There are probably less than 5 persons on this planet who know what cloud computing really means. The figure might be exaggerated, but while enterprises, consultants and vendors try to figure out the best cloud for their business model the attackers already take advantage of cloud infrastructure. Let’s disregard climate dependencies and extraordinary political environments for a moment (if you say yes to cloud computing, then you have this already taken into account and under control, right?). Let’s focus on on the security implications for the moment.
There’s an example of a string of unintended consequences by a successful social engineering attack. The target was a „cloud account“ linked to storage and three personal devices (a phone, a tablet and a laptop). The attacker gained access by means of tech support and bypassing security questions. Since we live in the age of Bring Your Own Little Devices™ and we all Take Security Seriously™ the devices were configured with a remote wipe option – which the attacker used successfully, too. The case is now in data rescue stage. Family and friends wait near the operating room for good news.
It really doesn’t matter what kind of cloud service this was. The promises are very similar, the reality widely differs. However the threat is real. There is no surprise, too. Essentially we are talking about outsourcing in „cloudy clothes“. Once you extend your infrastructure and mingle it with other companies, you will always create more ways for attackers and catastophes to affect you, even legal ones. Effectively you can control the risks by evaluating and selecting your mixture of outsourced infrastructure.
DeepSec 2012 has infrastructure as one of the focus topics. If you think of clouds and want to base your corporate future on them, you might want to take a look at our preliminary schedule next week.