Blog Post

Why Cloud Computing Needs Security

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Bribery, extortion and other con games have found new life online. Today, botnets threaten to take vendors down; scammers seduce the unsuspecting on dating sites; and new viruses encrypt your hard drive’s contents, then demand money in return for the keys.

Startups, unable to bear the brunt of criminal activity, might look to the clouds for salvation: After all, big cloud computing providers have the capacity and infrastructure to survive an attack. But the clouds need to step it up; otherwise, their single points of failure simply provide more appealing targets for the bad guys, letting them take out hundreds of sites at once.

Last Friday, Amazon’s U.S. site went off the air, and later some of its other properties were unavailable. Lots of folks who wouldn’t let me quote them, but should know, said that this was a denial-of-service attack aimed at the company’s load-balancing infrastructure. Amazon is designed to weather huge amounts of traffic, but it was no match for the onslaught.

When it comes to online crime, the hackers have the advantage. A simple Flash vulnerability nets them thousands of additional zombies, meaning attacks can come from anywhere. During Amazon’s attack, legitimate visitors were greeted with a message saying they were abusing Amazon’s terms of service, which could mean that those visitors were either using PCs that were part of the attack, or were on the same networks as infected attackers. The botnets are widespread, and you can’t block them without blocking your customers as well.

Other rackets give the attacker an unfair edge, too: It takes an army of machines to crack the 1024-bit encryption on a ransom virus, but only one developer to write it.

A brand like Amazon can weather a storm, because people will return once the storm has passed. But just look at the Twitter exodus to see how downtime from high traffic loads can tarnish a fledgling brand. Slideshare survived such an attack in April, and while many other sites admit to being threatened, they won’t go on the record as saying so.

Up-and-coming web sites are often great targets, as they often lack the firewalls, load-balancers and other infrastructure needed to fight back. And it’s not just criminals: In some cases, the attacker is a competitor; in others, it’s someone who just doesn’t like what you’re doing.

Fighting off hackers is expensive. Auren Hoffman calls this the Black Hat Tax, and points out that many top-tier Internet companies spend a quarter of their resources on security. No brick-and-mortar company devotes this much attention to battling fraud.

Wanting to survive an attack is yet another reason for startups to deploy atop cloud computing offerings from the likes of Amazon, Google, Joyent, XCalibre, Bungee, Enki and Heroku. But consolidation of the entire Internet onto only a few clouds may be its Achilles’ heel: Take down the cloud, and you take down all its sites. That’s one reason carriers like AT&T and CDNs like Akamai are betting that a distributed cloud will win out in the end.

Cloud operators need to find economies of scale in their security models that rival the efficiencies of hackers. Call it building a moat for the villagers to protect them from the barbarians at the gate. Otherwise, this will remain a one-sided battle that just gives hackers more appealing targets.

8 Responses to “Why Cloud Computing Needs Security”

  1. Cory K.

    Heck right now we’d just settle for a the basics right now. Alister hits the nail on the head with a distributed cloud. We’re on Mosso right now and the idea of Mosso’s model is stellar. They make it easier for anyone to develop in the cloud. However, where the rubber meets the road, Mosso like all other cloud providers are stuck in a cruel irony. Unlike the cloud model the company itself can not throttle up as quickly as the cloud can. Right now their admin panel looks great to set up a new web site, and performed perfectly just a few months ago. As of the last 4-6 weeks, we’re yet to get a web site provisioned without having to call Mosso. If it were a quick fix while in a chat session or phone call, I’d be happy to chalk that up to a bump in the road. But right now it takes a CSR to escalate the issue to an admin. That process takes no less than 24 hours. The last time I had to call, beg and plead to get moved up the que. Even though the CSR’s are great that one web site took, over 72 hours to set up, then another 3-4 days to tweak it to work. We’re not talking anything fancy here. It was a PHP/MySQl set up. As vanilla as it gets. They say that they are working on the problem, and hope to have it remedied soon, but the amount of time and money we have lost having development teams sitting and waiting because the clouds could clear at any second is not worth it for most smaller firms…the very ones that Mosso is targeting. Alister is right that we do need to distribute the cloud, and hopefully that the distribution will allow for the small guys to come out and enjoy the sun for a little while. But for us, those 72 hours cost us almost as much as it would have cost us to use Rackspace…Mosso’s upstream. At least we’d have control over provisioning a simple web site.

  2. The combination of monoculture (literally planting only one kind of crop) in the cloud computing provider world with the faceless automated customer service of large corporations that think a self-service website can substitute for a real human answering the phone is a recipe for a security disaster. Cloud computing, with its low barriers to entry, attracts an increasing number of security-illiterate customers who depend on the cloud provider to provide security for them. However, not all providers offer such a plan, often assuming that the client has built security into their application, or thinking that the increased cost of security measures will make their cloud offering too expensive We have clients who have come to us after having their applications hacked inside Amazon EC2, with nobody to call for help and no internal expertise in security. If your provider has a detailed security plan in place, this can potentially improve your chances against hackers (especially the ones who just run bots to search for common exploits) but there’s still nothing like designing your application from the ground up to be as secure as possible. We provide our clients with IDS/IPS hardware firewalls protecting their cloud-deployed applications, but the next exploit that the firewall vendor hasn’t found yet is just around the corner waiting to take down applications written without consideration for security.

  3. Definitely need a whole bunch of clouds to render such attacks less significant and non-appealing. Call it ‘overcast’, Alistair.

    Moat. I like as a form of delaying strategy and deterrent but as far as persistent hackers go, it will prove to be more of a challenge that it could still be breached.