An Interview about Cloud Security with Chris Meacham
The increasing number of cyberattacks on US businesses and organizations prompts many to ask, “What is the cloud?” And a second question closely follows: “Is the cloud safe?”
Recently, many of our clients have been asking the same questions about the cloud. So as the Director of Content Marketing, I interviewed Chris Meacham, CEO of Now IT Works, who has over 20 years of experience helping clients to manage and secure their information.
By the way, we used Sound Cloud to edit this interview. Let us know in the comments if you enjoyed the sound bites.
This interview has been edited for clarity and length.
Jenny: So, Chris, let’s begin with a really elementary question. Maybe it’s too simple, but here it is: “What is the cloud?”
Chris: No, it’s a great question because I’ve had people ask me that. The “cloud” can mean many different things, and there’s more than one cloud.
Sometimes, I’ve asked people, “What cloud are you in?” And they get this funny look, “There’s more than one cloud?”
So, if we break this down a bit, “the cloud” is a marketing term. Period. “The cloud” is you the consumer or business owner paying money to somebody so that you can host your data on their physical equipment.
The “cloud” is just a nice term to use when talking about data that exists somewhere on the Internet. Well, where does it physically exist? Another great question.
We use a company called US Signal. They have data centers in Detroit, Grand Rapids, Los Angeles, and Florida. Most of the data that we use on a daily basis exists in Grand Rapids or Detroit—one of those two.
Chris: So, when someone asks, “Where’s your cloud?” I answer, “My cloud is in Detroit.” It’s in a building somewhere. I just know that I can access it 100% of the time.
Let’s consider some examples.
What about Egnyte [a data and file management system]? Egnyte has two data centers, which are located in California and North Carolina.
Where does the Microsoft cloud live? In Virginia and in every time zone.
Amazon is the same as Microsoft.
So, the cloud is a physical entity somewhere on Planet Earth—where a giant computer filled with stuff and blinking lights accepts your data.
And it’s always there because there’s so much redundancy built into it, right? Like a server that has four power supplies. So, if one dies, the server keeps running on three and sends an email alert over to the IT department, telling them, “Go grab the power supply off the shelf and then go to Rack 35, Server 4. Take out the one with the red light and replace it with this one.”
And then the log clears; there’s four power supplies. And there’s redundant memory and redundant everything. So, systems can continue to keep on chugging along.
Jenny: Do you think that there’s anything that could ever take that system down? I mean, you’re telling me that the cloud is still in a physical place, it’s still a physical entity. I guess the building could blow up, right?
Chris: Yeah, I mean, you know, if you drop a bomb on it, it’s definitely going to go down. And that’s why we have a couple of our clients set up with a disaster recovery site.
For instance, we have a client in Glastonbury, CT, who runs eight or nine servers out of their office. They have physical hardware. So, we have a solution in place that backs up all of their data in real time and puts it onto a server at US Signal in Detroit.
Once a year, we reach out to our client and say, “We’re about to do a DR [disaster recovery] test. Then I call US Signal and tell them it’s time to do a test. We then turn on all those servers that have been backed up to the Detroit data center to make sure that they all work.
So, when the real disaster happens and the client calls me and says, “Hey, every telephone pole within 10 miles is on the ground. We don’t have power and we don’t have any Internet connections.” We can then call US Signal, and they can spin up their data center. And we can take some actions for our client within a couple of hours and they’re up and running—just as they once were, just as they always are in Glastonbury, except their local server is unavailable.
Another of our clients uses US Signal full-time. Their servers are running out of the Detroit data center, and they have a disaster recovery site in Grand Rapids. So, every minute of every day, the data in Detroit is being replicated in real time, fast, to the Grand Rapids data center.
So, if the building blew up, we’d go to Grand Rapids and spin it up.
Jenny: With all the cyberattacks increasing in frequency and sophistication, what else, if anything, makes the cloud vulnerable? After all, most of our data is now stored there. Should this be a concern?
Chris: Let me begin with a story. Toward the beginning of this year, Amazon Web Services (AWS) had this issue. A client who got hacked was running their business in the AWS environment [See https://bit.ly/3gXQoEs].
AWS investigated and determined that the hacking incident was not AWS’s fault. The AWS platform was secure. The hack occurred because the client had not configured the system to be as secure as it could have been. The fault lay purely with the client.
Think of it this way. Amazon says to the client (in their documentation), “Look at this security control panel. There are 1,010 individual options that you need to configure. If you configure 1,000 of them, but don’t check the other 10, you didn’t configure the system optimally. You are at fault for the lack of security.”
So, what was the question?
Jenny: Where is the cloud most vulnerable to cyberattack?
Chris: I would say that the cloud becomes most vulnerable in two ways.
One, an IT security team failed to configure the system correctly.
And two, users continue to use dumb passwords.
For both reasons, I still blame IT professionals because we know that people use dumb passwords. So, it’s up to us to make sure that we put precautions in place to protect against that. One way is to require multi-factor authentication (MFA). Another is single sign-on.
