Security and the fear of it being breached has been the principal issue holding back the expansion of cloud computing ever since its inception. Users are inherently less trustful of a computing service that appears less physically tangible than what they have been previously used to. While the problem is partly a lack of proper understanding of what the system entails, it would be grossly naïve to think that cloud security breaches are not a serious threat.
Despite initial reservations, more and more companies are now embracing cloud technology. Additionally, with the release of Google Drive, a cloud computing service offering users 5GB of free remote storage, more and more individuals will likely utilise cloud computing for their personal day-to-day tasks. However, with this ever-increasing popularity come proportionally increased security risks.
Harry Sverdlove, the chief technology officer at computer security firm Bit9, likened cloud computing to a car on the road of the Internet, elaborating “that’s where the risk lies, because nobody owns the highway. You might have paid extra to drive in a private lane, but you are still on a public road where others can peep into your car window.”
Problems With Security
Although you would expect large companies to have better security, the reality can sometimes be quite the opposite. A large company will likely operate a distributed database and as such are perfect platform from which to launch DDoS attacks or password forcing cracks. All a cybercriminal need do is rent a server from the company’s cloud service and use it as a base to penetrate the network from within, using its entire strength to perpetrate the attacks. Such a system was used in the PlayStaion Network attack last year that compromised the personal data of its 77 million users.
There is also an increasingly prevalent problem of zero-day threats. These are security vulnerabilities that get disclosed to everyone listening before the updates that address them can be properly tested and rolled out. The frustrating reality is that the criminals are often in possession of greater resources than the software engineers battling them. It often comes down to a race between how quickly engineers can write patches versus how quickly hackers can write malware exploiting the discovered weaknesses. All too often, it’s the latter of these that comes out on top.
Such are the exploitable loopholes in cloud architecture that industry experts expect a major breach to take place some time this year that will likely spark a shift in focus onto the development of security rather than the variant applications that CSPs can provide for their customers.
Problems With Providers
UK security company Context Information Services recently published details of a report on the security flaws of four large cloud service providers: Amazon EC2, Gigenet, Rackspace and VPS.net. It was discovered that the virtual machines were lacking up to date security and antivirus software. Additionally, some of them had back doors built in to allow the CSP administration staff access to them.
A more serious flaw was that data on a virtual machine was not deleted automatically after use and as result could turn up on the virtual machine of the next customer to use the disk space. Criminals could exploit this problem by accessing a virtual machine and copying any data remaining on it, then shutting it down and accessing another and then another in a constant data harvesting exercise. The process could easily be automated and all that the attacker would have to do would be to sift through the resulting information for things like credit card numbers, login details, security details for business accounts, passwords and personal information.
Although the initial findings were over a year ago, Context gave the companies time to patch the security before going public with the information and naming them in the process. Full details of the so-called “dirty disk” problem can be read here.
Like all issues that affect security, educating users about potential threats and various methods of countering them once affected (or safeguarding against them completely) is one of the best ways of ensuring that criminals do not get the upper hand.
Although there is ongoing contention between some cloud service providers and users over precisely who is accountable for their security, the simple fact is that if more people take are willing to take responsibility for ensuring that safeguards and contingencies are in place, then the cloud – and the Internet as a whole – will be a much safer place.