A Tale as Old as Time: Cybercrime is the Nightmare that Keeps Repeating Itself

June 8, 2023

By Paul O’Dell, Principal, CPP Associates

I would speculate that anyone who has raised kids over the past 30 years has had to sit through that one favorite Disney movie dozens of times. For me, it was “Beauty and the Beast.” (I believe my count stands at 48.) My twins were mesmerized by it; we could recite every line of dialogue and sing every song (in my case, much to my kids’ embarrassment).

I heard the title song recently and I couldn’t help but apply some new meaning to the words. “A tale as old as time…Beauty and the Beast” seems like a fitting way to describe cloud computing. On one hand, cloud has become the biggest and most impactful megatrend I’ve seen in my 25 years of consulting in the IT space. The promise of just-in-time infrastructure and application resources, pay as you grow and go, and the ability to rapidly scale up and down, has been a dream come true for many a CFO and CIO.

Developers and app teams promised it would allow us to get to market three times faster. Business units loved it. Why wouldn’t you? It just makes sense.

With all the potential greatness that comes with the public cloud, it never ceases to amaze me that the same mistakes are repeated time and again. This latest article from The Register is a sobering reminder: “UK councils caught in Capita unsecured AWS bucket data leak.”

A Tale as Old as Time: Beauty and the BEAST. Only this time, it’s not a fairy tale, it’s a nightmare that keeps repeating itself.

This breach isn’t unique. In our experience, misconfigurations and oversights are so common that companies around the world are rife with similar risks of breach. The latest IBM Data Breach Report revealed that an alarming 83% of organizations experienced more than one data breach during 2022. That number is staggering.

In the rush to get to the cloud and all its promise, many organizations skipped basic technical, security, and fundamental IT practices. For example, not making corporate assets directly accessible from the public internet would be a good place to start. It seems like a very simple, basic concept.

There hasn’t been one company that I have spoken with that hasn’t had some measure of failure with this basic concept. I had a CIO tell me, “It’s password protected, so I’m okay.” He was referencing a mission-critical data store on the public internet.

I realize that promises were made to company boards, CEOs and CFOs about all the greatness of the cloud. Don’t get me wrong; it is truly great. That said, you don’t want to wake up one day and find yourself in the situation Capita is in. The rose petals are falling and it’s only a matter of time before they are all gone. (Sorry, I couldn’t resist that Beauty and the Beast reference again.)

When Will the Nightmare End?

I believe that at some point, after seeing enough of these incidents, the business and IT world will snap out of it. Those responsible for corporate governance will start asking harder questions about security and sweep away the clouds that blur financial realities, like ROI and TCO.

Realize that there is no substitute for governance, security, discipline, etc. But there are many ways to achieve your business and technology goals and get to the true definition of cloud computing. (See our Dec. 2022 blog article for the definition used by the National Institute of Standards and Technology, NIST.)

And remember: point and click only works forever in fairy tales.