When Clouds Attack: 5 Ways Providers Can Improve Security
Cloud computing service providers like Amazon need to worry about their massive compute power being used for illicit attacks, security researchers say. What security measures can stop the cloud from becoming a criminal's paradise?
Wed, September 08, 2010
CIO — Criminals intent on attacking others can lease networks of compromised computers, or botnets, from other criminals serving the underground community. These resources could be considered "clouds" in their own right, but researchers warn that that operators of legitimate clouds need to worry about being used for illicit attacks as well.
In a presentation at the DEFCON hacking conference in August, two researchers did just that. David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual servers to attack a small financial company—a client that wanted to test its security against just such an attack. Rather than renting a botnet from criminals, the researchers used Amazon's Elastic Computing Cloud (EC2) to rent less than a dozen virtual servers to overwhelm the target's network with traffic.
The researchers claimed there was no indication that Amazon detected the attack and called for all cloud providers to take more care in monitoring how their resources are used.
"Lets get ahead of this before it turns into the Wild West," says Trustwave's Bryan.
[In the cloud, what's the security responsibility of the customer, not the cloud service provider? See CIO.com's Cloud Computing's Top Security Risk: How One Company Got Burned. ]
While Amazon may not have caught these particular security researchers, the company asserts that catching the bad guys will be much easier in the cloud.
"Illegal activities across the Internet have been commonplace long before the cloud," Amazon said in a statement sent to CIO.com. "Abusers who choose to run their software in an environment like Amazon EC2, make it easier for us to access and disable their software. This is a significant improvement over the Internet as a whole where abusive hosts can be inaccessible and run unabated for long periods of time."
Yet, companies have to monitor their own cloud space for such usage.
Here's a look at some of the security strategies that Amazon and its peers are taking now to improve cloud security.
1. Easy for customers, easy for attackers
Making cloud resources easy to use for customers or internal clients is good business. Yet, those same benefits can easily extend to attackers, says Archie Reed, chief technologist for Secure Advantage and Cloud Security at Hewlett-Packard (HPQ).
"All the benefits that we subscribe to cloud, especially the public cloud services—the relatively low cost, instant provisioning, and the ability to access anywhere and any time—all of those benefits can be taken over by someone with the knowledge and the will," Reed says.