Suddenly, everyone is an expert on enterprise security, and the cloud is claimed to be a silver bullet for security. It’s not that simple.

I’ve stopped covering breaches. First, because clouds are nowhere to be found among them. (The focus of this blog is advice to enterprises that are moving, or have moved, to cloud computing.) Second, because it just seems like piling on a company that’s already in distress. However, breaches are on the minds of enterprises on the move, due to the latest breach at Equifax.

What we know now about Equifax is that Equifax was aware of the breach well before it announced that hackers had gained access. Hackers made off with Social Security numbers, birth dates, and addresses of 143 million people. That’s enough to steal your identity. A few Equifax people resigned, but that does not fix anything.

Like the other major breaches that have occurred in the last few years, a tool betrayed Equifax: an unpatched vulnerability in Apache Struts, used to support an online dispute portal, provided the hackers with access to the website and attached data.

So, could this happen in the cloud? That’s not likely, considering that the cloud providers are more proactive with patches and fixes than the typical in-house IT department, especially when it comes to security exposures. However, despite what you may hear from some cloud vendors and consultants or the press, being in the cloud does not make you immune from breaches. For example, cloud users themselves could make key mistakes in a single-tenant environment (hosting, for example), so applications running in the public cloud are not completely immune from breaches. The cloud is safer than on-premises deployments, but you’d be foolish to think it’s completely safe; complacency leads to exactly the kind of mistake that gets you in trouble.
There’s a lot of commentary out there from people—vendors, consultants, and the press—who don’t know what actually happened at Equifax or don’t really know much about enterprise security, yet claim they would have done better. Don’t listen to such people. Focus instead on what’s known, and what lessons you can learn from the mistakes of others—without the moralizing. Someday, this could be you who neglected a patch or made a mistake that got exploited—whether on-premises or in the cloud.