The New Bank Robbers: Emerging Cloud Threats

Willie Sutton, the famous bank robber, is credited with robbing more than 100 banks between the late 1920s and the early 1950s, when he was arrested, convicted and imprisoned. Sutton stole more than $2 million during his prolific crime wave. In an article published in The Saturday Evening Post in January 1951, a reporter asked Sutton why he robbed banks, to which Sutton allegedly replied, "Because that's where the money is." In his autobiography, Sutton denied that he actually he used those exact words, but then wrote, "That's what almost anybody would say… it couldn't be more obvious."

Modern-day bank robbers aren't using masks and guns, but rather computers and social engineering. As businesses move their intellectual property and client data into cloud technologies, it's clear that the new bank robbers are going to be found in the cloud. Why? The worldwide public cloud services market is growing tremendously. And they're not just targeting banks anymore, but any company where they can find data to resell, disrupt or exploit.

Gartner predicts that from 2013 to 2016, $677 billion will be spent by cloud customers to create cloud advertising and other business services. This estimate does not even include the billions of dollars of private cloud infrastructure investment. So when the new bank robber is asked why he is targeting cloud services, he will most likely answer, "Because now that's where the data is" -- so that's where the money is. And now your data will be in an infrastructure under which you have less control than you've historically had.

What are today's bank robbers attempting to do? Some are using cloud services to run their Zeus botnets and other hacking infrastructures up close and personal -- perhaps even from the same provider you use to house your precious cloud services and servers. And they're unleashing the zombies back into these cloud environments, with their eyes on your data.

[ Want more advice on cloud architecture? Read Cloud Architecture: Get It Right The First Time. ]

You should also consider the risk of a compromise by a nefarious cloud service employee with a level of control or access into your servers or applications that you may have never considered in the past. And how certain are you that your cloud provider has sufficient controls to prevent inadvertent leakage or destruction of your data in virtualized environments shared with many customers?

Other risks include hacktivists who target your service provider with DDoS attacks, rendering your business service unavailable for hours or days because the cloud provider didn't have the bandwidth or controls in place to contend with the attack. The recent DDoS attacks in the banking industry should give pause to any business intending to move their business services into a resource shared with other companies that may be targets of these efforts.

If you're sharing a joint authentication mechanism with millions of customers in a SaaS environment, then be prepared for the possibility of falling victim to an authentication breach that affects all of your cloud provider's customers. This type of compromise recently occurred to the note-taking service Evernote, and it required the company to reset the passwords of 50 million customers as a precaution.

Willie Sutton's alleged quote has become a part of American legend. Known as Sutton's Law, it is even used in medical schools to illustrate the point that one should first consider the obvious when diagnosing an illness.

So what are obvious considerations to protect against these emerging threats?

1. Know what data your company is storing in the cloud.

-- Don't find out after someone else publishes it on the Web or sells it to a crime syndicate.

-- Be aware what types of data your business is producing or holding during the initial stages of the project.

2. If you are storing any confidential data in the cloud, encrypt it.

-- Assume the data is going to be attacked and potentially leaked in the future.

-- Encryption increases the costs for hackers to gain access to your data and may thwart their efforts.

-- The hacker may simply turn their efforts to competitors who decided encryption was an unnecessary effort.

3. Have a Plan B for critical business services.

-- Assume that your cloud provider is going to have a disruption in the future.

-- Determine how much downtime you can handle and still remain profitable.

-- If you have low tolerance for downtime, consider purchasing more redundant services or distributing critical applications between multiple cloud providers for failover in the event of an emergency.

4. Choose a cloud provider that is aligned with your risk tolerance.

-- Assess various cloud service providers and choose that one that best fits your budget and risk tolerance.

-- Don't bargain-hunt for a cloud provider -- you may one day wish you had chosen a provider with stronger security.

Moving to the cloud should not increase your vulnerability to robbery if you take precautions against these growing risks in the new cloud marketplace.

Robert Malmrose is a featured speaker at Cloud Connect Chicago, taking place Oct. 21-23, 2013.