Many commentators (including me) have called Cloud Computing the way of the future. Indeed, I still believe that is true; however, a new wrinkle has come up with regard to the cloud’s security.

The general security issues involved with cloud computing have been widely discussed. The cloud makes enormously lucrative targets for hackers, thieves and enemies. Cyber malefactors can easily see the potential in getting access to large centralized concentrations of data, often from multiple entities all in “one place.” Getting inside such a target has phenomenal incentives, and when they have sufficient incentives, the bad guys seem able to do almost anything.

Despite that, the huge benefits of cloud computing outweigh the dangers. It saves money; it simplifies each company's or agency's IT structure and personnel; heck, it’s even Green. It does this by taking large individual data centers out of population areas and putting them in places where energy is cheap and water for cooling is plentiful, which reduces the need for multiple centers. Then look at how the cloud can improve efficiency – keeping security upgrades current, giving access to the best apps, and making sure every customer has the computing power they need when they need it and not only when it is unused.

These last few benefits are where the problem comes up. It seems hackers are using the computing power of the cloud to do bad things. Instead of laboriously working through passwords trying to crack them, hackers have used cloud providers’ linked virtual networks to apply enormous computing power to break the codes. They have also used cloud providers to form botnets for Distributed Denial of Service (DDoS) attacks and spam distribution.

The problem with freedom is that everyone gets to use the good stuff, both the good guys and the bad. There are some who have called for shutting down clouds (such as Google’s) until we sort this out. That is absurd, and it will never happen. The key lies in securing the cloud.

I have said before that cloud provider companies are the main center of gravity. If they are strong, capable and vigilant, cloud computing will greatly enhance the cyber world. If they are weak, incompetent and lazy, the results will be disastrous. Some of my previous postings have called for cloud customers to be extra careful and ensure they check their provider’s capabilities, strengths and weaknesses. Today, I am calling for a preemptive effort by big provider companies to set standards so their clouds are not misused by bad guys. It will be a tough job policing customers, and it might even cost money. If they don’t do it independently, however, we’ll have legislation that will undoubtedly be more onerous and less effective.

Cloud customers, you still need to watch to whose cloud you entrust your data and application, but providers, you need to be sure of who you allow to join your cloud community. This is not a time to be greedy or competitive; early on, we must be cognizant of the cost we will pay if we allow the benefits of cloud computing to be hijacked by the bad guys.

Dr. Steven Bucci is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He was previously a lead consultant to IBM on cyber security policy. Bucci’s military and government service make him a recognized expert in the interagency process and defense of U.S. interests, particularly with regard to critical infrastructure and what he calls the productive interplay of government and the private sector.
  • Have you considered the solution to some of the key security problems – the Empty Client model of Visual WebGui…which proclaims itself to be un-hackable?

  • Excellent points. Having a more trusted community is a start, we'll also need smarter clouds that can detect this kind of behavior and immediately report who the bad guys are to other clouds to deny them service….like an instant Cloud Blacklist.