Executives unsure of the viability of cloud computing need look no further than the criminal fraternity for a ringing endorsement of the technology, according to a security expert.
Cloud computing has been enthusiastically taken up by criminals for a range of activities, Rik Ferguson, senior security adviser at security firm Trend Micro, told delegates at a Westminster eForum on Wednesday.
"One of the things that persuades me personally that the cloud is absolutely a viable model and has longevity is that it has already been adopted by criminals," Ferguson said. "They are the people who are leading-edge adopters of technology that is going to work and going to stick around for a long time.
"We already see customers of Google, customers of Amazon, who are criminals and who use those services, among others, to run command-and-control services for botnets, to launch spam campaigns and to host phishing websites. They see the power, the scalability, the availability and, for them, the anonymity that is possible through cloud services and they are using it to its fullest extent."
Ferguson told ZDNet UK that this development was part of a shift in the criminal methodology. "Even 12 months ago it was true to say that, if you had a number of PCs in your organisation going to twitter.com/profilename several times a day, that was not a security concern unless you were blocking social networks. But that kind of stuff is now no longer necessarily normal. It could be an indicator of malicious behaviour," he said.
This change in approach must be met with an alteration in the way organisations detect suspicious activities, according to Ferguson. "We have to change our security policies to take account of the fact that criminals are trying very hard to lose themselves and their activities in the general white noise of the internet," he said.
Read this
Cloud Watch Special Report
Untangle the hype and the promise, the good and the bad, the risks and the benefits of cloud computing
"You used to say, 'Right, I'm going to look for IRC [internet relay chat] outbound from my network because that's definitely suspicious. I'm going to block access to all the known command-and-control IP addresses for botnets because I don't want them to be able to phone home'," Ferguson added.
"But now that criminals are moving into cloud services, what are you going to do? Block EC2 [Amazon Elastic Compute Cloud]? It becomes very much more difficult and I think that is an area that security companies and security professionals need to focus on."
He said organisations need to rethink their security models, which have traditionally been "outside-in" and focused on stopping intruders entering networks. "When we become consumers of cloud we have to change the way we think and focus on inside-out security," he said.
Ferguson recommended that in an age of mobility, virtualisation and cloud, firms should focus on the core. "Start with your data and make sure your data is secure, wherever it is, and then make sure the systems handling the data are self-defending wherever they are," he said.
Talkback
"But now that criminals are moving into cloud services, what are you going to do? Block EC2 [Amazon Elastic Compute Cloud]?
Yes
If the Wild West is full of outlaws, you don't move there until it has been cleaned up - or make sure the reward is worth the risk
If the given service provider isn't doing enough or has taking the stand that its going to remain totally impartial to it's customer's doing's, then yes I haft to agree go else where.
But having said that the cloud providers probably see it as not so much endorsing it, but rather not wanting to be seen as snooping/meddling on early adopter's of their technology business.
There's a fine line here between good take up or bad take up of cloud services, no ones going to want to join a service provider known to be supplying bad customer's, but equally so no one's going to want to join a provider known to snoop to deeply.
It's almost sounds like they is going to be a battle between good/evil on the take up front for cloud services as a whole, which one will win is anybody's guess.
I am Tushar Khera, MBA student from the University of Leicester, UK. I am doing my dissertation on "Cloud computing: Its effects on organisation's strategies".
I plan to use qualitative research method which will include interviews, to gather information on my research topic.I wished to interview members to get information on this research topic. It would be good if I could get contacts in other organisations whom I could interview.
Awaiting a positive reply.
-------------------------------------------------------------
Thanks and Regards
--Tushar Khera
email id: tkhera_15@yahoo.com