Security of Cloud Services Challenged

Security researchers have recently thrown up new ways of attacking corporate data stored with the increasingly popular “cloud” services. This will undoubtedly add to concerns about the much-vaunted technology and deter many major enterprises from adopting it. If your company is already using these services, or is contemplating doing so, it would pay to consult professionals in Internet security and computer forensics who can map out your firm’s vulnerabilities for you. How susceptible are your operations to cyber hacking and unauthorised access? Are your encrypted files and passwords really safe? What should you do to stay ahead of the game?

The Financial Times (August 3) highlighted how a presentation at the Black Hat USA security conference in Las Vegas at the end of July showed how users of Amazon’s Elastic Compute Cloud (EC2) services were tricked into utilising virtual machines that could have included “back doors” for snooping. Another presentation criticised Amazon and Microsoft for relying on insecure methods for granting access to their sites after users claimed to have forgotten their passwords.

These sorts of developments help illustrate why off-site computing power, data storage and software have not matured to the level that the largest potential clients would require. Gartner security analyst John Pescatore has pointed out that the security of these cloud-based infrastructure services is like Windows in 1999: “It’s being widely used and nothing tremendously bad has happened yet. But it’s just in the early stages of getting exposed to the Internet, and you know bad things are coming.”

Pescatore predicts that at least until 2013, companies will spend more money on in-house virtualisation, in which several virtual machines run side by side on the same physical hardware, than on outsourcing their computing functions. By then, cloud computing companies will have to not only be more secure, but prove that they are.

One big problem is that many of the companies offering to host, analyse and process information remotely have business models developed to deal with consumers, not businesses. Most either cannot or will not make millions of users jump through hoops, for example when they have lost their passwords. Some free email services or social networking sites just send passwords to an alternate electronic address, which could be hacked, or ask security questions the answers to which are on the victim’s Facebook or MySpace pages.

As smartphones proliferate, hackers too are investing more time in devising methods for breaking into them. A number of new techniques were detailed at the Black Hat conference. One would have allowed outsiders to take control of Apple’s iPhone through a series of SMS messages containing binary code.

The broader issue is that people trust communications to their phones more than emails to their computers, and that trust is now being exploited to an increasing degree.

Make sure that in your company you know what your staff are doing. If you call in an expert forensic team you’ll not only find out what’s going on but can have your employees briefed at the same time.

The Black Hat talk was entitled, “Cloud Computing Models and Vulnerabilities: Raining on the Trendy Parade”, by Alex Stamos, Andrew Becherer and Nathan Wilcox.