Heartbleed: Fresh Evidence for the Cloud Debate

Kevin Whalen, CPA, CGMA, MST, MSRED

Editor’s Note: To assist our clients in understanding the issues surrounding cloud computing, we are posting a series of short write-ups about the subject. The following is the third post in this series and it deals with current events relevant to the topic. See the first and second posts in this series to benefit from the full discussion.

Wake-Up Call

Those people who thought cloud-based technology could provide an easy answer for all their computing needs received a wake-up call with the recent announcement of the Heartbleed security breach. Heartbleed (formally known as CVE-2014-0160) is the name given to a security bug that affected some 17% of Internet servers that had previously been certified as secure. This latest event reinforces a major point we have been making in this series of blog posts: While cloud computing offers many advantages, it still has serious potential problems in the area of data security.

In our second blog post on this subject, we asked: If cloud computing is so great, why is there still so much debate about it? This rhetorical question was answered by Heartbleed with resounding clarity just weeks later. Obviously, the issue of security for data stored in the cloud has not yet been totally resolved. The Heartbleed bug is just the latest reminder of this fact.

Widespread Impact

If you did not appreciate this situation before, the following excerpt from Wikipedia may be illuminating:

“… around half a million … of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug ‘catastrophic’. Forbes cybersecurity columnist Joseph Steinberg wrote, ‘Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.’” (http://en.wikipedia.org/wiki/Heartbleed)

Perhaps the most disturbing aspect of the Heartbleed bug is that even computer security experts were surprised by the severity and widespread impact of the potential breach. This admission should drive home the reality that server security has not yet progressed to such a degree that concerned users can be assured their data is completely safe.

To be fair, this issue was not confined solely to the Internet or cloud computing. In fact, anyone with a server using the OpenSSL library was at risk. That group would include most data centers as well as any office server that used Linux/OpenSSL. Nonetheless, people expect cloud companies to be the experts in this area and to not have these issues.

Balance Needed

Despite such risks, however, there are still distinct advantages that argue for the adoption or continued use of cloud computing. Our company believes in these benefits and the next version of our family office software will be totally compatible with cloud computing. However, we will not release a cloud version until we are confident we have adequately addressed the security issues. The data of our clients is too important for us to do anything else.