Last month, for the umpteenth time in recent memory, a prominent web service was forced to issue a warning to users: change all of your passwords.
This time, those potentially affected included anyone unfortunate enough to have used websites serviced by content delivery company Cloudflare. The now infamous “Cloudbleed” bug resulted in an overflow error causing potentially sensitive website data of its enterprise customers to leak onto the internet – some of it rapidly indexed by search engines like Google. While the leak was quickly identified by a Google researcher, the damage could have been far worse, potentially compromising a stunningly broad swath of private internet content: ride hailing data, hotel reservations, even dating site messages.
“Cloudbleed” made major news, not only because of the sheer volume of potential leaks, but because of the high-level nature of some of its customers. While Cloudflare has been assessing the fallout since the error broke into public view, it’s now estimated the bug could have been triggered more than 1.2 million times – this for a company that counts over 4 million websites as customers, including major consumer brands such as Uber and OkCupid.
Any of the websites serviced by Cloudflare technology are now confronting the prospect of compromised user information. They face a problem endemic throughout the business landscape of 2017: can you trust the technology needed to run your business?
The Problem of Trust
The reality today is that companies rely on the technology of a variety of third-party vendors to help them run their businesses effectively and efficiently, from website features to sales functions. The new normal is a landscape in which businesses put their trust in a technological infrastructure largely opaque to them, but perhaps susceptible to bugs, vulnerabilities, outages, and attacks.
This vendor risk remains a serious weak point for even the most technologically sophisticated of businesses. Often overlooked as an invisible link in the tech toolchain, third-party technology vendors comprise a potentially fatal weakness in effecting digital resilience against attacks and outages.
Ironically, the usual reliability and ubiquity of services like Cloudflare can foster a trust that has not been truly tested, and a complacency about acting when no threat appears to loom. So long as third-party technology vendors help businesses by effectively and efficiently performing the grunt work of functions like payment processing or web hosting, perhaps it seems there is little left to examine. Here is where a lurking risk resides.
A Perfect Example
Consider an example. If an American bank customer deposits money into an account, they trust they will not lose their savings overnight because federal laws regulate how banks can use their depositors’ money and the government insures customers against bank failure. Yet all too often in the technological world, businesses behave not unlike depositors did prior to the Great Depression, relying solely on their ability to trust in the good offices of the bank they are patronizing. Perhaps all will go well. Perhaps not.
Businesses can do better. The stakes are simply too high, and one does not have to look far for frighteningly portentous examples of how this dangerous dynamic can wreak havoc. A crippling, day-long DDoS attack on DNS servicer Dyn in 2016 succeeded in taking down some of the internet’s biggest websites, resulting in widespread service disruption across the United States. Just recently, the failure of Amazon Web Services similarly resulted in major outages for many of the cloud’s biggest enterprise customers. These are not minor interruptions, but wholesale broadsides against some of the largest and most integral services the internet provides. The very ability of the digital economy as we know it to function rests upon this infrastructure.
Businesses doing damage control in the wake of such third-party failures are doing little more than shutting the barn door after the horse has bolted. In order to begin effecting real digital resilience against such threats, business leaders must begin the crucial work of restoring trust in the IT environment before the next preventable data breach proves even more costly. They must weigh the advantages and risks of outside vendors carefully.
Moving forward, executives across all digital-facing industries need to begin factoring third-party technology into their security environment as if it were their own.