Is Security a Curse for the Cloud Computing Industry?

Thursday, March 25, 2010

Richard Stiennon


In 1975 my father, a doctor, was approached by some entrepreneurs. They had a brilliant idea. They were going to purchase a mainframe computer and sell computing on a timeshare basis to anyone who wanted to connect to it.  Charges would be based on compute cycles and applications would be provided pre-loaded.  Sound familiar?  That was cloud computing.   Today’s cloud is certainly different in scale. The flexible computing platform is provided by multiple virtual instances of many computers.  The applications are provided by specialist companies like for customer relationship management (CRM) and Google or Yahoo! for email, calendaring and document creation.  The network is different than 1975 and the computing infrastructure has improved but the real difference between today and then is the threat.

Since 2003 there has been a rapid rise in cyber crime.  It is like watching a new economy grow on the back of the Internet.  The criminals target anything that can be turned into profits. And those profits fund new research and development as well as the expansion of the criminal networks needed to execute elaborate money laundering schemes.  

In his just published book, Fatal System Error, Joseph Menn documents the rise of cyber crime.  Menn traveled to Russia to see firsthand the environment; economic, political, and legal ,that gave rise to disperse networks of hackers, extortionists, carders, cashers, and mules that systematically pull off phishing attacks, distributed Denial of Service (DDoS) and feed the proceeds back into their organizations. 

He follows Andy Crocker, a policeman with the UK High Tech Crime Task Force as he stakes out one such hacker's apartment and eventually arrests and prosecutes three cyber criminals and sees them sent to Siberia for eight years' hard labor.

It is those criminals and the legions that join them every year that pose a threat to cloud computing.  There used to be a common defense used by most organizations. It was called "security by obscurity" and was evoked in the statement "I am just a car dealer/attorney/shop keeper, why would someone from St. Petersburg want to hack me?"   

Those days are gone. If there are assets of any sort; financial accounts, intellectual property, or a social network, it will be targeted.   And if there are security vulnerabilities it will be broken into.   

We have already seen cloud services hacked using elaborate techniques.  Lexis-Nexis, the big information database, was hacked repeatedly. 

Lexis-Nexis made the common mistake of trusting their customers.   An individual could use a credit card to purchase access to their database of records.  Hackers used stolen credit cards to purchase access and ran computer programs to systematically deplete their database. 

Let's talk about what could happen.  First  This service is becoming the operational backbone of thousands of companies.  Sales contacts, quotes, pipeline, order processing, invoicing and reporting all go through a single platform that is available on-demand and from anywhere. 

The only authentication asked for is an email address and password.    It is trivial for an attacker to determine the email address of say the VP of sales of a target organization.  Getting the password is equally trivial.  Just send a Trojan horse to that email address and every key stroke is recorded as the VP of sales logs in to his account.  

Once in the attacker has access to everything the VP of sales has: new targets for their attacks, financials, and a view of the sales pipeline.  Imagine the stock manipulation possible if one had a complete view of a publicly traded company's sales forecast in the last week of the quarter! is a lesson in the weakness of simple username/password.  The cloud offers other possibilities to cyber criminals. 

Shared platforms.   Computing on demand services, the so called public-cloud, such as Amazon Elastic Compute Cloud (Amazon EC2) is built on thousands of physical servers running tens of thousands of virtual machines.  A hosted application is granted as much computing power as it needs. 
What happens if a customer of Amazon EC2 is pummeled with fake requests for its services? That application owner may face charges that far exceed its revenue from real customers. 

What if one service, such as Twitter which is hosted in part on Amazon's infrastructure, suffers a global DDoS?  What happens to other services on the same platform? They go down along with the primary service. 

Authentication.  Sometimes it seems like every new computing platform, be it mainframe, client-server, web based, or cloud, must re-learn the lessons of the past.   Most cloud services are launched with few protections against attackers.

Within weeks the developers learn to lock out accounts after too many failed login attempts (a defense against password guessing attacks) and they require the user to read and enter the content of a CAPTCHA.

Vulnerabilities.  Microsoft has contributed its share of vulnerabilities to the world of desktop computing.  Cisco, Sun, Oracle to their platforms.  As sure as there will be new vulnerabilities in OS's and applications there will be vulnerabilities in the implementations of cloud computing platforms.

The beautiful thing about cloud services is that the patch cycle is simplified.  No disclosure, no distribution of a patch, no bad publicity.  The scary thing about cloud computing is that the provider may not discover the vulnerability until after it is exploited.

What should be done to secure the cloud? Once again the answer is layered defense.  The cloud must be segmented in such a way that a hosted application can only see its own data.  And each user's data must be segmented as well.  To guarantee that segmentation the data must be encrypted, only to be unlocked by a user's key.  

Access to the application must be through strong, two-factor, authentication:  a onetime password token, or a cell phone used to provide SMS verification.  Firewalls and DDoS defenses have to be put in front of the cloud and all connections have to be filtered to block everything that is not explicitly allowed.

As major cloud services arise expect to see these lessons to be learned the hard way.  Along with new efficiencies, enhanced service delivery, and lower costs will come massive data breaches, service outages and elaborate schemes that net cyber criminals tremendous riches.  

The security industry is scrambling to provide protections that will enable the safe deployment of clouds but most organizations will fail to make those investments until after they have suffered the ravages of cyber crime.

Possibly Related Articles:
Cloud Security Operating Systems
Cloud Security Cloud Computing
Post Rating I Like this!
Angel Redoble Security is not a's an opportunity, but like any other opportunity, it has to be grabbed and put into action.

It's not even about the budget, it's about understanding the risk and the impact it could possible cause to the organization..the bottomline is the bottomline of the company. If one considers security as a technical aspect in an organization, then that organization is sure to be compromised. However, if one organization considers security as a prime mover and a backbone to its bottomline..then surely the needed budget and investment will surely be integrated all through out the year. You can use all the money in the world to but security hardwares, but as long as you have the what we call "human factor" as part of your infrastructure, you will be hacked.

Another thing is converting the technical security aspect into monetary aspect, unfortunately, only very few technical guys are able to do this.

My take is, security has to be attacked in all aspects (technical, administrative and physical).
Fred Williams Good article as it focuses on some important aspects about the cloud.

If a customer's userid and password is stolen, the cloud provider then absolves themselves of any liability for any financial, data or reputation losses as a result of compromises from the use of that account.

For DDoS attacks, the cloud may enjoy even great availability than traditional data centers. With all of those servers, they can ramp up with additional power as utilization becomes high with the bot attacks.

On Black Friday, used a cloud provider for its website for the holiday rush. (can't remember which one - Amazon S3 maybe) And they experienced only a 55% loss of availability compared with other merchants who were down much lower.

If a company is really concerned with strong security, 99.999% availability, data redundancy, etc. then you can't go with the standard cloud provider offering. You have to get one that offers SLA's like Rackspace ( )
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.