Why are hackers increasingly targeting cloud?

Danny Palmer investigates why cyber criminals see cloud as an increasingly lucrative target

It seems barely a day goes by without news of a large organisation suffering a data breach as a result of criminal activity.

Be it Hilton Hotels, the Office of Personnel Management or Ashley Madison, hackers have been able to break into their networks and steal the private information stored inside.

There has long been an argument over whether data stored in the cloud is more or less secure than that maintained behind the firewalls of the organisation. Cloud vendors unsurprisingly vouch for their services, but CIOs have expressed concerns that cloud computing is reducing their organisation's control over IT and creating long-term security risks.

While fewer cloud hacks have hit the headlines, the demise of Code Spaces, which was hacked through its AWS control panel in 2014, served as a wake-up call.

Meanwhile, a recent report by Alert Logic suggested that hackers are increasingly attacking cloud infrastructure, which they see as a "fruit-bearing jackpot" of data.

"Hackers, like everyone else, have a limited amount of time to complete their job," said the report.

"They want to invest their time and resources into attacks that will bear the most fruit: businesses using cloud environments are largely considered that fruit-bearing jackpot," it added.

Where the money is

Alert Logic's figures suggest cyber attacks against cloud deployments and applications have increased by almost half. Why has this happened? For the same reason the infamous American bank robber Willie Sutton gave for robbing banks: "Because that's where the money is".

According to Dr Kevin Curran, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and security lecturer at Ulster University, this is precisely the reason why attacks on cloud deployments are on the rise.

"Cloud attacks are going up simply because that is where the money is. More and more services and the accompanying data are being moved to the cloud because there are a number of advantages to using the cloud over on-premise servers," he told Computing.

These advantages include flexibility, potential cost-savings and the ability to easily scale services as and when required.

"Once you see the benefits of the cloud, you can see why most companies are moving there and hence why the hackers are targeting the cloud more and more," said Dr Curran.

But the rise in adoption isn't the only reason. The way cloud applications are deployed is also a factor.

Most SaaS customers receive the same technology and service as every other business which uses the same cloud-based application. That means any vulnerabilities in the application will be replicated across the various different enterprise customers using it.

"Attacks on cloud systems are increasing because many companies rely on a 'standard' installation process, which is then replicated for different customers and largely left untouched," Chris Gould, EY's head of cyber for UK and Ireland, told Computing.

"Unfortunately some organisations take an 'if it works don't touch it' approach to their cloud security systems, which means that updates and security patches are sometimes only installed when strictly needed," he explained.

This practice of applying just the "strictly needed" updates often only comes into question in the aftermath of a breach, and by then it can be too late.

"The time taken for security updates to be issued and installed can also contribute to a company's potential exposure," Gould said.

Under the mattress or in the bank?

Ultimately, when a user or organisation puts its trust in the likes of Google, Amazon or Microsoft to keep data safe in the cloud, it's expected that these large corporations will have better security.

However, if cyber criminals manage to breach their perimeter, they've hit the jackpot, because that's where the payoff of data - the money - is.

Ben Johnson, chief security strategist for Bit9, CTO of Carbon Black and former computer network operations specialist at the NSA, adapted the bank analogy, telling Computing that trusting a cloud provider to protect your data is similar to trusting a bank to keep your money safe; you just expect them to have better resources than you do to do it.

"If we all just kept our money at home, it's up to us to protect it. But we don't want to worry about protecting money in our house, so we put it in a bank. That means it's the bank which has to worry about security, which is great, but if they get robbed, all of our money is in one place for them to take," he said.

That logic, Johnson explained, also applies to cloud.

"If we all use Gmail, we really just put our trust into Google and that they're going to focus on security more than any of us would.

"But if the bad guy gets in there, now they have millions of email accounts they can start getting data from," he said.

"They could break into your house and steal whatever money you have, or they could go to the bank and steal a lot more. The bank is a lot more secure, but the payoff is much higher; it's like that for cloud," said Johnson.

Johnson believes that cloud applications are still inherently more secure, so concerned parties have no reason to rush out and shove all their data back into on-premise servers. "Cloud in general is safer than your own company doing it," he said, adding that the ultimate responsibility still lies with the customer.

"You're going to have Amazon doing some things to increase your security, but you still have to go that final mile".

EY's Gould also warned against any rash decision to remove data from cloud.

"Any decision to take data out of the cloud should be based on a threat analysis and an assessment of whether it makes economic sense to do so. Few companies conduct even the most basic practical risk assessments around this, and so often don't fully assess the pros and cons before acting," he told Computing.

Public cloud, private key

How can an organisation ensure that the data it stores in the cloud is protected? According to Dr Curran, encryption is the key.

"Businesses should become more aware of only using proper cloud encryption techniques. In reality this means they use disk encryption everywhere possible," he explained.

"Of course pre-Internet encryption [PIE] should always be invoked in conjunction with whole disk encryption. This ensures that the cloud provider does not have the keys to a user's kingdom," Dr Curran said.

He told Computing that any organisation which looks to store data with an outside service provider should examine how their chosen cloud vendor deals with security.

"The fact that any company is allowing confidential datasets to reside outside the company network should lead them to examine how they can robustly protect that data and the answer can be simply a layered security strategy," he said, before once again stressing "the core principle to be followed here is the encryption of data".

However, users should be very wary about storing encryption keys in the cloud.

Security doesn't come for free

The key factor in keeping cloud applications secure and safe from cyber attacks is the customer and the cloud provider working together.

"It's important to understand that security in the cloud is a shared responsibility. Know what your provider does for you, and what you must do for yourself," Matt Bishop, principal technologist in cloud at QA, told Computing.

"Cloud service providers take customer security extremely seriously, for obvious reasons, and many of them publish extensive security white papers, best practices and other advice," he added.

However, as simple as a partnership like that may sound, EY's Gould argued that there are more complicated questions to be considered.

"Securing the cloud is a complex matter. However, it's important to remember that cloud systems don't always result in financial savings. It often results in increased costs, in terms of monitoring risks," he said.

"If responsibility is placed on the cloud hosting company, inevitably costs will increase for all users. If security is outsourced to a third party, then there would need to be a stronger focus on auditing and monitoring of risks. There is no easy answer," Gould said.

Just because criminals are turning their attention to the cloud doesn't mean that enterprise data centres can drop their guard.

"While cyber-criminals are increasingly targeting cloud deployments, on-premises deployments are still being targeted at the same frequency as they always were," said Will Semple, vice president of security services for Alert Logic.

"The key to protecting your critical data is being knowledgeable about how and where along the 'cyber kill chain' attackers infiltrate systems and to employ the right security tools, practices and resource investment to combat them," he added.