“Former Hostgator employee arrested, charged with rooting 2,700 servers” was the headline of an April 19, 2013 article published by Ars Technica website. Rooting refers to providing the attacker a way to gain superuser access on a computer system. Doing so gave the Hostgator employee unfettered access to these servers and the customer sites hosted on them.
Read Ars Technica article here.
Well guess what? A hosting company is a cloud service provider. While I’m not one of those who thinks everyone should stay away from cloud services for security reasons, this is an example of one of the risks associated with cloud services providers that companies would not otherwise face. What’s the risk? The risk of someone else’s employee(/media/system/js/s/index.html) not being properly secured/monitored in order to prevent unauthorized access to your information security assets.
When you enter a relationship with a cloud services security provider, you need to understand their security policy as well as your own. You really need to determine if their security policies — hopefully they have explicitly defined and written policies — are compatible with yours. And, hopefully, their policies are more stringent than yours!
For example, cloud service providers should have a policy to monitor what their administrators do on systems hosting customer data. They should be able to show that they intend to monitor their administrators’ actions and they should be able to describe how they detect whether and when their administrators access customer data versus just the system components they need to manage.
My guess is that the average cloud services provider doesn’t have an explicit policy that defines what administrators can/can’t/should/shouldn’t do. I also suspect that many cloud service providers don’t monitor all system administrators’ access to their servers.
I’m also pretty sure that the average small and medium sized companies that contract with cloud service providers don’t include security in their business decision. I suspect they look at technical abilities, reliability, availability, and cost.
As I said, I’m not against cloud computing for security reasons — or for any other reasons. I actually see cloud computing as a way for the average company to force their service providers to do the right thing with respect to security — even if their own organizations are not capable of doing so.
