Dark Cloud Rising: Cloud Services are Becoming the Attackers' Preferred Target
The largest Cloud providers today are Google, Microsoft, and Amazon; each offering multiple services and platforms for their respective customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs, Acrobat.com, and Microsoft Office 365 all provide basic word processing, spreadsheets and other applications for individuals to use via the Web instead of on their individual desktop. Then of course there’s social networks, online gaming, video and music sharing services - all rely on a hosted environment that can accommodate millions of users interacting from anywhere on Earth yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:
- The cloud provider is not responsible for securing its customers’ data
- Attacking a cloud-based service provides an economy of scale to the attacker
- Mining the Cloud provides a treasure trove of information for domestic and foreign intelligence services.
No Security Provisions
A Ponemon Institute  study on Cloud Security revealed that 69% of Cloud users surveyed said that the providers are responsible, and the providers seemed to agree, however, when you review the terms of service for the world’s largest cloud providers, responsibility for a breach of customer data lies exclusively with the customer. For example:
- From Amazon : “Amazon has no liability for .... (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.”
- From Google : “Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third party claim: (i) regarding Customer Data...”
- From Microsoft :“Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”
Not only do none of the three top cloud providers assume any responsibility for data security, Microsoft goes one step further and places a legal burden upon its customers that it refuses to accept for itself.
An Economy of Scale
NASDAQ’s Directors Desk is an electronic boardroom cloud service which stores critical information for over 10,000 board members of several hundred Fortune 500 corporations. In February, 2011 , an un-named federal official revealed to the Wall Street Journal’s Devlin Barrett that the system had been breached for more than a year. It’s unknown how much information was compromised as well as how or when it will be used. From an adversary’s perspective, this type of breach offers an economy of scale has never been seen before. In the past, several hundred Fortune 500 companies would have to be attacked, one company at a time, which costs the adversary time and money not to mention risk. Now one attack can yield the same amount of valuable data with a significant reduction in resources expended as well as risk of exposure.
An Open Source Intelligence Goldmine
China’s national champion firm Huawei is moving from selling telecommunications network equipment towards developing Infrastructure-as-a-Service software (the Cloud stack) needed to provide a highly scalable public cloud like Microsoft's Azure or Amazon's EC2. If it sells IaaS with the same strategy that it uses in selling routers and switches, Amazon, Google, and Microsoft can expect to begin losing a lot of enterprise business to Huawei who will cut pricing by 15% or more against its nearest competitor. Cloud customers can expect their data to reside in giant state-of-the-art server farms located in Beijing’s “Cloud Valley”; a dedicated 7800 square meter industrial area which is home to ten companies focusing on various aspects of Cloud technology such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.
Cloud computing has been designated a strategic technology by the Peoples Republic of China’s State Council in its 12th Five Year plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.
According to the US-China Council website , MIIT was created in 2008 and absorbed some functions from other departments including COSTIND (Commission of Science, Technology, and Industry for National Defense):
“From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations, as well as R&D and production relating to "defense conversion"--the conversion of military facilities to non-military use.”
Clearly, the PRC has made a serious commitment to Cloud Computing for the long term. This doesn't portend well for today's private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft; especially if buying decisions are made on price.
The move to the Cloud is both inevitable and filled with risk for high value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others. To make matters more complicated, cloud providers may move data to different server farms around the world rather than keep it in the same country as the corporation or individual which owns it. That could potentially put the customer’s data at risk for being compromised legally under foreign laws which would apply to the host company doing business there. For example, Microsoft UK’s managing director Gordon Frazier was recently asked at the Office 365 launch: “Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances - even under a request by the Patriot Act?” Frazier replied: “Microsoft cannot provide those guarantees. Neither can any other company.”
The best advice for individuals and companies at this time is to insist that cloud providers build a measurably secure infrastructure while providing legal guarantees and without the use of foreign data farms. Until that occurs, and it's highly unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.
1 The Ponemon Institute, “Security of Cloud Computing Providers Study” April 2011
2 The Amazon Web Services (AWS) agreement available on Amazon.com
3 Google Apps for Business Online Agreement
6 The US-China Business Council website, “12. Ministry of Industry and Information Technology (MIIT)”