking provider Dave reported this week that personal customer data was breached when one of its managed service providers, Waydev, was hacked. Waydev is an online managed service that deploys analytics to gauge the performance of corporate software engineering teams that use Github, Gitlab, Azure DevOps, and Bitbucket. The breach, according to Dave, involved “user passwords that were stored in hashed form using bcrypt, an industry-recognized hashing algorithm.”
Solving Third-Party Risks to Hybrid Clouds
There's no single answer to the hybrid cloud risk issue. But cybersecurity vendors are clamoring to help, building security into edge devices, integrated network services, artificial intelligence (AI) software, and other solutions. Cloud suppliers and providers of SD-WAN are seeing a chance to combine their solutions with tighter security. And startups are emerging to address the problem from new angles.
The answer may not be merely technological: In each of the situations cited above, law enforcement experts, including the FBI, were called in to ascertain criminal activity and enforce liability. And increasingly, legislators are fighting against companies’ exposing data via third parties.
One of the first lawsuits emerging from the California Consumer Privacy Act, for instance, involved accusations that a breach exposed the data of consumers using a retail site based on Salesforce managed solutions.
It’s likely we’ll see many more examples of companies drawn into lawsuits via security threats to managed services. Whether that will actually help solve problems is debatable, since most companies that address the enterprise market for cloud services depend on a reputation for reliable security. Being blamed for a breach can be punishment enough.
Support unfettered independent technology analysis! Futuriom research and analysis is supported in part by Cloud Tracker Pro, our premium subscription product. See our detailed reports on important markets and trends, including Cloud Capex Trends, 5G Cloud Edge, SD-WAN, and more!
Related Articles
Threat Boom Boosts Cybersecurity Vendors
Earnings season reveals how some firms are keeping pace with digital transformation, while others lag
The Top 10 Cloud Tech Trends of 2021Futuriom takes a look back at the top trends in cloud technology for the year 2021 and peeks at what's ahead
Citrix Sold for $16.5 BillionCitrix will be taken private and combined with TIBCO by investment firms Vista Equity Partners and Evergreen Coast Capital Partners in a cash transaction worth $16.5 billion