5 lessons from dark side of cloud computing

Companies tapping into virtual infrastructure through cloud computing should take another look at their security plans, say experts at the Black Hat Security Conference. From legal protection to phishing, here are five cloud security issues to consider.

While many companies are considering moving applications to the cloud, the security of the third-party services still leaves much to be desired, security experts warned attendees at last week's Black Hat Security Conference.

The current economic downturn has made cloud computing a hot issue, with startups and smaller firms rushing to save money using virtual machines on the Internet and larger firms pushing applications such as customer relationship management to the likes of Salesforce.com. Yet, companies need to be more wary of the security pitfalls in moving their infrastructure to the cloud, experts say.

"Guys at the low end are using (cloud infrastructure) to save money, but the danger is that the guys at the top end start to use it without any auditing," says Haroon Meer, technical director at security firm SensePost, who discussed his team's research into some aspects of Amazon's Elastic Compute Cloud (EC2) at the Black Hat security conference.

[ For timely data center news and expert advice on data center strategy, see CIO.com's Data Center Drilldown section. ]

Their experiments showed that companies frequently do not scan the third-party machine instances available from some providers. A malicious instance could easily be created as a Trojan horse to gain access to a company's internal network, Meer said.

With those pitfalls in mind, here are five lessons from the presentations at Black Hat.

1. Cloud offers less legal protection

Companies need to realize that data in the cloud is subject to a lower legal standard in terms of search and seizure. The government, or an attorney focused on discovery, may be able to subpoena the data without a search warrant.

Cloud providers are more concerned with protecting themselves and not the client, says Alex Stamos, a principal security consultant at iSec Partners, so don't expect the legalese in service agreements to favor your company.

"All of these (cloud-services) companies have very active and very well-trained legal departments," Stamos said. "And as a result, the agreements you agree to when you sign up for these services, basically promise you absolutely nothing."

If someone breaks in because of the provider's mistake, the client agrees not to hold the firm responsible. If there is a data loss because of a data center failure, the provider are not obligated to do anything for you, Stamos says.

It would be nice, he adds, if there were language that said they will attempt to help you.

"It would be nice if they had language in there that said if there is a security breach, we will try to give you a hand up," he says. "This seems to be where there is a disconnect between the cold heartless world of the lawyers, and the nice warm security (ethics) of the company."

2. You don't own the hardware

Companies who want to audit their providers and do their own testing need to remember that they don't own the hardware. Conducting a vulnerability scan or a penetration test requires the explicit permission of the cloud-service provider, Stamos warns. Otherwise, the client is hacking the providers' systems.

While some service agreements, such as Amazon's, specify that the client can conduct testing of their software running on the provider's systems, getting explicit permission is key, he says.

"The recommendation ... is that, if you are asked to pen-test applications in the cloud, they (the legal experts) recommend that you get permission from someone at the company," he said. "Because certainly, by the letter of the law the legal ownership of those machines is very important."

3. Strong policies and user education required

While cloud computing offers companies immense benefits, such as allow access to data from anywhere and removing maintenance headaches from the IT staff, the always-on service also means that phishing attacks that hit workers at home could threaten the company.

Thus, educating users about the dangers, not only to themselves but to their company, is key, said iSEC's Stamos.

"It is very difficult to teach all the non-technical users in your company about how to not be phished, but the fact of the matter is, with software-as-a-service, phishing attacks are going to be something that stops being a personal issue and starts becoming a enterprise-wide security issues," he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitycloud computing

More about Amazon Web ServicesC2etworkSalesforce.comSEC

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert Lemos

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place