You know—those tools that provide and enforce a password policy or security policy.
Jenny: What do you mean by dumb passwords?
Chris: Let’s say that your favorite team is the Boston Red Sox, and your password is RedSox1. When your password is about to expire, you’re probably gonna type in RedSox2.
Well, a typical password policy will help protect you by not allowing you to use the most recent passwords. We know that people are like water, right? They’ll take the path of least resistance. But that option is no longer available.
Jenny: Right, so if those protocols are followed, if IT does their job, we won’t have dumb passwords. Then, would you say that the cloud is as safe as the non-cloud option?
Chris: I think the cloud is very safe. And I would argue that it has the potential to be safer than hosting your infrastructure and securing it in your office.
Now, I know some people like to say otherwise.
Jenny: Why do you think that is?
Chris: Well, I know my office is something that I’m physically connected to. But in the cloud, I can’t touch anything.
However, just think about the amount of work that you’d have to do [to secure onsite infrastructure]. Even in our office, we’d have to bring in two really strong Internet connections. We’d need to have giant battery backups. We’d need to have a diesel generator. We would also need to have two different electrical grids that terminate in this building. And we’d want to make sure that there are no windows and everything is totally secured from people trying to break in. Of course, we’re not going to do all of those things.
Right now, every data center has multiple ways to prevent someone from physically getting into the space. Hackers are not going to force their way through the front door. Hackers even have stopped trying to hack through digital firewalls because those things are locked up pretty tight.
So now, they’re hacking the easiest thing—people. Which is why phishing emails are rampant and why malware exists.
Jenny: Could you say more about how hackers operate?
Chris: I have no idea how hackers operate. The “why” is beyond me—the “how” is even more complex. The tools they use to hack are not the same ones we use to protect.
However, I am working on a presentation titled, “Everything I Learned About Marketing, I Learned from a Hacker.”
Hackers are smart. Because they go after the most vulnerable person.
Jenny: They’re like these phone calls that I get, saying that my Social Security number has been compromised and that I need to call right away to get that rectified.
Chris: Exactly. They need only one or two people to fall for this every day to meet their quota. Some of these hacking businesses are real, legitimate businesses with help desks and call centers who appear to be there to help you.
Maybe they’ll help you un-ransomware and get your data back. When you call back, they’ll pass you along to Pete who will take care of you. Then Pete will walk you through everything so that he can hack into your machine.
Jenny: To prevent this sort of hacking, I presume that businesses need to train their staff. What do you recommend for staff training regarding safety in the cloud?
Chris: What you absolutely need to do is use multi-factor authentication (MFA). And you need to do this at every point of entry that provides access to your data. Your data is valuable. I’m speaking of your payroll system, your CRM system, your contact list, your workflow system.
I personally install MFA on nearly everything that I do. Here’s why.
Let’s say that your phone alarm goes off at 2:00 a.m. and says, “beep, beep, Are you trying to log into [some system] of yours?” And you know that you’re not. You realize that someone is compromised, perhaps your username or password. But with MFA, the login will be unsuccessful. When you wake up the next morning, you go and change your password.
This gives you peace of mind.
Jenny: Since the pandemic hit, many people have been working from home or remotely. What security measures do you recommend for those situations?
Chris: First, never trust public Wi-Fi. You don’t know who configured it or how. If you’re accessing sensitive data such as email, financial information, personnel information, it’s better to wait until you can log onto a secure network.
For remote workers, we are using a single-log-on application that requires a single sign-on to access any of our other applications. While employees are working in our office, we presume that they’re on a safe network and, therefore, we don’t bother them with MFA codes.
But anywhere else, when they join any wireless network, then we will absolutely prompt them to return an MFA code.
Our program even has a little bit of artificial intelligence that allows it to recognize where a person usually logs in from. So, it knows that an employee usually logs in from our office, or from home, and that this happens consistently for the past 100 or 200 times. And now the login request comes from a foreign country? Whoa! That just seems way bizarre. So, now the program might put up even more barriers for the person to get in. If those barriers are passed, access will be granted.
Jenny: Could you say a little more about the single sign-on tool? Is this the kind of thing that managed service providers know about and can help with?
Chris: Well, MSPs can certainly drive the efforts on that because now these tools are becoming easier to purchase and implement.
However, I don’t think most small businesses really understand the single sign-on tool. They don’t really know what it can do for them.
I just ask them, “Do you like changing your passwords?” No, they hate it. Of course, they tell me they hate it. Everyone hates changing passwords.
Then I ask, “What if you had a system that could do that? You know, one password could get you into all of your applications and sites?”
Well, they think, “That doesn’t sound secure.”
I then say, “Ok, now we need to talk about what security really looks like.”
Jenny: Well, it sounds like we need to have another interview about single sign-on being secure and how all that works. That’s perhaps a good place to stop. Thanks for sharing your thoughts about the cloud.
Chris: My pleasure.