IT security problems shift as data moves to 'cloud'

Jun 24, 2012 by Rob Lever
A "Secure Cloud Storage" drive is pictured at the CeBIT, the world's biggest IT fair, in 2011 in Hanover, central Germany. The Internet "cloud" has become the hottest topic in computing, but the trend has created a new range of security issues that need to be addressed.

The Internet "cloud" has become the hottest topic in computing, but the trend has created a new range of security issues that need to be addressed.

The cloud is associated with things like personal emails and music which can be accessed on computers and a range of mobile devices.

But the US military and government agencies from the CIA to the Federal Aviation Administration also use cloud systems to allow data to be accessed anywhere in the world and save money -- and, ostensibly, to enhance security.

Microsoft, Google, Amazon and others are major players in the cloud, which seeks to transfer some of the data storage issues to more sophisticated data centers. Firms like Oracle, SAP and Salesforce.com offer cloud services for business.

Strategy Analytics forecasts US spending on cloud services to grow from $31 billion in 2011 to $82 billion by 2016.

But some experts say security implications of the cloud have not been fully analyzed, and that the cloud may open up new vulnerabilities and problems.

"If past is prologue I don't think any system is absolutely secure," said Stelios Sidiroglou-Douskos, a research scientist at the Massachusetts Institute of Technology's Computer Science and Artificial Intelligence Laboratory.

"The analogy most people give is having a lock on your door. It's not a guarantee no one will break in, but it's a question of how much time it will take, and if your lock is better than your neighbor's."

In a cloud environment, "this makes the job of the attacker so much harder, which means the amateur hacker might be obsolete," said Sidiroglou-Douskos, who is working on a US government-funded research project to develop "self-healing" clouds.

POTENTIAL GOLD MINE FOR CYBERCRIMINALS

But if a system is breached, analysts say, the amount of information lost could be far greater than what is in a single computer or cluster.

"You can have better defenses" in the cloud, "but if an attack happens, it's highly amplified," says Sidiroglou-Douskos.

The four-year MIT project funded by the Defense Advanced Research Projects Agency seeks to develop systems that automatically fix data breaches in a manner similar to "human immunology," says the researcher.

A number of cloud security breaches have raised concerns, including attacks on the Sony PlayStation Network, LinkedIn and Google's Gmail service. One hacker recently claimed to have stolen credit card numbers from 79 major banks.

"Crimes target sources of value. Large company networks offer more targets to hackers," says Nir Kshetri, a professor of economics who studies cybercrime at the University of North Carolina at Greensboro.

"Information stored in clouds is a potential gold mine for cybercriminals."

Kshetri said in a paper submitted to the journal Telecommunications Policy that when questions come up, "the cloud industry's response has been: Clouds are more secure than whatever you're using now. But many users do not agree."

'FAKE CLOUDS'

Marcus Sachs, former director of the Sans Technology Institute's Internet Storm Center, said the cloud may be more secure but also opens up new questions.

"In the cloud, you don't necessarily know where your data sits," Sachs told AFP.

"That doesn't make it less vulnerable to attack, but there are questions when it comes to (an) audit, or if you want to take the data back or destroy it, how do you know you've erased it?"

Sachs said that analysts have also discovered "fake clouds" which are offered as low-cost alternatives but are in fact operated by "criminal groups which monitor and steal the data."

"We have seen instances of this not in the US, but in the former Soviet Union and in China," he said.

Still, the cloud market is burgeoning, with companies and government agencies moving to either "public" clouds that are easily accessed or so-called "private clouds" that are segregated from the Internet.

Some analysts say other issues need to be resolved about cloud computing, such as who is liable if data is lost, and how data can be accessed for government investigations.

Outages have recently affected Apple's and Amazon's cloud services, causing some websites to be affected.

"Privacy, security and ownership issues in the cloud fall into legally gray areas," Kshetri says.

Sidiroglou-Douskos said there is no single answer for people or companies choosing between cloud systems and holding the data themselves.

"If you are trying to protect yourself from the government, then having it in the public cloud makes it easier for them to get it," he said.

"If your main worry is a hacker in Russia, maybe (cloud) infrastructure is better for your own security."

Explore further: 'Halo' makers shed light on live-action series

add to favorites email to friend print save as pdf

Related Stories

Head for the clouds, feet firmly on the ground

Mar 05, 2012

Computer engineers in the US writing in the International Journal of Communication Networks and Distributed Systems have reviewed the research literature to get a clear picture of cloud computing, its adoption, use and th ...

The trustworthy cloud

Mar 07, 2012

Not a week goes by without reports on security gaps, data theft or hacker attacks. Both businesses and private users are becoming increasingly uneasy. However, when it comes to technologies like cloud computing, trust and ...

Study on the Security of Cloud Computing

Feb 26, 2010

Not only does cloud computing help to save money, it also helps to increase IT security: Small and medium sized companies especially can profit from special cloud security solutions and the knowledge advantage of experienced ...

Microsoft-Amazon.com pressed for clean 'cloud'

Apr 19, 2012

Activists rappelled down a Seattle office building Thursday to get Microsoft and Amazon.com to use clean energy to power datacenters running services based in the Internet "cloud."

Cloud computing: Gaps in the 'cloud'

Oct 24, 2011

Researchers from Ruhr-University Bochum have found a massive security gap at Amazon Cloud Services. Using different methods of attack (signature wrapping and cross site scripting) they tested the system which was deemed "safe". ...

Recommended for you

Watching others play video games is the new spectator sport

Aug 29, 2014

As the UK's largest gaming festival, Insomnia, wrapped up its latest event on August 25, I watched a short piece of BBC Breakfast news reporting from the festival. The reporter and some of the interviewees appeared baff ...

SHORE facial analysis spots emotions on Google Glass

Aug 28, 2014

One of the key concerns about facial recognition software has been over privacy. The very idea of having tracking mechanisms as part of an Internet-connected wearable would be likely to upset many privacy ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

Kedas
not rated yet Jun 24, 2012
"You can have better defences" in the cloud, "but if an attack happens, it's highly amplified,"
What they forget is that clouds are attacked much more often
because they advertise how much data that they store behind one firewall.
If they steal 100 times the amount of data then putting 10 times more effort in it to hack it, it is still a win for them.

If you want it secure have your own place (not shared), and don't tell anyone about it's existence.
Eikka
4 / 5 (1) Jun 24, 2012
and how data can be accessed for government investigations.


And how can data be protected from government investigations, or any other authority for that matter. A hostile regime has a much easier time targetting and taking down the public company that hosts your data, than busting in your door and taking your servers for no good reason.

Like in the case of Megaupload, someone can abuse judicial power to essentially prevent you from accessing your own data and ever getting it back.