Home > Blogs > Rethink IT


What The World’s Biggest Bank Heist Tells Us About Cloud Security

During the launch of VMware's vCloud Datacenter Services, I was asked if there were applications or datasets that could never be moved to public or hybrid clouds because of security concerns. It's a legitimate question given the uncertainty of what security, exactly, is provided in many public clouds. My answer is an emphatic "No", as an implicit assumption is that the physical walls of an organization offer superior security.

A sophisticated attempt to steal $440m from Sumitomo Mitsui bank's London offices in 2005 showed that what is within the four walls of one’s own building are just as vulnerable to attack as those outside them. The criminal case was tried in 2009, convicting everyone involved and providing the following details.

Bribed security staff disabled security cameras and let in hired hackers under the cover of an after-hours poker game. The hackers installed key logging and "screen scraping" software onto Sumitomo's inter-bank transfer systems. Armed with credentials collected from these systems, the would-be thieves returned a month later disguised as office cleaners and attempted to transfer 229 million Pounds Sterling (approximately $440m at the time) to accounts in Dubai, Spain, Hong Kong and Singapore.

The key takeaway is this: security is about transparent risk management, whether it is implemented inside the walls of your building or someone else's. Yet security teams are often correct that their own datacenters are more secure than some of the best-known public clouds, because internal security controls are fully transparent — all physical and logical controls are known and can be audited.

Many public cloud providers take the approach of "security by obscurity", the reverse of transparent security. It's characterized by refusing "for security reasons" to provide details on the actual security controls implemented in the public cloud datacenter and infrastructure, and refusal to provide logs and documentation for security audits. You don't need to be a security professional to see that "just trust us" is a triumph of hope over experience.

True cloud security requires service providers who offers transparent security operations, where you know what security is in place and can audit the logs and records from the security controls. This is one of the key capabilities of all vCloud Datacenter Services offered by VMware's service provider partners. We also made sure VMware security technologies like vShield Edge provide logs for audits. While this sounds like a simple thing, firewall logs simply aren't offered by many public cloud providers.

Fortunately for the bank’s customers, the hackers knew more about programming than they did about inter-bank transfers and tidiness: they were unable to complete the transfer screens correctly, and the transactions failed. Returning bank staff found unplugged cables on their computers, leading them to conduct checks which uncovered the bogus transfer attempts. Fundamentally, this story illustrates that transparent, audited security controls – whether internal or external – are key.