It very rarely happens to the computers I use every day. I’ve equipped them with so much defensive technology that if a magic spell transformed them into living creatures, those computers would look like ablative armor-plated armadillos. Very seldom do I get a message signaling an attempt by some Trojan program to infiltrate my system, and when I do, I can plainly see the infiltrator has already been quarantined. It always gives me a bit of a proud smirk, and for some reason, it makes me talk with a really bad Russian accent.

No, it’s not me. It’s my teenage daughter, the one whose computer still runs Windows XP, who plays Flash games online, who has just this year discovered Doctor Who, and who collects pictures of cats with funny captions that, for some reason, are best read with a really bad Russian accent. It’s my fault that I only get a chance to run a security scan on her machine every few weeks or so. She’s not a Facebook member, has never played or is even interested in Farmville, and like her father, never abbreviates a phrase willingly. Compared to her friends, she’s a Luddite. And last week, her system was plagued with no fewer than 12 severe-level malware incursions.

Not one of these malware packages was designed to capture keystrokes or ferret out her credit card numbers or lay waste to the hard drive. They weren’t interested in her at all. In fact, as my research uncovered, they all had the exact same purpose: to serve as stealth middlemen for malware intended for cloud service providers — most prominently for Amazon, but also Rackspace and some others. As my daughter relates it, she stumbled onto one website purporting to be an antivirus service. Skeptical, she tried to exit, but was met with one of those unfathomable dialogs — something like, “Do you know what you are meaning? Yes if so, No if continue.” She clicked something at random, then tried to abort by powering down the system, but by then it was too late.

All security experts with whom I’ve spoken in the past four months have confirmed this mind-racking statistic: More unique instances of malware incursions have been tracked by security software in the past 18 months than in all the preceding 18 years. Put another way: If you’re truly serious about the safety of your business’ intellectual assets, how long as it been since you ran a scan on your kids’ PC?

“The volumes have gone up tremendously; antivirus test labs show this in their trend graphs. It’s phenomenal growth of volume of malware,” reports Ian Moyse, EMEA channel director for cloud-based security company Webroot. “We’ve seen over 2,500 Web sites go online, on average, per day that are malware-infected. If you add phishing attacks... anywhere between 60% and 70% of reported customers are still getting infected by viruses, and a Gartner stat says over 80% of corporations are already infected by spyware and do not know it’s there.”

Researchers believe most of these 2,500 sites per day are designed to look like security software (the preceding hyperlink is safe and shows legitimate examples). Encountering one of these pages is as simple as trusting the results of a Google search for the name of a Trojan (for example, Trojan-Downloader.Win32.Murlo.lib) that was uncovered and reported to you by a real antivirus program. So you run the risk of infection simply by researching the thing that tried to infect your system the first time. Many of these sites are disguised as blogs from security software providers, some of whose articles pretend to focus on the very subject of fake antivirus sites.

The long and short of it is this: Were it not for my personal vigilance, your business’s cloud applications or databases or virtual desktop infrastructure may have been the target of an unwitting attack by tens of thousands of PCs operated by folks as innocent as my daughter. When your enterprise’s digital assets are hosted in the cloud, whose responsibility is it to protect them?

Cloud Wash

It’s a more nuanced question than you may think. In a survey conducted in the first two months of 2011 by the UK-based Cloud Industry Forum (of which Webroot is a member), 450 businesses worldwide that are either currently cloud customers or plan to be customers soon, were asked about their feelings and motivations.

In their responses, 64% of businesses believed security to be a significant worry. Some 62% said privacy was a chief concern. Elsewhere in the survey, 53% of respondents (including 49% of companies with over 200 employees) said their main reasons for wanting to adopt the cloud fall under the category of flexibility, which the survey defined as the ability to adapt to changing business circumstances. The cloud itself is a changing business circumstance, and part of the flexibility it enables for customers is to outsource some degree, if not all, of their administrative tasks to cloud providers.

So while customers’ main motivation may be to offload the burden of security administration to someone else’s shoulders, and emerging more “flexible” in the process, at the same time they’re concerned those shoulders might not be strong enough.

“Adding fuel to the fire has been the recently publicized leaks by Nintendo, Sony, and Epsilon, and some smaller localized ones, which rightly or wrongly, a lot of the press has reported using the word ‘cloud,’” notes Webroot’s Moyse. “So it is giving customers the impression of, ‘Well, hang on a second, these leaks are only happening because they’re in this wondrous, theoretical substance called ‘the cloud.’” For many, the term “cloud” has come to mean the undisclosed location for all the world’s Internet-accessible databases, or any indeterminate technology used to access those databases.

