As part of our 2013 predictions, we predicted that legitimate cloud services would be abused by cybercriminals. Unfortunately, that has proven to be the case – and in today’s current climate, it is unlikely to get any better.
For example, last week we saw a spam run that used Dropbox to host its malicious payload. It’s not the only case we’ve seen where legitimate cloud services have been utilized for malicious purposes – only the most recent noteworthy one.
The issue is bigger than just one popular service – others like Evernote and Sendspace have been abused as well. It’s natural to ask if these services can prevent such cases from happening again. However, a competing demand has also been heard from the public: privacy.
Today, people are much more concerned about whether their data is being read by governments or monetized by service providers themselves. They are likely to demand more privacy. For example, in the case of a cloud storage provider, the demand might be that the cloud provider not know anything about what files are being stored on their servers. To the provider, the customer’s data would merely be a blob of indecipherable bits that means nothing to them.
Fundamentally, there is a clash between the demands of privacy and the demands of security. Say, for example, a storage provider wanted to ensure that their service wasn’t being used to host malware. They could, for example, use very powerful solutions – file scanning, sandbox testing, etcetera – to test all uploaded files. Notwithstanding the obvious effects on costs and server requirements, this would also be perceived as spying by many users. (In today’s climate, that accusation can quite easily destroy a company.)
The converse is also true: they could provide completely private storage, where all encryption is performed on user devices, and they have no idea what’s being stored on their sites. A service like that would certainly be abused by criminals. Because cloud providers have to meet legitimate customer demands for secure, private services, this creates a system that also shields illegitimate users’ activities from detection”.
Both examples above, of course, are at extremes – but they illustrate the tradeoff any cloud provider must make. They must strike a balance that suits their strategy and business model. However, this means that some level of abuse will be inevitable – and might even be viewed as an inevitable cost of doing business.
What should users take away from this? As we said above, some abuse will be inevitable. It doesn’t even have to be a vendor you chose; it can be a vendor that either another user or a cybercriminal chose. Some writers have implied that as computing moves to the cloud, users can abdicate some responsibility for their security to other parties (like, say, cloud services of one kind or another.)
Nothing could be further from the truth. Users must still take responsibility for their own security and adopt security solutions that work for them and put them in control. Obviously, this means different things for a family at home and a corporation with thousands of seats – but the principle remains the same. The user, and not the “cloud”, has ultimate responsibility for keeping themselves safe.