Cautiously Reaching for the Cloud
By Larry Mogelonsky , Owner of Hotel Mogel Consulting Limited and the founder of LMA Communications Inc.
The world has already moved online, and what's now making this global interconnected web churn are the numerous data storage facilities housing terabytes of readily accessible information no matter the local access point. We call this 'The Cloud'.
Loss of Control
With cloud-based systems, you are never in total control because it is not your system. Whether the information is housed with Google, Apple or any other major supplier, if they go down, your hands are tied. And please don't shrug this off because of the trust you might have in such large tech companies - it can still happen! Depending on the cloud architecture and how your information is hopping around from server to server, it may take a long time to get your data back or, worse, there may be no data left to recover at all. With on-premise data management, however, system availability is never a problem.
Moreover, all this hopping around represents a potential point of breach as you will not have full control over the security of your information. As well, the more middlemen, storage devices, administrators and governing bodies you fold into to this processing chain, the more weak points you are also introducing. The bottom line is that the bigger the cloud you host your data with, the more users there are on the system and the more possible access points there now are.
A straightforward hybrid solution for this is to install a local backup for seamless business continuity. This ensures that the moment you lose your connection to the cloud, you can work on an on-premise backup then sync the information once the internet is fully functional again.
In its most basic form, a Janus or man-in-the-middle attack (MITM) happens when someone impersonates the digital identity of a trusted online authority then, for instance, warning a user that his or her account might be compromised and requesting sensitive details to remedy the situation. Believing that the correspondence is being made on behalf of an official source, victims would then enter their passwords or other private information via what appears to be a secure access point, thereby giving the attacker the key to their email records or online data backups.
Phishing is a common form of a MITM attack with the objective being simply eavesdropping or something more malicious like the installation of ransomware. This occurs when a phisher secrets relays or possibly alters the communications between two parties who both believe that they are communicating directly and privately. Every online service you recruit thus presents yet another opportunity for a MITM attack as you are introducing yet another form of communication between the hotelier and the cloud. First, relying on a trusted vendor means that there is now the potential for a phisher to impersonate this supplier. Second, once someone has gained access to your online data systems, it is far easier for them to do damage or delete records.
A straightforward example of how a MITM attack might occur at a hotel would be when a guest tries to access the WiFi network. A hacker can create an online portal that looks legitimate and asks for the guest's name, room number and possibly a username or password. It seems trustworthy, but now the phisher has a back door into the guest's system. And worse still, there's already a limited variety of WiFi auditing and vulnerable device collection software available for everyday purchase that allows nearly anyone to perform a MITM intercept.
What's on the Horizon
As cybersecurity is of tremendous importance to not only safeguard your guest's sensitive credit card information but to also protect your hotel's reputation, the near future will present many possible solutions to the current forms of data breach. However, it's a bumpy road, and in this arms race where hackers are going ever-more creative with their techniques, there will be new problems cropping up that you must also keep in mind.
The most relevant issue to follow is the deregulation of online data privacy and net neutrality currently afflicting companies operating in the United States. Unless the European Union which is moving towards increased regulation of the cloud, this rollback has the potential to amplify those kinds of cyberattack addressed above.
Next is the act of skimming which was traditionally used by identity thieves to illegally collect data from the magnetic stripes of a debit card, credit card or even those used to manage guestroom doors. Moving towards keyless entry has reduced the likelihood for this old-style form of skimming, but has then presented a more pernicious mutation where hackers can now hijack information via RFID (radio-frequency identification) or NFC (near-field communication) processes. These forms of transactions are considered contactless because they rely on proximity and generally do not require any form of 2FA (two-factor authentication) like simultaneously punching in a pin number. The scary part is that there are tools that can spoof a card's details from as far as 50 yards away.
Third is the proliferation of augmented reality (AR) devices which can be used in tandem with a traditional computer monitor to different content display. With AR equipment synced to a set of software protocols, basic security is heightened as you can all but eliminate the problem of shoulder surfing whereby sensitive information will only be projected onto a user's glasses and not onto the big screen's desktop.
Lastly, although only tangentially related to cybersecurity, the realm of biometric and intelligent video analysis is worth mentioning as oftentimes any online attack is accompanied by an onsite activity of some sort such as locally accessing your property's WiFi network or leaving a device plugged in. Increased security measures in this regard translate to significantly better real-time facial recognition as well as object analysis. For instance, monitor systems can now tell when someone leaves a bag unoccupied and alert personnel to investigate.
Any way you slice it, this will be a hot button topic for many years to come. With the potential for enormous damage, though, it would be prudent for you to keep apace with how cloud technologies are progressing, especially given the fact that they are not as safe as you may have been led to believe.