Virtualization and cloud computing haven’t eroded the online security of most companies, analysts say. But they may be contributing to situations in which IT-service customers leave themselves vulnerable to attack because they assume their cloud provider is taking care of security.
“Security and cloud hosting are two separate things, but the cost of entry is so low, and often so simple, that customers may not do as much due diligence as they should to find out who’s responsible for security,” says Ezra Gottheil, an analyst who covers server issues for Technology Business Research.
Placement of responsibility for security in cloud computing arrangements is so ill-defined that Gartner, in a report released this week, felt it necessary to list both access to information about how a cloud service works and a service level agreement spelling out customer expectations and requirements.
In March, research from the Cloud Security Alliance listed customer ignorance of security practices—and service providers’ refusal to give information to relieve it—among the seven top security risks in cloud computing. According to the Cloud Security Alliance’s research, cloud projects and the risks they entail may be “complicated by the fact that cloud deployments are driven by anticipated benefits, [and] by groups who may lose track of the security ramifications.”
The nature of the cloud computing business means many customers or potential customers have no idea how exposed they really are when they put a website or other corporate application on someone else’s hardware, says Josh Corman, analyst for The 451 Group.
Chris Drake, CEO of FireHost, a cloud services provider that hosts and secures customers’ applications, agrees that most cloud and website hosting customers assume their provider is responsible for keeping their site safe even though that’s not always the case.
How One Cloud Computing Customer Got Burned
One of FireHost’s recently acquired customers, LawLeaf, a web-based financial services company that finds loans for people trying to finance the cost of lawsuits they’re filing, left its previous web hosting vendor, BlueHost, after an attack that almost put LawLeaf out of business.
LawLeaf Managing Director Tim Burke says he started the company in 2007 “with nickels” as a sideline to his main job selling member-management software to non-profit companies. He originally chose BlueHost to house LawLeaf.com because of awards the hosting company had won and because of its flat $6.95/month service plan. Burke says that he had been “pretty happy” with BlueHost’s service until LawLeaf.com started to go down at the beginning of the year.
In January, LawLeaf.com was hit with a SQL injection attack that compromised the PHP code that generates many of its pages. The infection caused the site to crash frequently and, worse, force-downloaded malware on unsuspecting users. By February, the site was crashing twice a week. By March it crashed every day, Burke says.
The malware downloads earned LawLeaf warnings from Google that the site would be banned from search results if LawLeaf didn’t fix the problem, says Burke.
Since most of LawLeaf’s leads come through its website—not to mention from ads and Google search terms Burke buys to promote LawLeaf—the frequent site crashes cut its flow of business and hurt its credibility.
“We were losing a lot of leads because the site was down, so that was thousands [of dollars lost] every day. But what I was most worried about was lawyers who refer people to our service,” Burke says. “People send confidential documents through us, and lawyers refer clients to us for funding, so if our site is getting hacked all the time, it doesn’t inspire confidence that we’re someone they can trust.”
Fortunately for LawLeaf, those documents travelled by e-mail, which was never compromised. Nevertheless, the company’s reputation took a major hit every time the site crashed, Burke says.
Burke notes that BlueHost notified him when the site went down and did some initial analysis to make sure the problem wasn’t in its servers. He says the provider never went any further to fix the problem.
“They just kept telling us to get rid of the virus or whatever and close our pages,” Burke says. “We did that, many times, but the site kept crashing.”
BlueHost, which focuses on low-cost hosting for consumers and small businesses and doesn’t offer services more sophisticated than its basic $6.95 per month service, did not respond to repeated requests for comment.
With LawLeaf.com’s problems unresolved, Burke switched to FireHost, which promised to prevent future attacks or clean up after them. Burke says he pays about $400 per month for the service. When FireHost took over LawLeaf.com, the web hosting company took apart LawLeaf’s PHP-based pages and cleaned out the problem code.
“LawLeaf had actually done a good job of closing up the PHP pages, but there was a ton of SQL injection code still in the database,” FireHost CEO Drake says.
Burke, who says he offered to pay BlueHost more for better service, still thinks BlueHost was responsible for his site’s security—and for fixing the malware problem.
Despite BlueHost’s promises of 99.5 percent uptime and round-the-clock reliability, the company may not have been as liable for LawLeaf.com’s security problems as it appeared to Burke. Says Technology Business Research analyst Gottheil, “I’m not sure [of] the mechanism in this case, but SQL injections often come in through Web pages themselves, which would be the customer’s responsibility, whether they knew that or not.”
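The two points above, that injection arrives through the customer's own page code and that payloads can persist in the database after the pages are patched, can be shown with a small added example (not code from the article, LawLeaf, or FireHost). It assumes a constructed in-memory "pages" table, a hypothetical page-lookup parameter called slug, and a constructed injected script tag in one stored row.

```python
import re
import sqlite3

# Constructed sample data: a tiny content table a dynamic site might render
# from, with one row already carrying injected markup.
SAMPLE_ROWS = [
    (1, "home", "<p>Welcome to our loan service.</p>"),
    (2, "faq", "<p>FAQ</p><script src='http://example.invalid/m.js'></script>"),
]

# Matches a script or iframe element stored in page content (assumed pattern).
INJECTED_MARKUP = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1>", re.I | re.S)


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con, slug):
    # String-built query: the page code itself is the injection point, which
    # is why this falls on the customer's side of the line, not the host's.
    sql = "SELECT body FROM pages WHERE slug = '%s'" % slug
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, slug):
    # Parameterised query: the slug is passed as data and can never become SQL.
    return [row[0] for row in con.execute("SELECT body FROM pages WHERE slug = ?", (slug,))]


def find_injected(con):
    """Return (id, slug) of rows whose stored content carries injected markup."""
    return [(i, s) for i, s, b in con.execute("SELECT id, slug, body FROM pages")
            if INJECTED_MARKUP.search(b)]


def clean_injected(con):
    """Strip injected script/iframe tags from stored rows; returns rows changed."""
    changed = 0
    for row_id, body in con.execute("SELECT id, body FROM pages").fetchall():
        cleaned = INJECTED_MARKUP.sub("", body)
        if cleaned != body:
            con.execute("UPDATE pages SET body = ? WHERE id = ?", (cleaned, row_id))
            changed += 1
    con.commit()
    return changed
```

Fixing the page code (lookup_safe) stops new injections, but find_injected and clean_injected are still needed because rows already poisoned keep serving the payload to every visitor until the stored content is cleaned.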
The LawLeaf/BlueHost case exemplifies why cloud computing customers need to get clear on who’s responsible for security.