When clouds attack: 5 ways providers can improve security

Private, public are all up for grabs

Criminals intent on attacking others can lease networks of compromised computers, or botnets, from other criminals serving the underground community. These resources could be considered "clouds" in their own right, but researchers warn that operators of legitimate clouds need to worry about being used for illicit attacks as well.

In a presentation at the DEFCON hacking conference in August, two researchers did just that. David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual servers to attack a small financial company--a client that wanted to test its security against just such an attack. Rather than renting a botnet from criminals, the researchers used Amazon's Elastic Compute Cloud (EC2) to rent fewer than a dozen virtual servers to overwhelm the target's network with traffic.

The researchers claimed there was no indication that Amazon detected the attack and called for all cloud providers to take more care in monitoring how their resources are used.

"Let's get ahead of this before it turns into the Wild West," says Trustwave's Bryan.


While Amazon may not have caught these particular security researchers, the company asserts that catching the bad guys will be much easier in the cloud.

"Illegal activities across the Internet have been commonplace long before the cloud," Amazon said in a statement sent to CIO.com. "Abusers who choose to run their software in an environment like Amazon EC2, make it easier for us to access and disable their software. This is a significant improvement over the Internet as a whole where abusive hosts can be inaccessible and run unabated for long periods of time."

Yet, companies have to monitor their own cloud space for such usage.

Here's a look at some of the security strategies that Amazon and its peers are taking now to improve cloud security.

1. Easy for customers, easy for attackers

Making cloud resources easy to use for customers or internal clients is good business. Yet, those same benefits can easily extend to attackers, says Archie Reed, chief technologist for Secure Advantage and Cloud Security at Hewlett-Packard.

"All the benefits that we subscribe to cloud, especially the public cloud services--the relatively low cost, instant provisioning, and the ability to access anywhere and any time--all of those benefits can be taken over by someone with the knowledge and the will," Reed says.

Rather than deciding to shut down a possible customer based on incomplete information, HP opts for a less black-and-white choice. Instead of blocking a potentially malicious user, the company's technology throttles back that user's bandwidth.

"We are working with customers to detect suspicious behavior and perhaps slow things down so the customer can react faster," Reed says. "You don't want to shut your customers down, but you don't want to be the host for bad behavior either."

2. Design security in from day one

The denial-of-service attack leveled by Trustwave and NetSPI researchers peaked at a modest 150 megabits per second. Over two hours, the duo sent about 10 gigabits of data, which cost them less than six dollars.

Such abuse should have been detected, they maintain.

While Amazon could not comment about the specific incident, the company did say that it's important to design security into the cloud--something that its engineers continue to do.

"There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation that companies have become accustomed to in their existing privately-owned environments," the company says in its statement.

3. It's all in the logs

One technology that all companies should have invested in by now is log management. In a recent Data Breach Investigations Report, Verizon Business found that attacks on businesses are reflected in log data more than 90 percent of the time, but less than 5 percent of companies monitor their data often enough to detect the attacks.

"Implementing log management is important for everyone, especially in your data centers," says Raffael Marty, founder and chief operating officer of cloud-based log-management firm Loggly. "You have to have a handle on what's happening, not just for your SLA (service level agreement) but for security as well."

Cloud providers, such as Amazon, should also develop technologies to quickly act on information gleaned from their logs, he says.
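
The following is an added example, not code from the article or from any provider: it shows one way to act on egress logs with the graduated response Reed describes, throttling sustained high-volume traffic to a single destination and only observing a one-off burst. The log format, tenant and instance names, addresses, window size and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_S = 60          # aggregation window in seconds (assumed)
LIMIT_MBPS = 100.0     # per-tenant, per-destination egress ceiling (assumed)
SUSTAINED_WINDOWS = 2  # consecutive windows over the limit before throttling

# Constructed sample records: epoch_second tenant instance dest_ip bytes_out
SAMPLE_FLOWS = """\
0 tenant-a i-01 198.51.100.7 600000000
0 tenant-a i-02 198.51.100.7 650000000
0 tenant-a i-03 198.51.100.7 640000000
0 tenant-b i-10 203.0.113.9 40000000
60 tenant-a i-01 198.51.100.7 610000000
60 tenant-a i-02 198.51.100.7 630000000
60 tenant-a i-03 198.51.100.7 620000000
60 tenant-b i-10 203.0.113.20 900000000
"""

def parse(text):
    """Yield (window, tenant, instance, dest, bytes); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]) // WINDOW_S, parts[1], parts[2], parts[3], int(parts[4])
        except ValueError:
            continue

def review(text):
    """Return {(tenant, dest): finding} for traffic that exceeded the limit."""
    volume = defaultdict(int)   # (tenant, dest, window) -> bytes sent
    sources = defaultdict(set)  # (tenant, dest) -> instances involved
    for win, tenant, inst, dest, nbytes in parse(text):
        volume[(tenant, dest, win)] += nbytes
        sources[(tenant, dest)].add(inst)
    hot = defaultdict(dict)     # (tenant, dest) -> {window: Mbps over limit}
    for (tenant, dest, win), nbytes in volume.items():
        mbps = nbytes * 8 / WINDOW_S / 1e6
        if mbps > LIMIT_MBPS:
            hot[(tenant, dest)][win] = mbps
    findings = {}
    for key, wins in hot.items():
        # Sustained = some run of SUSTAINED_WINDOWS back-to-back hot windows.
        sustained = any(all(w + k in wins for k in range(SUSTAINED_WINDOWS)) for w in wins)
        findings[key] = {"action": "throttle" if sustained else "observe",
                         "peak_mbps": round(max(wins.values()), 1),
                         "instances": len(sources[key])}
    return findings
```

With the sample data, tenant-a's three instances are flagged for throttling, while tenant-b's single one-minute burst is only marked for observation, so a legitimate bulk transfer is not cut off on incomplete information.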

4. Scale security, not just computation

A major benefit of cloud computing is that large operators can provide virtual systems at a low cost, taking advantage of economies of scale. However, providers also have to use that same scalability to better protect their resources, says Amazon.

"The same economies of scale that enable us to provide elastic capacity at low cost enable us to build effective, scalable protection," the company says.

Amazon is able to invest significantly more money in security than other companies who might not have the same economies of scale. Using the company's APIs, a security or operations officer can identify every machine instance running in the cloud.

5. Watch for good customers turned bad

One of the most common attacks on cloud systems is account hijacking, according to the Cloud Security Alliance. In its March 2010 report on the top threats to cloud computing, nefarious use of cloud resources was the No. 1 danger. Rounding out the six listed threats, however, was misuse of accounts by attackers.

HP's Reed recommends that all cloud providers use two-factor authentication to limit the success of account hijacking attempts.

"There is a general level of protection that cloud providers need to put in place to protect their own infrastructure and brand," Reed says. "Now that attackers know that you can get, not just a book from Amazon, for instance, but a whole computing environment, those accounts become a target."


Robert Lemos

CIO (US)