Epsilon is the e-mail service provider for corporations such as Walgreen’s drug stores, Marriott hotels, and TiVo. It suffered a security breach last March, which one security firm reported as a “cloud provider” breach — quotation marks included. That led to reports characterizing the breach as a fault of the cloud, even at the expense of framing it as a fault of Epsilon.

“The cloud is really outsourcing,” says Chet Wisniewski, security analyst for Sophos, which was one of the security companies that drew that connection. “Having somebody else take some burden of infrastructure, services that you could provide in-house and instead choosing to have someone else do it. Yes, you could call the lunch I had at the hotel ‘cloud catering,’ because a company that wasn’t owned by the hotel came in and prepared the food. But if I was poisoned by that food, I’d still hold the hotel liable.”

The indeterminacy around who’s responsible for cloud security breaches could, in itself, be considered a security vulnerability.

The Cloud Security Alliance is a worldwide consortium of cloud providers and corporations with significant interests in cloud services. In drafting the most extensive best practices documentation to date from any cloud-related group, the CSA proposed a single, unifying principle that would compartmentalize security responsibility in accordance with class of service.

“In an IaaS [Infrastructure as a Service] deployment scenario,” the CSA recommends, “the customer has a greater degree of control and responsibility than in a SaaS [Software as a Service] scenario. From a security control standpoint, this means that IaaS customers will have to deploy many of the security controls for regulatory compliance. In a SaaS scenario, the cloud service provider must provide the necessary controls. From a contractual perspective, understanding the specific requirements, and ensuring that the cloud services contract and service level agreements adequately address them, are key.”

Applications hosted in the cloud, such as the Web apps featured in Microsoft Office 365, are generally perceived as software installed on and hosted from someone else’s system rather than yours. From that perspective, the warranties of merchantability and security from the SaaS provider should be no different than for any other software vendor, when you take the CSA’s recommendation into account. By contrast, virtual desktop infrastructures — where entire data centers are moved to cloud providers, and delivered to customers often via thin clients — are technically mirror images of the same data centers that enterprises were managing for themselves. And since those same enterprises would continue managing them, technically speaking, they would remain responsible for the security of IaaS systems, both physical and virtual.

Alas, nothing in the real world (except this sentence) is in black-and-white. In dissecting the mixture of services to which cloud customers subscribe, and then accounting for the collections of cloud resources which they must share, this simple “line-in-the-sand” delineation of responsibility falls apart.

No one makes that fact any plainer than the CSA itself, which in a July 2010 re-examination of its own recommendations (PDF available here) made this pronouncement: “The multi-tenant architecture of the cloud means that many of the infrastructure services, such as the network and data storage technologies, are shared with other applications. Since these applications will often be from different organizations, the relationship between application and underlying infrastructure changes, especially the assumption of being contained in a private environment. These changes should be reflected in a corresponding modification to the application’s threat model.”

The implication here is that every cloud deployment should have a unique threat model assessed for it. After all, the proliferation of “hybrid clouds” that are private here but public there, should by definition render security a variable. A unique threat model may seem reasonable and even prudent on the surface, but in light of all the factors involved today, it may be impractical.

For one thing, a great many cloud customers are, in themselves, service providers — companies providing accounting, data management, recordkeeping, and other services on behalf of their own customers. They’ve already warranted to those customers that they’re responsible (to some degree) for data security. They are not in a position to sign away that responsibility to a SaaS provider such as Salesforce.com, NetSuite, or Riptide.

“If you have sensitive customer information and you put it out in the cloud,” Sophos’ Wisniewski points out, “the only person who has legal responsibility for that data is you. So if your cloud provider screws up and that data is released, you’re on the hook. You’re responsible for protecting your customer information, and doing due diligence to ensure it’s protected.”

Doesn’t that make it not only more important, but more difficult, for cloud customers to take charge of their own deployments? “Absolutely,” responds Wisniewski. “And the problem is that it’s damn near impossible to do. It gets really sticky when you start looking at regulatory situations. If I outsource something to Rackspace’s cloud service, for example, it could be running for one minute on a server in China, the next minute in Russia, and the next minute in London — or all at the same time if I’m representing three different customers. If they access their servers from one region, they may each be located in another region.”

