Why cloud services are a tempting target for attackers

Jeffrey Carr on the significant and escalating risks of hosting data with cloud providers.

The largest cloud providers today are Google, Microsoft, and Amazon, each offering multiple services and platforms to its customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs, Acrobat.com, and Microsoft Office 365 all provide basic word processing, spreadsheets, and other applications that individuals use via the web instead of on their own desktops. Then, of course, there are social networks, online gaming, and video and music sharing services, all of which rely on a hosted environment that can accommodate millions of users interacting from anywhere on earth, yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:

  • The cloud provider is not responsible for securing its customers’ data.
  • Attacking a cloud-based service provides an economy of scale to the attacker.
  • Mining the cloud provides a treasure trove of information for domestic and foreign intelligence services.

No security provisions

A Ponemon Institute study on cloud security found that 69% of the cloud users surveyed said the providers are responsible for securing customer data, and the providers seemed to agree. The terms of service of the world's largest cloud providers tell a different story: each one disclaims liability for a breach of customer data, which leaves the consequences of a breach with the customer.

For example:

  • From Amazon: “Amazon has no liability for … (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.”
  • From Google: “Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third-party claim: (i) regarding Customer Data…”
  • From Microsoft: “Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”

None of the three top cloud providers accepts liability for the security of customer data, and Microsoft goes one step further by placing on its customers a legal burden that it declines to accept for itself. Note that the Microsoft clause concerns misuse of the customer's own password or account, so in practice a customer's exposure under it depends on how well those credentials are protected.

An economy of scale

NASDAQ’s Directors Desk is a cloud-hosted electronic boardroom service that stores sensitive information for more than 10,000 board members of several hundred Fortune 500 corporations. In February 2011, an unnamed federal official told the Wall Street Journal’s Devlin Barrett that the system had been breached for more than a year. How much information was compromised, and how or when it will be used, is unknown.

From an adversary’s perspective, this type of breach offers an economy of scale that was previously unavailable. In the past, an adversary would have had to attack several hundred Fortune 500 companies one at a time, at a cost in time and money and with a risk of exposure at every step. Now a single intrusion into the shared service can yield the same volume of valuable data for a fraction of the resources and a fraction of the risk.

An intelligence goldmine

China’s national champion firm Huawei is moving from selling telecommunications network equipment toward developing the Infrastructure-as-a-Service (IaaS) software needed to provide a highly scalable public cloud like Microsoft’s Azure or Amazon’s EC2. If it sells IaaS with the same strategy it uses for routers and switches, undercutting its nearest competitor’s pricing by 15% or more, Amazon, Google, and Microsoft can expect to start losing a lot of enterprise business to Huawei. Customers of such a service can expect their data to reside in giant state-of-the-art server farms located in Beijing’s “Cloud Valley,” a dedicated 7,800-square-meter industrial area that is home to 10 companies focusing on various aspects of cloud technology, such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.

Cloud computing has been designated a strategic technology by the People’s Republic of China’s State Council in its 12th Five-Year Plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.

According to the U.S.-China Council website, MIIT was created in 2008 and absorbed some functions from other departments, including the Commission of Science, Technology, and Industry for National Defense (COSTIND):

From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies, such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations as well as R&D and production relating to “defense conversion” — the conversion of military facilities to non-military use.

Clearly, the PRC has made a serious long-term commitment to cloud computing. This doesn’t bode well for today’s private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft, especially if buying decisions are based on price.

What to consider

The move to the cloud is both inevitable and filled with risk for high-value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others.

To make matters more complicated, cloud providers may move data to server farms around the world rather than keep it in the same country as the corporation or individual that owns it. That potentially exposes the customer’s data to lawful access under the laws of whatever country the host company does business in. For example, Microsoft UK’s managing director Gordon Frazier was asked at the Office 365 launch in June 2011, “Can Microsoft guarantee that EU-stored data, held in EU-based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?” Frazier replied, “Microsoft cannot provide those guarantees. Neither can any other company.” Before committing sensitive data to a provider, ask where it will be stored, where it may be replicated, and under which jurisdictions’ lawful-access requests the provider will hand it over.

The best advice for individuals and companies at this time is to insist that cloud providers build measurably secure infrastructure, back it with legal guarantees, and keep data out of foreign data farms. Until that occurs, and it is unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.

Inside Cyber Warfare, 2nd Edition — Jeffrey Carr’s second edition of “Inside Cyber Warfare” goes beyond the headlines of attention-grabbing DDoS attacks and takes a deep look inside recent cyber-conflicts, including the use of Stuxnet.

  • Brian

    Untrue report. Not well researched.

  • Gilad (http://www.porticor.com)

    Interesting. You could also try a solution like Porticor which actually solves many of the trust and patriot-act related issues in the cloud of your choice.
    http://www.porticor.com/

  • Jason (http://www.perfectsneaker.com)

    Thanks Jeffrey Carr! Good post

  • Eddie

    This is one of the best articles / blog posts I’ve read about cloud computing in the past year or two. Among other things, the info about China and “Cloud Valley” in Beijing is very interesting and I appreciate the author bringing it to our attention. It’s also nice to see a balanced article like this that describes the risks (instead of the often seen biased articles that mostly discuss only the upsides and potential of the cloud). The concept of the cloud has been around for decades, and even though it’s getting less expensive to try things out, such as due to the economies of scale from the Amazons, Googles and Microsofts of the world, this doesn’t mean that legacy Fortune 500 is going to rush to the cloud suddenly (what’s the reason if their legacy is still working and they’re profitable?). Furthermore, even for startups and entrepreneurs, owning some bare metal and getting some training wheels on said bare metal I think is an excellent idea before breaking out the credit card and becoming a tenant on someone else’s turf (even if it means getting some hands-on experience with, say, hypervisors on one’s own multi-core desktop tower workstation).