Cloud Security Greatest risk: unclear security responsibilities

The advent of the cloud security era, the Internet's resources to share the characteristics of the ultimate, but also for cloud computing security controversy is also uproar. More and more companies are turning their corporate security into corporate cloud-computing security vendors, trying to use new technology to keep their corporate data from leaking. But in practice, because IT service customers take it for granted that their cloud providers should assume security responsibilities, this makes these customers vulnerable to attack. At the same time, virtualization and cloud computing also play a role.

"Security and cloud hosting are two separate things, and the cost of getting started is very low and often simple," said Ezra Gottheil, an analyst at the Science and technology Business Research company responsible for server issues. Customers may not spend a lot of time thinking that they should be responsible for their safety. "

In a report released this week, Gartner, a market-research firm, said the security responsibilities of cloud computing were unclear. They consider it necessary to obtain a list of information about how cloud services work and a service-level agreement that clearly identifies the customer's expectations and requirements.

In March this year, the Cloud Security Alliance conducted a study that identified seven top security risks in cloud computing, one of which was that customers ignored security practices and that service providers refused to provide information to address this security risk. Cloud projects and the risks they face may become extremely complex, according to research from the Cloud Security alliance. Now the advantages that the cloud has shown and some groups are actively promoting cloud deployment. Worryingly, these groups may not be able to follow the security situation.

451 Group analyst Josh Corman said the nature of the cloud computing business meant that many customers or potential customers did not know how they were exposed to risk when they placed a website or company application on other people's hardware.

Even if this is not the case, most cloud and site hosting clients assume that their service providers have the security responsibility to protect their sites, says Chris Drake, chief executive of Firehost, a cloud provider responsible for hosting and protecting customer application security.

How cloud customers suffer

Lawleaf, a financial services company, is a recently developed customer Firehost, whose main business is to provide loans to those who raise money for lawsuits. After an attack that almost led to the company's demise, Lawleaf eventually gave up the network hosting provider they had chosen to Bluehost.

Tim Burke, general manager of Lawleaf, said he started running the company with little money in 2007, when his main job was to sell member-management software to non-profit companies, which was only one of his sideline businesses. He initially chose the Bluehost escrow lawleaf.com, the reason for the Bluehost choice was the company's reputation and the 6.95-dollar service cost per month. Burke said he was quite satisfied with Bluehost's service before lawleaf.com began to go downhill earlier this year.

In January of this year, Lawleaf.com was attacked by SQL injection. The attacks caused frequent crashes and, worse still, web sites that were forced to install malicious plug-ins on unsuspecting users ' computers. By February, Burke said, the site would crash two times a week, and by March, the site's crash rate had reached a single day.

The download of the malicious plugin made Lawleaf a warning from Google. Burke said that if Lawleaf does not fulfill its security responsibilities to solve the problem, then Google will prohibit their site appears in the search results list.

Because most of Lawleaf's business comes from its own web site, frequent crashes have caused the company's business to decline, affecting the company's credibility.

"We lost a lot of business because of the website problem and we lost thousands of dollars a day," Burke said. What worries me most is the lawyer who recommends our service to clients. The client provided us with confidential documents, and the lawyer recommended us to the client for financing. If our website is being hacked every moment, then the customer will not trust us at all. "

Fortunately for Lawleaf, the client files sent via email have not been compromised. Despite this, Burke said, every collapse of the site has had a serious negative impact on the company's reputation.

Burke points out that when the site crashes, Bluehost will alert him and make some preliminary analysis to determine that the problem is not on their server. Bluehost has never taken any further action to solve the problem, he said.

"They just keep telling me to kill the virus or close our pages," Burke said. I tried many times as they said, but the website crashed. "

Bluehost Company's focus is to provide low-cost hosting services for customers and smaller companies. In addition to a monthly fee of only 6.95 dollars of basic services, they do not provide a higher level of service, and will not respond to customer response to multiple issues.

As the lawleaf.com problem has not been resolved, Burke replaced the service provider for Firehost. Firehost promises to prevent future attacks or prevent them from occurring after an attack. Burke says they now pay 400 dollars a month for service. After taking over the lawleaf.com, Firehost separated the PHP based page and cleared the problem code.

Drake, chief executive of Firehost, said: "In fact, Lawleaf has done a good job of shutting down the PHP page." But the problem persists because there is a large amount of SQL injection code in the database. "

Burke is called a better service, and they've paid a lot of money to Bluehost. So far, Burke still believes that Bluehost should be responsible for the site security, has the obligation to solve the problem of malicious plug-ins.

Although Bluehost's commitment to the normal operating rate and reliability of up to 99.5%, but the company did not take responsibility for lawleaf.com security issues. "In this case, I'm not sure it's a mechanism," said Gottheil, an analyst at the Science and technology business research firm. However, since SQL injection attacks are often attacked through their own web pages, it is the customer's responsibility to guard against such attacks, regardless of whether the customer knows it or not. "

The Lawleaf and Bluehost cases show us why cloud computing customers need to figure out who should assume security responsibilities.