The dark side of PaaS in cloud computing security

Source: Internet
Author: User
Keywords: Cloud

The public cloud has great potential to reduce computing costs and increase adaptability, but shadowy forces are just as ready to take advantage of cloud delivery models such as "Platform as a Service" (PaaS). Arbor NX recently observed a Google App PaaS application acting as a botnet command and control (CnC) server. Google quickly removed the software, but the incident raised some interesting questions.

In the malware world this is not a new topic; it has previously been referred to as "Malware as a Service". Just as legitimate companies have moved into the cloud for the benefits mentioned above, cyber criminals have moved some of their malware onto "shared infrastructure" sites to make it harder to degrade, block, or take down. What is somewhat new is the increase in malware hosted on Google apps such as Google Reader, Blogger, and so on.

What caught my attention was how quickly the bad guys learned to use PaaS infrastructure for malware CnC services. It takes little imagination to anticipate them moving from using PaaS to control their malware to targeting IaaS applications next. The public cloud (SaaS/PaaS/IaaS) has a very persuasive value proposition in terms of cost, but "out of the box" IaaS provides only the most basic security (perimeter firewalls, load balancing, and so on), so applications that move into the public cloud need a higher level of host-based protection, such as Trend Micro Deep Security 7.0. These countermeasures can reduce the likelihood that an attacker compromises an IaaS host or takes it over as a pivot for a botnet.

If a malicious person buys an IaaS host, I think the service provider should monitor for this and treat it as a violation of its service level agreement (SLA) in order to stop the behavior. But how can service providers assess how their IaaS is being used without violating the confidentiality of the customer's applications? If they do not monitor usage, might they want to verify the identity of the customer? And what if the service was purchased with stolen personally identifiable information (PII) and credit card numbers?

Malware threats are old problems, but cloud computing poses new challenges.
