Cyber security is a concern for all IT professionals, not just those working within that important discipline. Every true IT pro does their part to ensure their organization’s data is as secure as possible. How so?
As if that burden wasn’t enough, along came “the cloud”. Of course, the Cloud allows a business – or any other organization, for that matter – to collaborate in an even more convenient and rapid matter – from all over the world, instantaneously. This is inarguably a boon in these Pandemic times, but where does that leave the IT pros charged with protecting data within the cloud? And we’re not just talking about THE cloud, but potentially many clouds, including those of tech giants like Microsoft. And, as if it weren’t challenging enough, like snowflakes, no two clouds are alike. Enter the black hole.
All these concerns come to a head at times like these, when large Cloud databases have massive cybersecurity concerns. Currently, Reuters is reporting that researchers discovered a massive flaw in the primary Microsoft database within the Azure Cloud platform. These researchers are now urging all users, not just the 3,300 Microsoft notified earlier on, to change their digital access keys.
Working out of a Cloud security company known as Wiz, (which was, interestingly, founded by four veterans of Azure’s in-house security team), researchers discovered in late August 2021, they were easily able to gain access to primary digital keys for many Cosmos DB database system users. If Wiz had been malevolent hacker types, they would have been able to steal, change, or even delete millions of records. Ouch!
Microsoft, in a blogpost dated late August 2021, said their company “warned customers who had set up Cosmos access during the weeklong research period. Microsoft found no evidence any attackers had used the same flaw to actually get into customer data yet.” According to Microsoft, “our investigation shows no unauthorized access other than the [Wiz] researcher activity. Notifications have been sent to all customers who could have potentially been affected due to this [Wiz] researcher activity.” Microsoft went on, ostensibly to dig itself out of the hole it had already dug itself into: “though no customer data was accessed, we recommend you regenerate your primary read-write keys.” Huh?
This Microsoft Cloud cybersecurity failure was such a potential disaster, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency was forced to get involved. The agency affirmed Microsoft’s warning and strongly encouraged Azure Cosmos DB customers to roll and regenerate their certificate keys. Wiz Chief Technology Officer Ami Luttwak chimed in: “In my estimation, it’s really hard for [Microsoft & CISA], if not impossible, to completely rule out someone actually used this [hacking technique/security flaw] before.”
Indeed, Microsoft was unable to even give a direct answer to the question of whether the company “had comprehensive logs for the two years when the Jupyter Notebook feature was misconfigured or had used another way to rule out access abuse.” According to Microsoft spokesman, Ross Richendorfer, “[Microsoft has] expanded our search beyond the [Wiz]’s activities to look for all possible activity for current and similar events in the past.” While Wiz worked closely with Microsoft on this vital & bleeding-edge research, they were careful with their words not to say how either company could be sure earlier customers had been safe. As one of the Wiz’s lead researchers, Sagi Tzadik, said: “it’s terrifying. I really hope no one besides us found this bug.”
With a tip of the hat to Joni Mitchell, let’s take a quick look at clouds from both sides now. As scary as the above account may be, I personally find the other side of the cloud story much scarier. Consider this. If Microsoft, with their in-depth knowledge and vast resources, cannot keep the cyber bandits at bay 100% of the time, what chance do mere mortal organizations have of doing so? I would suggest slim to none.
Keeping it real, everyone is a Microsoft hater at some point in their user experience. Certainly I have been. Yet, they remain one of the few firms on the planet I would trust with my company’s and clients’ data. So, when Bandit Beaters comes calling with Release 1.0 of their impenetrable cloud solution, think about IT long and hard lest you find yourself looking at clouds from the dark side.
