With the recent Uber hack coming to light, the value and worth of code sharing comes to the forefront of the discussion. The main question for most organization is do you know if your teams are sharing and/or storing data in the cloud? If the answer is yes, then do you also have the ability to ensure that sensitive data is not also contained in those shared files? For most organizations, including Uber, the answer is typically no to both questions. Consequently, while code sharing sites have many benefits, many organizations have not adapted their security posture to safely enable this new way to work and the time to do that is now.
For those who haven’t heard of the recent Uber hack, two hackers broke into the company in late 2016 and stole personal data, including phone numbers, email addresses, and names, of 57 million Uber users. Among those, the hackers stole 600,000 driver’s license numbers of drivers for the company. Hackers accessed Uber’s systems via a popular code sharing site GitHub which many engineers and companies use to store code and track projects. There, hackers found the username and password to access Uber user data stored in an Amazon server. Consequently, the origins of this breach is more opportunistic versus complex given that many companies frequently accidentally keep credentials in source code that is uploaded to GitHub and other code sharing sites.
While code sharing has many benefits, how can organizations maintain those benefits all while ensuring sensitive data is not also ‘shared’? It’s time to ensure your cloud security is treated like your on-premise security. Many companies utilize on-premise type security controls, technologies and processes however, these typically have not adapted to the new model – cloud based code sharing. Cloud sharing is not limited to code, it also includes documents, files, images and other items that are being accessed via Microsoft’s O365, Google Docs, and others.
Back in the day when I was a coder (which seems like 100 years ago), my company used an on-premise code sharing technology that brought many benefits and it also included many security checks to ensure sensitive data was not included – which was often the case. Today’s cloud-based model now requires a different approach to identifying & securing sensitive data that may go beyond your current on-premise security solution. If not, then use of cloud based ‘sharing’ increases the exposure – and the risk.
Some questions to answer:
1. Does your current security technology detect access to all cloud services regardless of where your users are located or what device they are using?
2. Can appropriate access be applied via a security policy?
3. Is access effectively monitored and are automated responses triggered for non-compliance?
In conclusion, code sharing sites makes it easy to share, but this same capability also makes cloud services an attractive target for hackers. if your organization has not recently assessed whether your current security posture can enable & secure cloud sharing, perhaps now is the time.