IT security problems shift as data moves to ‘cloud’
The Internet “cloud” has become the freshest topic in computing, however the trend has created a brand new range of security issues that should be addressed.
The cloud is related to such things as personal emails and music that are accessed on computers and a variety of mobile devices.
But the U.S. military and government agencies from the CIA to the Federal Aviation Administration also use cloud systems to permit data to be accessed anywhere on earth and save cash — and, ostensibly, to improve security.
Strategy Analytics forecasts U.S. spending on cloud services to grow from $31 billion in 2011 to $82 billion by 2016.
But some experts say security implications of the cloud haven’t been fully analyzed, and that the cloud may open up new vulnerabilities and problems.
“If past is prologue i don’t believe any system is de facto secure,” said Stelios Sidiroglou-Douskos, a research scientist on the Massachusetts Institute of Technology‘s Computer Science and synthetic Intelligence Laboratory.
“The analogy most people will give is having a lock in your door. It is not a guarantee nobody will break in, but it is a question of the way much time it’ll take, and in the event that your lock is healthier than your neighbor’s.”
In a cloud environment, “this makes the job of the attacker such a lot harder, that means the amateur hacker can be obsolete,” said Sidiroglou-Douskos, who’s engaged on a U.S. government-funded research project to develop “self-healing” clouds.
But if a system is breached, analysts say, the quantity of data lost can be far more than what’s in one computer or cluster.
“One can have better defenses” within the cloud, “but when an attack happens, it’s highly amplified,” says Sidiroglou-Douskos.
The four-year MIT project funded by the Defense Advanced Research Projects Agency seeks to develop systems that automatically fix data breaches in a fashion such as “human immunology,” says the researcher.
A choice of cloud security breaches have raised concerns, including attacks at the Sony PlayStation Network, LinkedIn and Google’s Gmail service. One hacker recently claimed to have stolen bank card numbers from 79 major banks.
“Crimes target sources of value. Large company networks offer more targets to hackers,” says Nir Kshetri, a professor of economics who studies cybercrime on the University of North Carolina at Greensboro.
“Information stored in clouds is a possible gold mine for cybercriminals.”
Kshetri said in a paper submitted to the journal Telecommunications Policy that after questions arise, “the cloud industry’s response was: Clouds are safer than whatever you’re using now. But many users don’t agree.”
Marcus Sachs, former director of the Sans Technology Institute‘s Internet Storm Center, said the cloud could be safer but additionally opens up new questions.
“Inside the cloud, you do not necessarily know where your data sits,” Sachs told AFP.
“That does not make it less prone to attack, but there are questions in relation to (an) audit, or so one can take the information back or destroy it, how are you aware you’ve erased it?”
Sachs said that analysts have also discovered “fake clouds” that are offered as low-cost alternatives but are in truth operated by “criminal groups which monitor and steal the information.”
“We’ve seen instances of this not within the U.S., but inside the former Soviet Union and in China,” he said.
Still, the cloud market is burgeoning, with companies and government agencies moving to either “public” clouds which are easily accessed or so-called “private clouds” which might be segregated from the net.
Some analysts say other issues must be resolved about cloud computing, including who’s liable if data is lost, and the way data may be accessed for presidency investigations.
Outages have recently affected Apple‘s and Amazon’s cloud services, causing some websites to be affected.
“Privacy, security and ownership issues inside the cloud fall into legally gray areas,” Kshetri says.
Sidiroglou-Douskos said there is not any single answer for folks or companies choosing between cloud systems and holding the information themselves.
“In case you are attempting to guard yourself from the govt. , then having it within the public cloud makes it easier for them to get it,” he said.
“In case your main worry is a hacker in Russia, maybe (cloud) infrastructure is healthier in your own security.”