Cloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud make up one of the major reasons why companies are hesitant to migrate their operations to the cloud. Let’s discuss an important puzzle in cloud computing, that is, the problem of authentication.
Many authentication schemes are done via the traditional user name-password combination. Problems with relying on these are well-known but, as companies move to the cloud, these become even more important.
Cybercriminals have known the importance of user credentials for a long time now and have worked hard to develop techniques to steal them. The top 2 online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of techniques to steal user credentials. One of the most ingenious of these is the use of screenshots to counter on-screen keyboard safety measures online banks use as an anti-keylogging mechanism.
Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe.
To make matters worse, account-stealing Trojans account for the majority of malware types Trend Micro has discovered so far, as documented in our first half report. We can only see this trend continuing in the foreseeable future.
Aside from malware, however, employees themselves are also part of the problem. They may unwittingly give out critical information on social networking and social media sites. Answering quizzes that virally spread on social networks may reveal information that an attacker may find useful when answering security questions on password-recovery features or when impersonating legitimate personnel.
One of the appeals of cloud computing is that users can access services in the cloud from anywhere in the world, even when out of the office. This, however, presents new risks for corporations that use cloud services. Users may be tempted to use unsecure access points such as free Wi-Fi.
Everyone loves free Wi-Fi but unsecure wireless networks are prone to sniffing and sidejacking, which are made trivial through the release of tools like Firesheep. Don’t limit the definition of “unsecure wireless networks” to airports or coffee shops. Many wireless home networks are also not securely configured. These are vulnerable to war driving and, consequently, sniffing and sidejacking.
Cloud security is a complex problem that has multiple facets. Each aspect—from devices to users and access points—must be protected and secured. Only if all three are secure can an IT administrator answer the question with, “Yes, my organization is ready for the cloud.”
To keep abreast of cloud-related news and information read our Cloud Security Blog.