Castles in the Cloud: Securing your Data
Wed, Aug 01, 2012 by Andrew Conway
When I go to a convention like Black Hat and tell people I work for Cloudmark, the usual response is, “So you do cloud computing?” Well, sort of. The company was founded back in 2001 when cloud computing was less well defined – it originally meant any set of resources you could draw a cloud shaped bubble around on a white board. Now it seems to mean any computing tasks that used to happen on a local workstation, but now you don’t know where they are happening, so it might as well be up in the clouds. By that definition, spam filtering was one of the first services to move into the cloud, freeing email administrators from setting up their own filters and users from deleting spam by hand. This makes spam filtering one of cloud computing’s greatest success stories. (Thanks, Bruce, I’m going to keep using that line.)
Back in the day I used to run DNS, SMTP, POP, FTP and Web servers for one of my personal domains on a top of the line 386 computer attached to a DSL line in my basement. The server regularly got hacked one way or another, and I eventually gave up and moved the domain to a hosting service. I used to host heavily compressed postage stamp sized quick time movies (optimized for 2400 baud dial up) on the web site. Now I just embed YouTube videos. My domain has moved into the cloud, I outsourced the design to a WordPress template and I can focus on content without having to worry about my mail server being taken over by spammers.
This is fine for a hobby web site, but there was a trade off. When you move your data or services to the cloud, you are giving up control over security and backup. If the cloud service provider screws up and your data is hacked or lost, you have no recourse. (Seriously, read the fine print in the terms of service for your cloud provider. You have no recourse.) Now I certainly trust Hostgator or YouTube to do a better job of looking after my data than that long departed 386 in my basement did, but none of my data is mission critical. Before you move your unpublished novel, intimate photographs, or stock portfolio password into the cloud, maybe you should ask a few questions about the security of your cloud service provider.
Good luck with that. The answer you get may well boil down to, “Our security is so good that we don’t talk about our security.” OK, so then maybe if you are a real security guru you run some tests against the cloud provider to see if they are vulnerable to any of the common exploits. Fail! You have just violated those terms of service and your data will have to find somewhere else to live.
So if a cloud service provider won’t tell you about their security and you can’t test it yourself, what can you do? For those providers who allow outgoing mail from their cloud resources, you can see how much they are abused by spammers. It’s possible that they might have great backups and intrusion control and lousy spam filtering or vice versa, but in my experience companies that are good at security are good at all aspects of security.
I checked one of the leading cloud computing service providers to see how they were doing at preventing their clients from using their services to originate spam. The answer is that they are not in our top hundred spam sources by ISP, but often in the top two hundred. There is some spam being output, but as a percentage of total email it is comparable with large ISPs. For spam prevention, I would give them a B. It’s up to you to decide if that is good enough for your data. You’re certainly less likely to lose your data in the cloud than if you leave it on a hard disk without a back up.
A different cloud service provider has found another way to contribute to the spam problem. As Dropbox explained in a blog post yesterday, an employee had their login password stolen, and this resulted in a spammer obtaining a list of Dropbox users’ email addresses. However, this is not Dropbox’s worst security snafu. Last year they accidentally turned off password authentication for a period of four hours, allowing anyone to log in to any account with a random password.
Aside from the risk that a cloud provider may accidentally publish your private data, there is also the risk that you may make a mistake and accidentally publish it yourself. Click the wrong box on that app that uploads all the photos from your phone to the cloud, and you may find them turning up in Google Image Search. Hire a careless developer to work on your application and he or she may include the keys to your cloud account in source code in a publicly searchable repository. One wrong click when you share your bank account password with your spouse, and it is visible to the entire world.
If this happens, you can’t trust in security by obscurity. One of the presentations at Def Con featured a set of free tools for finding sensitive data that had accidentally been published in the cloud. Francis Brown and Rob Ragan of Stach & Liu demonstrated tools to scan for Amazon EC2 keys from public code repositories, and passwords and SSNs from Dropbox and Google Drive. Since the tools are based on Google and Bing searches they are extremely fast, as the search engines have already done all the web crawling.
The bottom line is that cloud computing makes life a lot easier, but if you are going to put sensitive data out there it is a good idea to encrypt it first, and when you hand out EC2 keys or passwords to anyone, make sure they are as limited in scope as possible.