Shouldn’t you be worried about cyberterrorism in the cloud?


Updated. The events of Sept. 11, 2001 opened the minds of CIOs to a Pandora’s box of possibilities.

A decade ago, tech executives had no concept of the magnitude of attacks that could take place on our own soil. For the first time, we became more aware of our vulnerabilities — at our homes, in our country and within our IT infrastructure.

After 9/11, businesses grew concerned about protecting both their data and their entire organization. The government reacted by implementing new, improved security and compliance standards. Over time, businesses’ data became safer. Before 9/11, hackers would have to climb over a ten-foot wall to access company data. These days, it’s more like a 100-foot wall.

But in my opinion, we’re not out of the woods yet. Just ask Sony (s SNE), who hired a former Homeland Security official as chief data safety officer when more than 100 million accounts were breached. Or look at Dutch security certificate provider DigiNotar, from which hackers stole certificates for the purpose of spying on Iraqi Iranian citizens. Then there was the 2010 Stuxnet worm, which was “so skillfully designed that computer security specialists … were almost certain it had been created by a government and is a prime example of clandestine digital warfare,” according to the New York Times.

“Cyber and economic means are edging toward the place where they truly are weapons of mass destruction,” writes former Assistant Secretary for Homeland Defense Steven Bucci. Cyberterrorism has yet to be fully quantified, but the incidents speak for themselves: The trajectory of warfare is headed to cyberspace, and where there is war, there are terrorists.

Should businesses be worried about cyberterrorist attacks? The answer is that they should be worried enough to stay proactive about security. For one, cybercriminals are more interested than ever in siphoning finances from businesses — even small- and medium-sized ones that often don’t have the elaborate security of their corporate counterparts. Looking forward, CIOs and IT managers need to think about who suffers most in today’s form of warfare — civilians. Now upload that to the cloud. That’s reason enough to be prepared.

The widespread adoption of cloud computing means that businesses need to be aware of how their service providers are protecting data in the cloud. Some people assume the cloud provides built-in immunity from attacks. It doesn’t. But with the right protections, cloud service providers can provide solid defenses.

All cybermisfits, from small-time pilferers to organized radical extremists, sneak into networks by exploiting weaknesses. A cloud service provider needs to protect those potential entry points. It should protect data in transmission and data at rest through encryption. Multifactor authentication will stop unauthorized users from breaking in via the username/password channel. The cloud provider should also scramble passwords, blocking wannabe cross-site request forgers and scripters. On the hardware side, CIOs should select providers with high-quality firewalls and routers, as well as first-class physical data center security.

Finally, a cloud provider needs to offer good detection and logging. All unsuccessful login attempts should be detected and logged for review by the administrator. The cloud provider should retain log files and analyze them in real time. IT teams need to be given enough granularity in their administrative controls that they can proactively prevent unauthorized activity in the cloud. When administrators have the ability to choose who accesses the cloud, what they download, how often they change their passwords and so forth, they can look for patterns that indicate a breach.

Let’s say that despite a bulletproof cloud, an IT administrator forgets to update local software and an infection breaks in. If their organization adopted a hybrid cloud solution, this won’t necessarily be cause for panic. With the hybrid cloud, IT teams can backup and synch files stored locally, meaning they already have a redundant storage system. When something breaks locally, it can easily be restored from the cloud.

Cloud computing and potential disasters — whether natural or terrorist-made — are in the same circle of synergy. With a properly designed hybrid cloud that incorporates robust multilayer security, a single point of attack will not kill a business. When CIOs scrutinize the security of their cloud service provider in the same way they monitor internal security measures, they can feel confident they are truly being proactive about protecting their data.

Vineet Jain is the CEO and co-founder of Egnyte.

Image courtesy of Flickr user TechShowNetwork.


Joe Moriarty

I would also argue that large enterprises do not secure the majority of their sensitive data that leaves their network whether it’s in the Cloud or traditional infrastructure.

David Taylor

ISP’s do nothing to ensure that the Internet is secure. Giving your data to The Cloud means that you are handing control and access rights off to a third party over whom you have not only no control but no come back in the event of your data being breached.

There is no control over who has your data, where it is stored etc. This could be in the UK, USA, India, China, Taiwan or even Vietnam.

The Cloud is insecure, you have no control and there is no Policing of poor performance by either the ISP’s or the Data Holder whoever and wherever that may be.


Every infrastructure is controlled by somebody. “The Cloud” is such a loose term, the way you use it here. Amazon’s Elastic Cloud is used by Netflix and other companies that do take a dump whenever a datacenter has an issue. Companies do lease infrastructure and then run their own service on it. Many dedicated hosters have resellers using their infrastructure to sell domains and host websites. It is not some big black abyss when somebody drops a rock and it just falls down. You can find out who hosts what with just a little bit of digging. Your voicemail and email are probably in some cloud right now that somebody thinks is secure.

Matthew Loxton

Stuxnet broke a prime principle of warfare as embodied in the Roman pilum – don’t throw a weapon that can be thrown back.

Every would-be cyber-guerrilla now has a reusable weapon platform.


I don’t think the danger to the public cloud is that much bigger than what a company’s own infrastructure is today. In fact, I think in time it will be more secure than what a company can do on its own. The examples you sited, Sony etc. were all private implementations.

Floris van Altena

edit: Irani citizens, not Iraqi… Sorry after this mistake, stopped reading.

“Or look at Dutch security certificate provider DigiNotar, from which hackers stole certificates for the purpose of spying on Iraqi citizens.”

Casual Reader

It was Iranian citizens, not Iraqi. You should get your facts straight. I also don’t see what this article has to do with cyberterrorism.

Aleksander Adamowski

Aren’t you confusing cyberterrorism with cyber espionage, cyber vandalism and ordinary organized cyber crime? What does 9/11 have to do with it?

It’s completely unrelated, but I suppose that you wanted to somehow monetize the anniversary of the event.

Still, your confusion between basic terms of cyber crime leaves much doubt about your competence in the area of IT security.

What good can be your solutions if you cannot properly distinguish distinct types of threats?


Technology is like a double edged sword. When we design a system we should built into the required failover mechanisms to ensure that the data misuse is minimised if not blocked.


Ironically – one of the first things that a company does when testing out a cloud is implimenting its infrstructure and backups to it. Then they push their failover to it. This is in case is own network gos down. In the end, a company moves most or all of its data/network to the cloud (Desktops will be the last to follow).

The ironic bit is the reversal of company anxiety. once everything is in the cloud, companies will be downloading a copy locally for failover. ( Not even mentioning downloading data to record for archival purposes).

Comments are closed.