Cloud // Software as a Service
Commentary
10/2/2013
03:41 PM
Robert Malmrose
Robert Malmrose
Commentary
50%
50%

The New Bank Robbers: Emerging Cloud Threats

Today's outlaws target data, not cash. Here are some key considerations as you choose a cloud service provider for your enterprise.

Willie Sutton, the famous bank robber, is credited with robbing more than 100 banks between the late 1920s and the early 1950s, when he was arrested, convicted and imprisoned. Sutton stole more than $2 million during his prolific crime wave. In an article published in The Saturday Evening Post in January 1951, a reporter asked Sutton why he robbed banks, to which Sutton allegedly replied, "Because that's where the money is." In his autobiography, Sutton denied that he actually he used those exact words, but then wrote, "That's what almost anybody would say… it couldn't be more obvious."

Modern-day bank robbers aren't using masks and guns, but rather computers and social engineering. As businesses move their intellectual property and client data into cloud technologies, it's clear that the new bank robbers are going to be found in the cloud. Why? The worldwide public cloud services market is growing tremendously. And they're not just targeting banks anymore, but any company where they can find data to resell, disrupt or exploit.

Gartner predicts that from 2013 to 2016, $677 billion will be spent by cloud customers to create cloud advertising and other business services. This estimate does not even include the billions of dollars of private cloud infrastructure investment. So when the new bank robber is asked why he is targeting cloud services, he will most likely answer, "Because now that's where the data is" -- so that's where the money is. And now your data will be in an infrastructure under which you have less control than you've historically had.

What are today's bank robbers attempting to do? Some are using cloud services to run their Zeus botnets and other hacking infrastructures up close and personal -- perhaps even from the same provider you use to house your precious cloud services and servers. And they're unleashing the zombies back into these cloud environments, with their eyes on your data.

[ Want more advice on cloud architecture? Read Cloud Architecture: Get It Right The First Time. ]

You should also consider the risk of a compromise by a nefarious cloud service employee with a level of control or access into your servers or applications that you may have never considered in the past. And how certain are you that your cloud provider has sufficient controls to prevent inadvertent leakage or destruction of your data in virtualized environments shared with many customers?

Other risks include hacktivists who target your service provider with DDoS attacks, rendering your business service unavailable for hours or days because the cloud provider didn't have the bandwidth or controls in place to contend with the attack. The recent DDoS attacks in the banking industry should give pause to any business intending to move their business services into a resource shared with other companies that may be targets of these efforts.

If you're sharing a joint authentication mechanism with millions of customers in a SaaS environment, then be prepared for the possibility of falling victim to an authentication breach that affects all of your cloud provider's customers. This type of compromise recently occurred to the note-taking service Evernote, and it required the company to reset the passwords of 50 million customers as a precaution.

Willie Sutton's alleged quote has become a part of American legend. Known as Sutton's Law, it is even used in medical schools to illustrate the point that one should first consider the obvious when diagnosing an illness.

So what are obvious considerations to protect against these emerging threats?

1. Know what data your company is storing in the cloud.

-- Don't find out after someone else publishes it on the Web or sells it to a crime syndicate.

-- Be aware what types of data your business is producing or holding during the initial stages of the project.

2. If you are storing any confidential data in the cloud, encrypt it.

-- Assume the data is going to be attacked and potentially leaked in the future.

-- Encryption increases the costs for hackers to gain access to your data and may thwart their efforts.

-- The hacker may simply turn their efforts to competitors who decided encryption was an unnecessary effort.

3. Have a Plan B for critical business services.

-- Assume that your cloud provider is going to have a disruption in the future.

-- Determine how much downtime you can handle and still remain profitable.

-- If you have low tolerance for downtime, consider purchasing more redundant services or distributing critical applications between multiple cloud providers for failover in the event of an emergency.

4. Choose a cloud provider that is aligned with your risk tolerance.

-- Assess various cloud service providers and choose that one that best fits your budget and risk tolerance.

-- Don't bargain-hunt for a cloud provider -- you may one day wish you had chosen a provider with stronger security.

Moving to the cloud should not increase your vulnerability to robbery if you take precautions against these growing risks in the new cloud marketplace.

Robert Malmrose is a featured speaker at Cloud Connect Chicago, taking place Oct. 21-23, 2013.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
10/7/2013 | 2:22:49 PM
re: The New Bank Robbers: Emerging Cloud Threats
It's amazing to me that businesses still don't encrypt 100% of their sensitive data -- no matter where it is, not just with a cloud provider,
Laurianne
50%
50%
Laurianne,
User Rank: Author
10/7/2013 | 4:26:59 PM
re: The New Bank Robbers: Emerging Cloud Threats
Robert, re #3 and continuity, what lessons would you advise people take away from the Nirvanix incident?
David F. Carr
50%
50%
David F. Carr,
User Rank: Author
10/7/2013 | 4:47:56 PM
re: The New Bank Robbers: Emerging Cloud Threats
Encryption does add cost and complexity, so you do have to think twice about where it is appropriate.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
10/10/2013 | 12:38:12 PM
re: The New Bank Robbers: Emerging Cloud Threats
Robert, You make a great point about how important the issues of security and risk management are when choosing a cloud provider. The problem for many organizations, however is finding CSPs that are willing to "open up the kimono" about their security policies and share details on how they protect customer data from attacks and breaches. Do you have suggestions or best practices for evaluating CSPs. Also what are some terms you would recommend that enterprises include in SLAs to keep the Willie Suttons at bay?
8 Steps to Modern Service Management
8 Steps to Modern Service Management
ITSM as we know it is dead. SaaS helped kill it, and CIOs should be thankful. Hereís what comes next.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.