We're heading fast into the cloud computing era, where we access our email on distant servers, store pictures on photo-sharing sites, and access our data from any location.

But cloud computing comes with a lot of security risks, and that was the topic of a talk today by Andrew Becherer, Alex Stamos, and Nathan Wilcox of iSEC Partners at the Black Hat conference in Las Vegas.

Cloud computing means that lots of Internet host servers are being marshalled to deliver data to you in real time. That data is distributed across a lot of different commodity storage servers, all tied together through software. The apps are stored on servers and can be moved from machine to machine without impacting you.

The recent Twittergate break-in gives you an idea of the risks of having all of your data stored someplace that is accessible via the web. The hacking of a single Twitter employee's account led to the disclosure of the company's most sensitive data, including its licensing discussions with Google and Microsoft.

Most companies are in a similar position, where they store sensitive data online. Twitter stored its stuff at Google Apps for Your Domain. Nobody broke into Google. It was hacked simply via a clever password-stealing trick.

"No matter how low an opinion you have of your users, they will figure out a way to disappoint you," Stamos said.

It means that if you really want to protect sensitive data in the cloud, you need a lot of rigorous barriers that, while not perfect, present obstacles to easy hacks. If you can detect real-time anomalies, like a user logging in from France when you have no employees there, that helps security. Your response time is critical in preventing break-ins, but response time is an issue if someone else is hosting your data. If you make the hurdles high for resetting a password, that helps. If someone is resetting their password, someone in information security should be alerted.
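The checks described above, sketched as an added example that is not from the talk or from iSEC Partners: it flags logins from countries where the company has no staff, alerts on every password reset, and raises the severity when an out-of-place login follows a reset. The event format, field names, country list and one-hour window are all assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Assumption: countries where the company actually has employees.
EMPLOYEE_COUNTRIES = {"US"}
# Assumption: an odd login this soon after a reset is treated as one incident.
RESET_WINDOW = timedelta(hours=1)

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-01-15T09:00:00", "user": "alice", "action": "login", "country": "US"}
{"ts": "2024-01-15T09:05:00", "user": "bob", "action": "password_reset", "country": "US"}
{"ts": "2024-01-15T09:20:00", "user": "bob", "action": "login", "country": "FR"}
{"ts": "2024-01-15T11:00:00", "user": "carol", "action": "login", "country": "FR"}
{"ts": "2024-01-15T11:30:00", "user": "alice", "action": "login"}
"""

def detect(log_text, allowed=EMPLOYEE_COUNTRIES, window=RESET_WINDOW):
    """Return (severity, user, reason) alerts in log order."""
    alerts = []
    last_reset = {}  # user -> time of that user's most recent password reset
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user, action = ev["user"], ev["action"]
        country = ev.get("country")  # missing when geolocation failed
        if action == "password_reset":
            # Every reset goes to information security, wherever it came from.
            last_reset[user] = ts
            alerts.append(("medium", user, "password reset"))
        elif action == "login" and country not in allowed:
            where = country or "unknown location"
            # Correlate: did this user reset a password shortly before?
            recent = user in last_reset and ts - last_reset[user] <= window
            severity = "high" if recent else "medium"
            suffix = " after reset" if recent else ""
            alerts.append((severity, user, f"login from {where}{suffix}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="\t")
```

A login with no resolvable location is treated as out of place rather than silently allowed, so a geolocation failure cannot hide an event.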

Using Linux software as a foundation for cloud computing has its own vulnerabilities. The researchers used their knowledge of a few things to attack Amazon's EC2 cloud computing platform. In a cloud computing platform, there are often copies of operating systems that are repeated across a bunch of servers. Doing this exposes some of the things that should be unique to each computer -- such as cryptographic codes. With this kind of data accessible, the researchers said they would be able to compromise security functions in the servers, essentially taking them over. Cloud computing designers have to take bugs like this into account in order to make platforms more secure.

There are also non-technical issues to address. Who is to blame -- the company or its web host -- if there is a data breach, loss of data, a disaster, bankruptcy, or some other shock to the system? A company could also be vulnerable if it deploys an app on its company cloud that is vulnerable to attack. That means apps have to be tested in a cloud environment.

Data stored in somebody else's cloud doesn't have the same legal protections as data you store on your own computers. That means that the bar is lower when federal agents come calling, asking you to disclose your data for some reason, Stamos said. So the physical location of where you put your data certainly matters.

Right now, there is no legal disclosure required when someone steals your company's data from a third-party hosting company. Google says that its own policy is to disclose to its customers if there is some legal attempt to obtain their data -- unless it is legally prevented from telling the customer.