Last Updated on November 22, 2011

Update November 24: New EU directive to feature cloud ‘bridge’. The Binding Safe Processor Rules (BSPR) will ask cloud service providers to prove their security and agree to become legally liable for any data offences.

In my humble opinion there is strange misconception regarding cloud security. For sure cloud security is one of the main trends for 2011 a trend, likely destined to be confirmed during 2012 in parallel with the growing diffusion of cloud based services, nevertheless, I cannot help but notice that when talking about cloud security, the attention is focused solely on attacks towards cloud resources. Although this is an important side of the problem, it is not the only.

If you were on a cybercrook’s shoes eager to spread havoc on the Internet (unfortunately this hobby seems to be very common recent times), would you choose static discrete resources weapons to carry on your attacks or rather would you prefer dynamic, continuous, always-on and practically unlimited resources to reach your malicious goals?

An unlimited cyberwarfare ready to fire at simple click of your fingers? The answer seems pretty obvious!

Swap your perspective, move on the other side of the cloud, and you will discover that Security from the cloud is a multidimensional issue, which embraces legal and technological aspects: not only for cloud service providers but also for cloud service subscribers eager to move there platforms, infrastructures and applications.

In fact, if a cloud service provider must grant the needed security to all of its customers (but what does it means the adjective “needed” if there is not a related Service Level Agreement on the contract?) in terms of (logical) separation, analogously cloud service subscribers must also ensure that their applications do not offer welcomed doors to cybercrooks because of vulnerabilities due to weak patching or code flaws.

In this scenario in which way the two parties are responsible each other? Simply said, could a cloud service provider be charged in case an attacker is able to illegitimately enter the cloud and carry on attack exploiting infrastructure vulnerabilities and leveraging resources of the other cloud service subscribers? Or also could an organization be charged in case an attacker, exploiting an application vulnerability, is capable to (once again) illegitimately enter the cloud and use its resources to carry on malicious attacks, eventually leveraging (and compromising) also resources from other customers? And again, in this latter case, could a cloud service provider be somehow responsible since it did not perform enough controls or also he was not able to detect the malicious activity from its resources? And how should he behave in case of events such as seizures.

Unfortunately it looks like these answers are waiting for a resolutive answer from Cloud Service Providers. As far as I know there are no clauses covering this kind of events in cloud service contracts, creating a dangerous gap between technology and regulations: on the other hands several examples show that similar events are not so far from reality:

• On June 2, 2011, during the peak of the LulzSec saga, CloudFlare, the (network and cloud) service provider hosting the web server of the infamous hacking group, was targeted with DDoS attacks, after the group decided to publish information obtained from the Sony Pictures’ website;
• On June 22, 2011, FBI seized some servers from DigitalOne as Ryan Cleary, a 19-year-old suspected of involvement in LulzSec, was arrested. In this circumstance several popular, legitimate websites including Pinboard, a bookmarking service, and Instapaper, a tool for saving web articles, were affected. Moreover the CEO of tje Company declared that, although interested in one of the company’s clients, F.B.I. took servers used by tens of clients;
• On August, the 29th 2011, an Italian security penetration tester discovered some flaws in Google’s servers allowing malicious attackers to launch a distributed denial-of-service attack on a server of their choosing;
• On October, the 12nd 2011, Defence Contractor Raytheon revealed it was the victim of a spear phishing cloud-based attack;
• On October, the 28th 2011, Indian authorities seized computer equipment from a data center in Mumbai as part of an investigation into the Duqu malicious software that some security experts warned could be the next big cyber threat.

Is it a coincidence the fact that today TOR turned to Amazon’s EC2 cloud service to make it easier for volunteers to donate bandwidth to the anonymity network (and, according to Imperva, to make easier to create more places and better places to hide.)

I do believe that cloud security perspective will need to be moved on the other side of the cloud during 2012.