Most Businesses Haven't Inspected Cloud Services For Malware (betanews.com)
Ian Barker, reporting for BetaNews: Echoing the findings we reported earlier that companies leave cloud protection to third parties, a new study from cloud security company Netskope reveals most companies don't scan their cloud services for malware either. The study, conducted with the Ponemon Institute, shows 48 percent of companies surveyed don't inspect the cloud for malware and 12 percent are unsure if they do or not. Of those that do inspect, 57 percent of respondents say they found malware. It also shows that while 49 percent of business applications are now stored in the cloud, fewer than half of them (45 percent) are known, officially sanctioned or approved by IT.
How? (Score:2, Insightful)
Exactly how does one scan for malware on the cloud?
Do they mean scanning files once downloaded on your computer?
Scanning local app installers required to use the cloud app?
Because short of that, there is no way to scan a cloud application. Sure, your AV can scan URLs and content downloaded on your machine via web browser, but if you access services via an app on a locked-down mobile device, how do you scan that?
Scanning packets sent by cloud provider? How do you accomplish that if it's all encrypted?
Re: (Score:3, Interesting)
Best not to ask these kinds of questions. In God and Cloud we trust.
Cloud is a cute word for "outsourcing your shit to someone else's data center" (disaster recovery an optional add on, which no one buys)
This is how we get there... CIO read something in a magazine while sitting on a Delta Airlines flight in first class, and said: Dude... we gotta have this cloud shit. Look at the size of this fucking Amazon AWS advertisement. It's a whole page. IN COLOR. That's probably pretty expensive. These guys clearl
Re: (Score:3)
Re: (Score:2)
I am assuming this is stuff like OneDrive/SharePoint/Google Drive/Dropbox etc. where files are sync'd from user computers to the cloud.
It would make sense that malware would live in the cloud since it is user computers that are interfacing with it.
That doesn't necessarily mean that the malware is automatically going to infect anyone else inside the organization or out.
Re: (Score:2)
Another thought is email cloud services will be rife with malware because that is the standard deployment vector these days.
TFA is pretty much FUD...
Re: (Score:2)
For home use, something like Viivo, Tresorit, or Boxcryptor comes to mind for client-side encryption. A party with access to the cloud files can delete or corrupt stuff, but can't turn a saved off download into something malicious.
Amazon actually has an API for all that, and secur (Score:2)
> How do you protect yourself? Again, no one solution.
Actually Amazon's APIs can be used to watch for the kinds of things you listed, and security providers such as Alert Logic have security suites built around those APIs.
Cloud apps and servers Alert Logic specializes in (Score:2)
For pure consumer-like cloud *storage* à la Dropbox, scanning on upload and download is probably fine. You *could* map it as a drive and scan it.
In the enterprise, I think more of cloud-hosted applications and cloud servers, not files. One company that specializes in security for cloud is Alert Logic. When you get cloud services from Amazon, there is a checkbox to add Alert Logic security services (and they have other services not directly through Amazon).
Re: (Score:1)
News flash: they don't care. (Score:5, Insightful)
So I was, like, "Are you nervous about hackers and stuff because it is hosted God knows where by God knows whom?"
And the guy's reply was: "Nope. I have this here certificate."
I was like: "But that certificate will not protect you from hackers!"
He replied: "It would".
Me: "What?! Are you nuts?!"
He looks at me as if I'm a kind of an idiot and patiently explains that he does not care if users' data will get stolen or not. If something bad happens - his ass is protected by this here certificate. I.e. he did his due diligence and whatever happened is not his fault.
Me: "..."
Re: (Score:1)
One would be surprised. The defense with the cert is that the company took all reasonable precautions, but got hacked anyway, which I have personally seen win lawsuits.
Re: (Score:2)
Yes, because many businesses today do not care about doing what is right. They only care about minimizing costs and their exposure to risk ... risk only matters if it incurs costs.
Re: (Score:3)
Yep, "security has no ROI" is a catch phrase I've heard many times. It won't change anytime soon in this climate.
This surprises me not at all (Score:4, Informative)
Re:This surprises me not at all (Score:4, Informative)
Re: (Score:2)
In a lot of compliance regs, servers, even Linux machines, have to have some sort of AV on them. I've had to install McAfee on Solaris LDOMs and AIX LPARs just to be able to tick off checkboxes before, even though in real life, it is difficult for a POWER8 machine to get nailed by a Windows executable.