Honda Data Breach Highlights Need to Set Strong Cloud Security Policies

In light of recent data breaches, including a December 2010 incident which affected 2.2 million Honda customers, IT managers need to limit what data is actually shared with cloud service providers.

Corporations partnering with cloud service providers need to think carefully about what data is being shared to adequately protect consumer privacy, according to security experts.

As companies outsource various business functions, which can range from e-mail marketing to e-discovery and e-mail archiving, it's important to remember that the data leaving the corporate network still needs to be protected. The protection should be worked in to the contract, ensuring a standard level of security, before the company hands over the data.

There are many benefits of the cloud, but "all that goes out the window when there is a data breach," Ben Goodman, principal strategist for identity, security, and compliance at Novell, told eWEEK. When the cloud provider gets breached, the company that hired the provider is help responsible, he said. Companies "outsource the job, not the responsibility," Goodman added.

That was the case when an e-mail marketing firm that Honda partnered with had a data breach in late December. Criminals stole a database containing names, login names to a Honda portal, e-mail addresses, and 17-character Vehicle Identification Numbers for 2.2 million Honda customers, according to a Dec. 28 report in Columbus Dispatch. A separate list of 2.7 million Acura customer e-mail addresses was also stolen from the same marketing firm, but that list did not have any other customer data.

The inclusion of VINs in the stole data was surprising, as Honda shared its customer information with the firm for e-mail marketing services. People understand that a certain level of "data granularity is required" when the data is stored on-premise, but when that information "crosses the firewall," it's not acceptable, said Goodman. Enterprises should be exercising "minimum disclosure," and not giving external providers "more data than they need," he said.

Enterprises are "not as concerned as they should be," about how other providers are using their data, Brian Singer, senior security management solution manager at Novell, told eWEEK. Honda's relationship with the e-mail marketing provider was analogous to the one an enterprise would have with a cloud provider, Singer said, and similar rules applied. Enterprises need to be careful what data they provide to cloud service providers, because the providers may not have the kind of security controls that would exist internally, he said.

"Don't take for granted the provider will secure the data," Goodman said.

Companies should discuss security measures such as access control, network monitoring, and regular audits when negotiating the partnership, Singer said. It should be clearly part of the contract that the provider needs to make sure the data is being secured, he said.

There is no reason to just hand over the information as is to the provider, said Singer, just because it might have taken some extra time to remove unnecessary data fields from the files. Prior to sending the data, it needs to be examined to verify that the bare minimum of what the provider needs is sent, and nothing else, he said. In Honda's case, the VIN numbers clearly were unnecessary for the firm to send customers a Welcome email after they bought the car at a dealership, or created an account with Honda Financial Services.

Cloud applications deployed "under radar" without IT approval or supervision are also a challenge for IT managers who need to ensure proper data granularity, Goodman said. "All the effort to put in access control and security" measures are compromised when the data is being passed on to these cloud applications without thinking about whether it's really necessary to share all that information, , Goodman said.

Another concern with cloud service providers is the fact that they are multi-tenanted, Singer said. It is difficult for the enterprise to know the extent of a data breach that hits a cloud service providers, whether the data of one company or multiple companies were compromised by the breach. "Companies don't know which companies are affected," he said.