It appears that concerns about the potential for lack of security in “cloud computing” have been confirmed already, with the Sydney Morning Herald journalist, Cynthia Karena, reporting on 8 December 2011 that “major security vulnerabilities” were found at a large cloud provider, meaning that attackers could possibly gain unrestricted access to all hosted systems within that cloud.
Allegedly, it took less than a day for security consultants to obtain “Domain Administrator” access over the cloud provider’s network.
I am happy to note that the access was gained by the specialist security hackers at the company’s request, but the result was that all administrator workstations were compromised, giving total access to all cloud hosted systems.
The security consultants identified what they considered to be “typical web application vulnerabilities” such as injecting malicious scripts into trusted websites, as well as what they believed to be much more critical cloud security flaws – lack of access controls giving a hacker opportunity to gain unauthorised access to other users’ accounts.
The hackers were also able to connect to other companies’ servers hosted in the cloud and could potentially have attacked those third party servers.

Effectively, there was a lack of network access controls within the cloud environment, allowing all internal employees to connect to all cloud systems.
Obviously, having identified these problems, the cloud provider then moved quickly to start fixing them, as that was the object of the exercise.
Presumably, they will now be able to offer better security to their clients, and that is where the message lies for anyone wishing to make use of the cloud environment.
It is clearly essential that everyone seek proof of independent security testing as a pre-condition for using any cloud service, and the more extensive that testing, the better.
Many questions should be put to the cloud provider and, from a legal point of view, the responses should be obtained in writing.
The Sydney Morning Herald article went on to refer to other cloud security tests conducted overseas, and difficulties with testing were raised due to the number of parties involved in testing – including third party suppliers of software and applications.
A source in one of the instances indicated one solution was to have a dedicated server just for that particular enterprise. That option has been taken by some security conscious companies.
Those companies can also elect to use a dedicated connection that is not shared, to provide further security, and may decide not to move all applications to the cloud, keeping core business applications in-house.
Therefore, anyone who wishes to retain maximum security over their data and systems whilst considering entering a cloud computing arrangement must conduct extensive due diligence on the cloud provider to ensure they are able to deliver the security required.
On my reading of some cloud computing contracts, extensive amendment is required to the terms of agreement before anyone could consider them to provide either the security or appropriate compensation in the event of a breach.