In the aftermath of the recent Sony PlayStation data breach, which is considered to be in the top 5 data breaches ever, the cloud is once again at the forefront of discussion. What is becoming clear is that hackers used servers provisioned on Amazon EC2 to launch the attack against Sony. Some are taking this opportunity to criticize security in the cloud.
While I am all in favor of proceeding cautiously and for continually re-examining and improving security implementation, if you really look at it the Sony incident has almost nothing to do with “security in the cloud”. The fact of the matter is that Sony’s own private network was hacked. The tie-in to cloud is that the hackers were able to provision servers anonymously and utilize Amazon’s public cloud to leverage their attack with very little up-front investment.
But, isn’t this exactly what the public cloud offers as a benefit? The answer, of course, is yes. Although this attack against Sony was, from the hacker’s viewpoint, particularly successful, using cloud technology in a malicious manner is not new. There have been several reported incidents of Denial of Service attacks launched from EC2 servers. Why not? If you are inclined that way anyway it is very cost effective.
Should Amazon be held responsible for this? That is an interesting question. Amazon has been criticized, in some cases, for being slow to respond. In my opinion, though, it is not necessarily their job to respond. Why should Amazon be placed in a position of deciding what is a “good” and what is a “bad” use of their service? Those are ethical, not technological, questions. To be fair, though, Amazon actually does respond to these types of incidents in a reasonable manner.
What is clear is that whether or not your organization does choose to adopt cloud computing, the ante has been raised as far as security is concerned. Attackers now have available, at their disposal, a seemingly infinite pool of computing resources for pennies per hour. This, by the way, is the same pool that the good guys have access to as well. What this means is that cloud-based hackers can attack your non-cloud datacenter for the cost of just a few dollars. It matters little that you have carefully chosen to avoid using cloud computing in your organization. Security provisions at all sites be they public or private, will have to up their game. This is the new reality.
For a comprehensive treatment of security fundamentals and in particular how they relate to cloud computing, you may want to consider attending Learning Tree’s Course 1220, Securing the Cloud: Hands-On. This course discusses security in a cloud-based environment. It is a security course that happens to be set in a cloud environment; it is not a cloud course that happens to address security issues.
I hope to see you at a Learning Tree Education Center soon!