At the EAGE earlier this year, geophysicists were bombarded with the notion that the cloud is where the smart folks are going. We were left with the impression that the move to the cloud is the very first, essential step in the journey to digital nirvana-cum-transformation. Concerns about security in the cloud were brushed aside. Schlumberger’s Ashok Belani stated that “it is [Google, Amazon…] their profession to do this. Data is safer in the cloud than inside an IoC, let alone smaller companies. Google’s Gmail is one of the safest platforms around.”
Of course, what neither Belani nor anybody else knew was that some months earlier, Google had indeed been hacked but had decided not to tell anyone about it! OK, it was Google+, the company’s flagging attempt at a social network, that was breached, but users of the ‘safest platform’ Gmail were also invited to use the ‘Security Check-up’ to see what other apps are linked to their account and revise their security parameters accordingly. The Guardian’s report on the incident has it that 438 different third-party applications may have had access to private information due to the bug. Google apparently has ‘no way of knowing’ whether they did because it only maintains logs of API use for two weeks. Ouch! That does not sound like a cyber security best practice to me. It doesn’t even sound like Google’s regular data retention, which has been described as a ‘backup of the internet’. I guess there is one policy for stuff that Google plans to make money with, another for regulatory-sensitive data!
Even nearer to the geophysical bone, as we reported, is the fact that Schlumberger’s Delfi uses Google’s Apigee API management platform to provide ‘openness and extensibility’ allowing clients and partners to add their intellectual property and workflows into Delfi. We asked Google if the flaw was in Apigee itself. We were assured not and pointed to the official release. This merits a good read through. It lets you know just what you are signing up for when you ‘accept’ the default T&Cs – chez Google and indeed with a labyrinthine network of unseen third parties.
Speaking at the 2018 CERA Week, Rice University’s Charles McConnell opined, re cyber security, that ‘No one has really got a great pathway or program, with everyone hunting in the dark. Everyone is searching for comfort, hoping that they are doing the right thing, with the right technologies and with support of the right companies and partners. Regulations do not exist and need to exist, and the leadership needs to be in place’. McConnell called for an ‘ISO-like’ cyber security standard for high performance industries. Well, good luck with that! McConnell also gave a gentle push to steer oil companies away from their traditional posture of ‘keeping data within their gates’ which ‘limits the usefulness of the digital ecosystem’. Maybe it does. These are oil companies after all.
Currently the world seems to be in denial about cloud insecurity. You may buy into the idea that the cloud providers are better than you are at cybersecurity. But on the other hand, there are billions of users of cloud data centers and even more anonymous IoT endpoints ready to be exploited. I guess it is easier for a CIO to buy into the ‘cloud is secure’ notion. The alternative is to work your way through the multiple cyber security offerings as exemplified in the latest Cyber Security Round-Up in this issue. BTW, Oil IT Journal has been tracking cyber security in oil and gas for over 20 years. From ‘deperimeterization’ to ‘re-perimeterization’ and now, well, what is the cloud? A cyber fortress or the next Maginot Line?
© Oil IT Journal - all rights reserved.