Why the Cloud is a Security Nightmare

Thursday, January 27, 2011

Dan Dieterle

Many large software companies are offering “Cloud” services now. Amazon, Google and Microsoft are just a few of the big name ones.

The benefits are obvious: lower IT costs, access to more apps, improved availability and disaster recovery. But just how secure is cloud computing?

When you host your own network, you know the security policies and procedures you use to protect your data.

But what about trusting someone else with your mission critical data? Is it a good idea?

A Harris Poll from last year showed that many Americans do not trust the Cloud:

“One of the main issues people have with cloud computing is security. Four in five online Americans (81 percent) agree that they are concerned about securing the service. Only one-quarter (25 percent) say they would trust this service for files with personal information, while three in five (62 percent) would not."

"Over half (58 percent) disagree with the concept that files stored online are safer than files stored locally on a hard drive and 57 percent of online Americans would not trust that their files are safe online.”

In a poll of about 14,000 last month, when asked “Would you trust an online hard drive?”, over 88% said no.

And then there have been data breaches. The large software companies have been under constant barrage by hackers and the hackers have been successful. Google, Yahoo and many other companies were targeted in “Operation Aurora”.  

During the attack hackers stole a program from Google that controls access to most of their programs:

"The stolen password system was called Gaia, a reference to the Greek goddess of earth, according to the Times. Besides e-mail, Gaia also governed access to the online services that Google sells to businesses, government agencies and schools."

It just makes sense that, with companies moving to the cloud, hackers will focus more of their attention on attacking it.

And if they can compromise cloud based systems, chances are they will have access to the data of multiple corporations instead of just one.

And hackers will leverage the power of the cloud themselves to attack government and enterprise encrypted systems. Recently, it was shown that WPA encryption could be cracked using the computing power of the cloud.

Hackers have been successful in attacking the cloud. In May of last year, the Treasury Department shut down 4 cloud hosted sites: “The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected.”

And just recently a Chinese Trojan was detected that disables cloud based anti-virus.

With all of these concerns about the cloud, why would so many companies be moving to embrace it?

Speed and Price is the Answer

According to the recent IT World article titled “The straight talk on IT’s new directions”, the times are changing:

"The simple truth is that the focus on the back office — IT’s traditional domain — is over. Companies are tired of paying for what they view as plumbing. Any consideration in the executive suite about the back office and infrastructure is all about making do and cost-cutting. Virtualization and private clouds are investments meant to accomplish this reduction — they’re not new gold mines to enrich IT’s importance."

As a majority of manufacturing jobs have left American shores for cheaper labor costs in China, the same mentality is true with IT. We have seen continuous cut backs across the nation in IT staffing.

IT workers once considered mission critical are now considered to be overhead. The draw to the cloud is clear for executives: why keep full time hardware and staff onsite when you can just outsource for a fraction of the cost?

Also, with the cloud, you can have access to powerful systems that many companies could not afford otherwise. Scientists and engineers will enjoy the added power at their disposal. Last year a record was set in Mathematics by using the cloud. Even NASA has its own Cloud Computing platform.

There are great security risks in the cloud. But the speed and cost savings are just too tempting. Soon, cloud computing will be the norm and not the exception.

So to borrow a quote from Naval history, with cloud computing it seems to be “Damn the torpedoes, full speed ahead!”

Cross-posted from Cyber Arms

Patrick Sweeney: Dan - Did you miss the "Cloud is good" Kool-Aid party, or what? Your comments reveal some very clear-thinking, of a sort that seems to be missing from the far too many discussions on the topic.

- Patrick
Dan Dieterle: lol, thanks Patrick!
Security in the cloud seems to be an oxymoron. It does not seem to be the most secure choice for our businesses, but that has never stopped us before!
Paul Gillin: We're in that typical early stage of adoption in which security is thrown to the wind in the name of everyone piling onto the hot new thing. Then the IT department gets handed a mess to straighten out. Authentication really has to be rethought in light of these external services.

Interesting article: http://www.theinfoboom.com/articles/study-cloud-breaches-show-need-for-stronger-authentication/
Dan Dieterle: Paul - Right on, and it's just not the cloud, you also have a large move for smart phone access too.

IT departments are going to have to leverage all of these new connectivity devices and services with fewer staff members.

Thanks for the link, excellent article!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.