Evernote Breach: What It Means To Enterprise IT - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Software as a Service
08:56 AM
Connect Directly

Evernote Breach: What It Means To Enterprise IT

Cloud naysayers will insist that this incident shows why we should never use the cloud. Give me a break.

By now, you have heard about the latest in SaaS security woes: Evernote. As a user of the service, I was notified of the breach on Saturday. Evernote's systems were compromised to the extent that individuals were able to access user information, which included encrypted passwords. Unlike the LinkedIn breach, where the passwords were encrypted, but not "salted" (which provides protection against brute force dictionary attacks,) Evernote's passwords were both encrypted and salted. Evernote, correctly in my view, decided to implement a system-wide password reset, even though there was no evidence of a breach of customer content or credit card information. But this episode does have me thinking about a couple of things.

The Future Of Passwords: One reason why Evernote likely called for a system-wide password reset is it's unknown whether brute force attacks would have yielded passwords to the attackers. Question is, would a system wide reset have even been necessary if two-factor authentication was in use? "Oh, it's too hard." "Too expensive." Not really. As usual, the gaming world leads technology. Blizzard Entertainment's Battle.Net gaming service offers a $6.50 hardware authentication token, and if that presents too much of a challenge to people using the service, Blizzard also offers a mobile phone two-factor authenticator.

There are bright spots in the enterprise when it comes to two-factor authentication, notably in highly regulated industries. However, while most enterprises finally have complexity requirements when it comes to passwords, far too few enterprises support two-factor authentication on all of their remotely-accessible apps.

Attack Surface: The cloud naysayers are always saying that cloud is less secure. That's not quite true -- as I've pointed out before, many cloud provider data centers have a cleaner audit than many mid-sized enterprises. And, these providers have crackerjack security teams at their beck and call due to their scale. But, the bigger you are, the more of an attack surface you present to attackers. So, to that extent, I think that cloud providers have their work cut out for them.

One possible value add that SaaS providers could offer: Instead of forcing a password reset, offer what Blizzard Entertainment does. But that doesn't reduce the massive attack surface. If you're a huge investment bank, you've got a similar attack surface, but the question for smaller enterprises is, is it really true that your attack surface is smaller? Kind of, but not really. If you're using widely used software such as Microsoft Exchange, you have a smaller IP address attack surface, but your software is an enormous target.

Also, with rogue security researchers selling the latest zero day exploits instead of reporting them for fixes, I still don't think that internal is "more" secure than cloud. It's just a question of what type of attack surface, not a "smaller" attack surface.

Use Case: Cloud naysayers will be out in force this week, declaring that this incident shows why we should NEVER use the cloud. Give me a break. When I was in the security business, I saw vulnerabilities in the banking industry that would curl your toes. We all know that internal IT isn't quite as super duper secure as it could be, due to resource limitations and high work load.

As I and others have said before, you need to reframe your "secure/not secure" argument into a "risk management" argument. How risky is something vs. how much in the way of resources do you want to spend on it?

Global CIO

Global CIOs: A Site Just For You

Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

There is no "100% secure," so the question is, are the benefits of using something worth it, given the risks? For my news clipping file that I keep in Evernote, the answer is a big fat yes. I've not considered using it for another use case, but I wouldn't rule it out, and as Evernote (and other cloud services) provide improved security, I absolutely would consider it.

I would be shocked if commercial providers do not follow Blizzard's lead. We all have big, fat attack surfaces, and protecting these with passwords, no matter how complex, is probably a bad idea in the long run, whether you're an enterprise or cloud provider. But to simply chortle and claim that cloud services are simply untenable is to misunderstand the nuances of security at cloud service providers and inside enterprises.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/4/2013 | 7:29:31 PM
re: Evernote Breach: What It Means To Enterprise IT
What are the potential downsides of Blizzard's mobile phone two-factor authenticator approach with the Evernote user crowd?

Laurianne McLaughlin
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll