Providers shouldn’t promote the cloud as infallible, but their customers shouldn’t shirk all responsibility for protecting their own data once they enter the cloud either, a senior Microsoft Corp. security executive told the 2011 SecTor Security Conference on Tuesday.
“I don’t think cloud providers in general do a really good job of communicating what cloud computing will provide, as well as what it won’t,” said Bruce Cowper, senior security strategist in the Trustworthy Computing division at Microsoft Corp., in an interview following his keynote address at the annual event in Toronto.
After a lot of hype about the cloud being an uber-secure, ultra-efficient solution, various cloud outages in the past year – including one at Amazon in April and another last month at Microsoft Corp. that disrupted its Hotmail, Office 365, SkyDrive and Windows Live services for more than three hours – have grabbed major headlines and raised doubts about how reliable and secure the cloud really is. Those incidents have taught cloud vendors how important it is to communicate with customers quickly during an outage, and also to present a realistic view of what the cloud can deliver, Cowper said.
“Companies are being remembered for how they handled an incident, not what the incident was,” Cowper told the SecTor audience.
But the industry is getting better at keeping customers informed, he said, noting that Microsoft regularly updated customers about how the March earthquake and tsunami in Japan were affecting its cloud service in certain parts of the world as the disaster unfolded. That type of improved communication from vendors is helping to educate customers about the cloud overall, Cowper said.
“We’re slowly starting to set customer expectations around what cloud service is capable of,” Cowper said in his interview. “The challenge is that dealing with unreliability is often why people adopt cloud service in the first place.”
Cloud computing is still at a relatively early stage in the hype cycle, but some vendor claims are actually being challenged now. The Advertising Standards Agency in the U.S. said last month it was investigating a complaint over the accuracy of Microsoft ads guaranteeing 99.9 per cent uptime for the company’s cloud-based Office 365.
While providers have a responsibility to educate their clients and not oversell the cloud, customers must realize that their own responsibility for protecting their data doesn’t end the moment they sign up for cloud service, Cowper said.
In its latest security report analyzing data from 600 million systems worldwide, Microsoft found that less than one per cent of successful attacks during the first half of 2011 came from so-called ‘zero day’ threats (vulnerabilities with no available security patches at the time of the attacks). That means over 99 per cent of the incidents could have been prevented if users had just applied easily obtainable patches.
A new trend is that attackers are also moving to the cloud, hijacking valid Yahoo! and Hotmail email accounts following takedowns of their more traditional weapons like the Rustock botnet.
“The bad guys are starting to use cloud services to sort of achieve scalability on their side,” Cowper said, because email can be a cheaper, more efficient way to spread spam and other security threats.
Cowper presented plenty of proof that Canadians should be especially vigilant about such security threats. According to the Microsoft report, Canada is a hotspot for breaches, with three times more drive-by malware incidents than the rest of the world, and 47 per cent of all worldwide adware volume versus the global average of 25 per cent.
Why are attackers having so much success in Canada? Canada is a relatively wealthy nation with a respected financial system, he suggested, so many of the scams here tend to be fake banking emails that hook victims in because we trust our banks more than other nationalities do. Another possible factor is simply that “Canadians still have a long way to go to protect themselves,” he said.
Canadian SMBs who are in the cloud or still just considering it can protect themselves by asking cloud providers a checklist of questions, Cowper said. Those include queries about what type of certifications and audit procedures vendors have in place, what would happen in case of a security breach or service outage, and even very basic information about how data is stored and protected, he said.
“If you’re hosting in the cloud, how often do YOU patch?” he suggested as one question customers should ask their cloud providers.
“(But) don’t be surprised right now if you don’t get the answers,” Cowper added, since the cloud vendor channel is “still figuring it out too” as the entire sector matures.