Here is where the issue of geography destroys altogether the CSA’s perfect dream of simple polarity. Countries and continental governments such as the EU have wildly varying regulations with respect not only to the protections that any Internet service provider must give to customers, but also the exceptions that enable the governments themselves to bypass those protections for investigative purposes. Almost none of these laws were passed in the cloud services era — they mainly pertain to the period where dial-up customers logged on and used Netscape (or Mosaic) to download songs and post family pictures to GeoCities. So while one territory may hold an ISP (and thus, by extension, a CSP) completely responsible for every bit of data entrusted to it by its customer, another one just over the river may absolve an ISP from that same responsibility, providing it “safe harbor” from any legal incursion (such as a security breach) perpetrated by its customer, including on account of negligence. In the United States, questions of legal responsibility are resolved on a case-by-case basis, and may vary dramatically across states’ boundaries.

As if the rubble weren’t fine-grained enough, there’s yet one more layer of diffusion, which Webroot’s Ian Moyse perceives as being generated by the cloud market. Customers are being misinformed by various competitors, he says, using language that’s cloudier than their own services. As a result, it becomes impossible for customers to determine legally who’s responsible for technology they don’t understand practically.

“I think the industry and vendors ought to step back and understand, how does it feel to be a customer right now?” states Moyse. “We’re all assuming the end customer understands all this technology.” Some CSPs such as Salesforce.com provide all-in-the-cloud solutions, Moyse points out. But an abundance of competitors try to be sound-alikes, some of whom are about as legitimate as those fake security companies my daughter encountered. In-between are other vendors that use a technique called cloud-washing — repackaging older services such as e-mail, auctioneering, and accounting as though they were cloud-based. The result for customers is not only confusion about what to purchase, but also their final degree of responsibility for what they finally do purchase.

“We have private cloud, public cloud. We have SaaS, PaaS, CaaS, and there are a lot more. I live and breathe the cloud, so I know what those terms mean,” continues Moyse. “So I could take it for granted and say, ‘I’m a SECaaS solution (Security as a Service), whereas they’re just a PaaS...’ The average customer, where do they stand? We’ve done an incredible job in bringing a new form factor to market. It’s not a new technology, but a new way of delivering that technology. There’s nothing fundamentally invented or mind-shatteringly new. It’s utilizing technologies that already existed. Small businesses can now access more powerful applications, more computing power, at a price they can afford. But we’ve acronyzed the whole thing. We’ve made it sound so complex, and everyone has thrown their name into the pot to say, ‘We deliver these solutions!’ So what we’re experiencing is, customers are turning their back on it. It’s just too much.”

First Admit Your Fear

An April 2011 study of 127 cloud service providers worldwide (103 in the US) conducted by the Ponemon Institute on behalf of CA Technologies (PDF available here) revealed data points that, on the surface, contrast as starkly with the perspective of cloud customers as good with evil in a manga movie: Only about one-fourth of cloud providers surveyed in the US, and three of ten in the EU, believe they have a principal responsibility to the security of their customers’ data. Only about 19% of providers said their security services give them a competitive advantage, and about 23% of US providers (35% in the EU) believe their own IT departments are strongly concerned about the security of their cloud computing resources.

Why do cloud providers believe their customers choose them? To reduce their own costs, of course.

The take-away from this survey was inevitable, essentially boiling down to “Cloud Providers Don’t Care About Security.” Wrote noted IP attorney Rich Santalesa, “If accurate overall in the industry, the cloud provider landscape is in need of serious change.”

As an artist will tell you, most landscapes are comprised of points of color which, when viewed up close, may not resemble any part of the land whatsoever. While Ponemon was conducting its research, the Cloud Security Alliance was refining its recommendations to member CSPs. Among these recommendations is this revealing declaration: “The cost reductions need to be balanced against any vulnerability increases with respect to security and availability. The risks may be mitigated by increasing security measures, but the costs of doing so must be deducted from processing cost savings. Cloud service providers offer security services, such as access management, multiple copies of systems and data, and encryption, which the customer can invoke in order to raise the security level and reduce risks of data compromises and exploitation for fraudulent purposes. There are additional costs related to invoking these services and the customer has to determine whether any particular security measure is worthwhile or whether the cost of increased security outweighs the economic benefits of cloud computing.”

Or, to put the picture in Living Color, if a cloud provider were up-front about the fact that security costs money — including to a certain research firm — it might drive the customer away. Maybe it’s not so much that cloud providers don’t care about security. They don’t want to scare their clientele.

BlueLock is an Indianapolis-based private cloud services provider whose marketing strategy begins, quite literally, by explaining to prospective clients what it does not do. The first sentence of explanation on its Web site reads, “So much about cloud computing is hyped up and irrelevant to the enterprise.” Obviously, BlueLock has been combatting the very trend Webroot’s Ian Moyse so bluntly identified.

In negotiating service deals with clients, says BlueLock CTO Pat O’Day, the company is very explicit about the definitions and extent of its services, some of which include security. In so doing, O’Day tells us, some customers actually discover terms of their own service with which they were completely unfamiliar — how their data centers work today.

