From: Paul Ferguson (RD-US)
Sent: Friday, March 26, 2010 1:28:18 PM
Subject: NEWSBANK:: Is Security a Curse for the Cloud Computing Industry?
Is Security a Curse for the Cloud Computing Industry?
Thursday, March 25, 2010
In 1975 my father, a doctor, was approached by some entrepreneurs. They had a brilliant idea. They were going to purchase a mainframe computer and sell computing on a timeshare basis to anyone who wanted to connect to it. Charges would be based on compute cycles and applications would be provided pre-loaded. Sound familiar? That was cloud computing. Today's cloud is certainly different in scale. The flexible computing platform is provided by multiple virtual instances of many computers. The applications are provided by specialist companies like Salesforce.com for customer relationship management (CRM) and Google or Yahoo! for email, calendaring and document creation. The network is different from that of 1975 and the computing infrastructure has improved, but the real difference between then and now is the threat.
Since 2003 there has been a rapid rise in cyber crime. It is like watching a new economy grow on the back of the Internet. The criminals target anything that can be turned into profits. And those profits fund new research and development as well as the expansion of the criminal networks needed to execute elaborate money laundering schemes.
In his just-published book, Fatal System Error, Joseph Menn documents the rise of cyber crime. Menn traveled to Russia to see firsthand the environment (economic, political, and legal) that gave rise to dispersed networks of hackers, extortionists, carders, cashers, and mules that systematically pull off phishing attacks and distributed denial of service (DDoS) attacks and feed the proceeds back into their organizations.
He follows Andy Crocker, a policeman with the UK High Tech Crime Task Force, as he stakes out one such hacker's apartment and eventually arrests and prosecutes three cyber criminals and sees them sent to Siberia for eight years' hard labor.
It is those criminals, and the legions that join them every year, that pose a threat to cloud computing. There used to be a common defense relied on by most organizations. It was called "security by obscurity" and was invoked in the statement "I am just a car dealer/attorney/shop keeper, why would someone from St. Petersburg want to hack me?"
Those days are gone. If there are assets of any sort (financial accounts, intellectual property, or a social network), they will be targeted. And if there are security vulnerabilities, they will be exploited.
We have already seen cloud services hacked using elaborate techniques. Lexis-Nexis, the big information database, was hacked repeatedly.
Lexis-Nexis made the common mistake of trusting its customers. An individual could use a credit card to purchase access to its database of records. Hackers used stolen credit cards to purchase access and ran programs to systematically harvest records from the database. The lesson is that a paying customer is still an untrusted party: a purchased account should have been rate-limited and watched for bulk retrieval like any other.
Let's talk about what could happen. First Salesforce.com. This service is becoming the operational backbone of thousands of companies. Sales contacts, quotes, pipeline, order processing, invoicing and reporting all go through a single platform that is available on-demand and from anywhere.
The only authentication asked for is an email address and password. It is trivial for an attacker to determine the email address of, say, the VP of sales of a target organization. Getting the password is equally trivial: send a Trojan horse (a keystroke logger) to that email address, and every keystroke is recorded as the VP of sales logs in to his account.
Once in, the attacker has access to everything the VP of sales has: new targets for their attacks, financials, and a view of the sales pipeline. Imagine the stock manipulation possible if one had a complete view of a publicly traded company's sales forecast in the last week of the quarter!
Salesforce.com is a lesson in the weakness of simple username/password. The cloud offers other possibilities to cyber criminals.
Shared platforms. Computing-on-demand services, the so-called public cloud, such as Amazon Elastic Compute Cloud (Amazon EC2), are built on thousands of physical servers running tens of thousands of virtual machines. A hosted application is granted as much computing power as it needs.
What happens if a customer of Amazon EC2 is pummeled with fake requests for its services? Because the platform bills for the capacity consumed and allocates more as load rises, the attacker does not even have to take the service down: the application owner may face charges that far exceed its revenue from real customers.
What if one service, such as Twitter, which is hosted in part on Amazon's infrastructure, suffers a global DDoS? What happens to other services on the same platform? Unless the provider isolates tenants from one another (separate capacity, per-tenant rate limits, and filtering in front of each service), they go down along with the primary service.
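One way a shared platform keeps one tenant's flood from starving its neighbours is to meter each tenant separately at the front door. The following is an added example, not code from the article or from Amazon: a per-tenant token bucket in Python, replayed over constructed traffic in which a hypothetical tenant named "victim" receives 256 requests in one second while a tenant named "neighbor" sends three ordinary requests in the same second. The bucket size (10) and refill rate (2 per second) are assumptions chosen for the demonstration. Running the same traffic through a single shared bucket, which is what "no isolation" amounts to, shows the neighbour losing requests it did nothing to deserve.

```python
"""Per-tenant token-bucket rate limiting.

Added example, not from the article.  Assumes the front end can attribute
every request to a tenant; the tenant names, bucket parameters and traffic
below are constructed for the demonstration.  Timestamps are multiples of
1/256 s so that the bucket arithmetic is exact in floating point.
"""


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `rate` tokens/s."""

    def __init__(self, capacity: float, rate: float, now: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity
        self.last = now

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Limiter:
    """One bucket per key.  With per_tenant=True the key is the tenant id, so a
    tenant can only burn its own budget; with per_tenant=False every tenant
    shares one bucket, which is the noisy-neighbour failure mode."""

    def __init__(self, capacity: float, rate: float, per_tenant: bool = True) -> None:
        self.capacity, self.rate, self.per_tenant = capacity, rate, per_tenant
        self.buckets = {}

    def allow(self, tenant: str, now: float) -> bool:
        key = tenant if self.per_tenant else "*shared*"
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.rate, now)
        return bucket.allow(now)


def simulate(requests, capacity=10, rate=2.0, per_tenant=True):
    """Replay (timestamp, tenant) pairs; return {tenant: (served, rejected)}."""
    limiter = Limiter(capacity, rate, per_tenant)
    stats = {}
    for ts, tenant in requests:
        served, rejected = stats.get(tenant, (0, 0))
        if limiter.allow(tenant, ts):
            served += 1
        else:
            rejected += 1
        stats[tenant] = (served, rejected)
    return stats


# Constructed traffic: "victim" is flooded with 256 requests in one second,
# "neighbor" sends three requests in the same second at t = 0, 0.375 and 0.75.
FLOOD = [(i / 256, "victim") for i in range(256)]
NORMAL = [(0.0, "neighbor"), (0.375, "neighbor"), (0.75, "neighbor")]
TRAFFIC = sorted(FLOOD + NORMAL)

if __name__ == "__main__":
    print("per-tenant buckets:", simulate(TRAFFIC, per_tenant=True))
    print("one shared bucket: ", simulate(TRAFFIC, per_tenant=False))
```

With separate buckets the flooded tenant gets its 10-request burst plus whatever the refill allows and is then throttled, while the neighbour is served every time. With one shared bucket the flood drains the common budget and two of the neighbour's three requests are rejected, even though it sent almost nothing. Metering is only one layer; the text's point stands that capacity and filtering also have to be partitioned.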
Authentication. Sometimes it seems like every new computing platform, be it mainframe, client-server, web based, or cloud, must re-learn the lessons of the past. Most cloud services are launched with few protections against attackers.
Within weeks the developers learn to lock out accounts after too many failed login attempts (a defense against password-guessing attacks) and to require the user to read and enter the content of a CAPTCHA. Lockout needs care of its own: a permanent lockout lets an attacker deny service to any user whose email address he knows, so the lockout should be temporary, or rate limiting should slow the guessing rather than shut out the legitimate user.
Vulnerabilities. Microsoft has contributed its share of vulnerabilities to the world of desktop computing; Cisco, Sun and Oracle have done the same for their platforms. As surely as there will be new vulnerabilities in operating systems and applications, there will be vulnerabilities in the implementations of cloud computing platforms.
The beautiful thing about cloud services is that the patch cycle is simplified: no disclosure, no distribution of a patch, no bad publicity. The scary thing about cloud computing is that the provider may not discover the vulnerability until after it is exploited, and because the fix is silent, customers have no way of knowing whether their data was exposed in the meantime.
What should be done to secure the cloud? Once again the answer is layered defense. The cloud must be segmented in such a way that a hosted application can only see its own data, and each user's data must be segmented as well. To enforce that segmentation rather than merely promise it, the data must be encrypted, with each user's data unlockable only by that user's key.
Access to the application must be through strong two-factor authentication: a one-time password token, or a mobile phone that receives an SMS verification code (the weaker of the two, since a phone number can be hijacked or a text message intercepted). Firewalls and DDoS defenses have to be put in front of the cloud, and all connections have to be filtered to block everything that is not explicitly allowed: default deny, not default permit.
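The two authentication defenses this piece calls for, lockout after repeated failures (see the Authentication paragraph above) and a one-time code as a second factor, fit together in a single login check. The following is an added example in standard-library Python, not code from the article, Salesforce.com or any vendor: HOTP and TOTP as specified in RFC 4226 and RFC 6238, a salted slow password hash, constant-time comparison of both factors, and a temporary lockout. The account, the user name, the salt, the timestamps, the failure threshold (5) and the lockout length (15 minutes) are constructed for the demonstration; the TOTP secret is the RFC 6238 reference secret so the codes can be checked against the published test vectors.

```python
"""Login check with lockout and a TOTP second factor.

Added example, not from the article or any vendor.  Pure standard library.
HOTP/TOTP follow RFC 4226 / RFC 6238.  The user record, salt, thresholds and
timestamps are constructed for the demonstration; the TOTP secret is the
RFC 6238 reference secret so the codes match the published test vectors.
"""
import hashlib
import hmac
import struct

MAX_FAILURES = 5             # failed attempts before a lockout (assumed)
LOCKOUT_SECONDS = 15 * 60    # temporary, so an attacker cannot lock a user out for good
TOTP_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock
    skew.  compare_digest keeps the comparison constant-time."""
    current = at // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - window, current + window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen user table does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, users: dict) -> None:
        self.users = users          # email -> {"salt", "pw_hash", "totp_secret"}
        self.failures = {}          # email -> (count, locked_until)

    def _fail(self, email: str, now: int) -> str:
        count, _ = self.failures.get(email, (0, 0))
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0
        self.failures[email] = (count, locked_until)
        return "denied"             # one answer for unknown user, bad password, bad code

    def login(self, email: str, password: str, code: str, now: int) -> str:
        _, locked_until = self.failures.get(email, (0, 0))
        if now < locked_until:
            return "locked"
        if locked_until:            # lockout has expired: start counting afresh
            self.failures[email] = (0, 0)
        rec = self.users.get(email)
        if rec is None:
            return self._fail(email, now)
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            return self._fail(email, now)
        if not verify_totp(rec["totp_secret"], code, now):
            return self._fail(email, now)   # a keylogged password alone is not enough
        self.failures.pop(email, None)
        return "ok"


# Constructed account.  The secret is the RFC 6238 reference secret.
SECRET = b"12345678901234567890"
SALT = b"constructed-salt"
USERS = {"vp.sales@example.com": {"salt": SALT,
                                  "pw_hash": hash_password("correct horse", SALT),
                                  "totp_secret": SECRET}}


def demo() -> list:
    """Walk through four cases; returns the outcome of each login attempt."""
    svc, who = AuthService(USERS), "vp.sales@example.com"
    out = [svc.login(who, "correct horse", "000000", 59)]              # right password, wrong code
    out.append(svc.login(who, "correct horse", totp(SECRET, 59), 59))  # both factors
    for _ in range(MAX_FAILURES):                                      # password guessing
        svc.login(who, "guess", "000000", 100)
    out.append(svc.login(who, "correct horse", totp(SECRET, 100), 100))  # now locked out
    later = 100 + LOCKOUT_SECONDS
    out.append(svc.login(who, "correct horse", totp(SECRET, later), later))  # lockout expired
    return out


if __name__ == "__main__":
    print(demo())
```

The walk-through returns denied, ok, locked, ok: the stolen password is useless without the code, five guesses lock the account, and the lock lifts on its own. Two design choices are deliberate. The service gives the same "denied" answer for an unknown address, a wrong password and a wrong code, so an attacker cannot use the login form to confirm which addresses are accounts. And the lockout is time-limited and resets its counter when it expires, so the same mechanism cannot be turned into a way of locking the VP of sales out indefinitely.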
As major cloud services arise, expect these lessons to be learned the hard way. Along with new efficiencies, enhanced service delivery, and lower costs will come massive data breaches, service outages and elaborate schemes that net cyber criminals tremendous riches.
The security industry is scrambling to provide protections that will enable the safe deployment of clouds but most organizations will fail to make those investments until after they have suffered the ravages of cyber crime.
"Fergie", a.k.a. Paul Ferguson
Trend Micro, Inc., Cupertino, California USA