All new technologies introduce security concerns, from faulty applications, to faulty configurations, to users who are simply dangerous in the new environment. A cloud computing infrastructure is no different from the basic idea of being misused, by anyone for any reason. Not generally as well known though is that a cloud computing infrastructure can become a tool for terrorism as much as it can become a tool for intellectual property theft. This is just like any other system you have in your own data center and finding that there are bad things happening on your network. The bad part is that there is surprisingly there is little information available on how to spot and correct the misuse of your cloud computing infrastructure in relationship to a company being used for illegal operations.
Any cloud computing infrastructure can be misused, if not by employees, by hackers and others who get in to the system by any number of hacking methods. Cyberspace itself is nearly unpatrollable; tools for cloud computing security are starting to catch up – but still lack significant correlation and response processes. There is also a desire for some companies to be on the bleeding edge of technology implementing anything that is new and shiny without seriously reviewing the security implications of that new technology. There are also issues with law enforcement, data sharing with law enforcement, privacy, and a host of other legal issues that can creep in when any computer system is misused from a corporate environment. There are also international agreements on data monitoring, as well as more mundane privacy issues to contend with. All of these can lead to some very interesting events of actual detrimental misuse of a cloud computing system. The bad part is that we are not talking about it publicly, and we need to in the security field.
What is surprising though is that there is very little hard data about how cloud computing structures and services have been misused. There is little data that discusses hacking and discovery of cloud computing systems by hackers, or by criminals, or by terrorists, or insiders, or any of the other risks that are a general known in the computer security industry. There are only a small handful of articles on major breeches of cloud infrastructure (not the twitter hack, or other misnamed “cloud security” issues) that can send a false message of security. Making this more complex is that most of the global base of police forces are still technologically backwards (but catching up slowly) with the pace of technology. There is no one who at this point who has been certified as a cloud computing forensic specialist (that title doesn’t even exist). Trying to work out who is misusing the system, much like finding out if someone has left an open FTP system is going to rely on a series of archaic tools, security and systems administrators who are still unsure of the cloud, along with government, policing, and company resources that are still trying to catch up.
Crime has yet to make a major foray into cloud computing (although I do know for a fact that it is happening), nor has terrorism made it into the systems yet. This will change depending on how financing happens, and what kind of security is put in place to make sure that the crime is not easily uncovered. Dick Weisinger over at Formtek points out:
Security usually tops the lists of concerns that people have about the cloud. And now it seems like there is good reason. On a recent survey of 100 “elite” hackers at the 2010 Defcon conference, 96 of them said that the cloud offered up more opportunity for them to hack. 89 of them said that they thought that cloud providers weren’t being proactive enough in beefing up their security, and 45 of them admitted to already have engaged in cloud hacking, and 12 of them said that they hack for financial gain. Source: Formtek
Data sharing on how often and what severity of hacking activity is lacking because we do not truly differentiate between what was based in the cloud and what was not based in the cloud. The OSF Data loss repository nor Zone-H differentiates between a cloud hack, and just a normal hack. Although it is interesting to note that according to OSF – year to date only 29% of all data breaches were caused via electronic means. We are still our own worst enemy when it comes to document disposal, stolen laptops, and insider fraud.
Until we get a better idea of what is actually happening in cloud space (and the reason for doing my threat level presentation) was to determine exactly what the risks are. Criminals and Terrorists could technically use cloud space for a great many ways of sharing data or storing data. Including ensuring that only the right people have the right keys to the cloud system. Cloud hacking is a lucrative process, and there are many different ways of hacking a system into cloud space through the application layer. We need to start sharing more data with each other via any number of channels so that we can adequately address how these systems could be misused. Without data sharing, we are left with incomplete data, few if any reports on the use of cloud computing to support terrorism or crime. We are left with tantalizing snippets like from Defcon that sure it is happening, but we don’t know where it is happening. People working on a cloud deployment need to learn from people who have been there already and have been hacked to make sure that it does not happen to them.
(Cross-posted @ Managing Intellectual Property & IT Security)