“When we ask the question, ‘How are you going to do intrusion prevention?’ and they say, ‘Well, we don’t know,’ we can offer our service. If they’ve already got that covered because, say, they’ve got a contract with IBM, then we know that’s under control... Most clients today already understand firewall technology and its importance. So they’re really looking at, do they have their own staff who are comfortable running firewall technology, or are they looking for the provider (us) to take care of that for them? That’s a pretty easy conversation; 95% or more are ready to talk about firewalls. It’s when you get into a conversation around pro-active scanning or data leakage that the conversation gets a little more educational, unless they’re already required to comply with a specific standard that covers that.”

All online merchants that accept credit card payments must comply with the standards of the PCI Security Standards Council, one of which is enabling servers to be periodically scanned for vulnerabilities. Simply because those servers are moved to the cloud does not change this mandate. However, O’Day says, BlueLock does facilitate PCI security scans for some of its clients, providing security even in situations where it’s not BlueLock that’s legally mandated to do so.

Meanwhile, clients that are not bound by a mandate like PCI may not even know what periodic security scans are, says O’Day, and therefore, they’ve never happened before. Moreover, they’re skeptical about paying someone else to do these scans, often because they’re not comfortable with the idea of exposing their own weaknesses. “That’s where things start to get a little scary, in terms of how you set these questions up.

“I think in terms of the day-to-day, month-to-month operations, when we get into that detail, that’s where a lot of people become uncomfortable. But it’s when we talk about the business problem that we solve, that it becomes uncomfortable in a different way,” O’Day continues. For instance, BlueLock may lay out a plan for how a client’s cloud service will be regularly administered. Just seeing the details of that process spelled out on a chart can be bewildering, and even scary, for some clients, says O’Day. Many are introduced to new categories of administrative, legal, and structural risks which they face right now, in or out of the cloud, that they’ve never even heard of.

Then when the press covers a massive breach event, such as the Spring 2011 series of hacks into Sony’s PlayStation customer database, “the idea of data leakage all of a sudden comes to the forefront,” he continues. “They can understand the technological concept; they don’t understand the scope of what the damage could be. ‘Are my competitors really going to come in and take my data?’ They don’t understand what the impact is, and they really don’t understand the likelihood. Until some of these stories came out recently, I think anybody in the defense industry or who has strong intellectual property [such as a publisher] was already worried about data leakage, because there were real, financially-impacting incidents. But from a mid-sized enterprise perspective, it wasn’t perceived as happening that often.”

One of the direct implications of the Cloud Security Alliance recommendations is that security issues are actually introduced into the cloud by customers, especially when their existing infrastructure hasn’t been fully scanned and cleaned. This leads to the possibility of security risks compounding themselves, where one customer is impacted by another’s vulnerabilities.

BlueLock offers security services as VMware-branded extras on a kind of a la carte menu. It’s this menu which helps get customers over the hump, by letting them pick and choose security options that let them shift some of the burden to the CSP while keeping the final tally inside the range of affordability. The result, O’Day tells us, are client deployments that pose less of a danger to each other.

“The founders of this company all came from the data center industry,” notes BlueLock’s O’Day. “So we were already used to inheriting the lowest common denominator of everyone’s security issues. If someone’s environment wasn’t fully patched, they would get hacked, they’d suck up a tremendous amount of bandwidth, and that would impact other customers. We already had a lot of thinking in terms of how to manage that risk. That’s a big part of the reason why we built our platform on VMware rather than general software we put together ourselves. There are already things that VMware’s core infrastructure handles really well, in terms of isolating customers from each other.”

The problem, simply put, is fear. It’s where this whole exercise begins; it’s what brought us to this point. There’s a fear of not knowing what’s going on inside your systems. It’s the same fear if you’re 14 or you’re 41, if it’s your PC or your data center. But beneath that, there’s a deeper fear of finding out. Because then comes the real test of whether you’re responsible for the consequences. Do you know what you are meaning? Yes if so, No if continue.

Responsibility, as we’ve just seen, means different things to different people. Cloud services give businesses a way to delegate the burdens of administration to experts, and the result can be a safer data center. Yet while one way or the other, you can delegate responsibility, both on paper and in practice, it’s impossible to shirk the duty of awareness. “I just didn’t know” is the kind of excuse that only works for teenagers.

See also:

• Todd Weiss’s Clearing Up The Cloud blog
• The Crowded Cloud: Making Application Consolidation Pay Off
• How Well Do You Know Your Cloud Provider’s SLA?
• The P2P Debacle: Are You the Leaker of Classified Data?