Cloud Danger: Drag and Drop Theft
With the growing momentum in the federal government for cloud computing and virtualization, this worst-case scenario will become reality for some agencies leading the charge into the cloud. Here's why:
Many cloud solutions involve virtualizing the server environment. Considering that a virtual server's disk contents and state will easily fit onto portable storage media, stealing data from your server just got easier. A virtual machine (VM) is an attractive target, because it's drag and drop theft: you can pilfer data without physically moving equipment, taking a forensic image, or performing any complex disk copy. Once I have a copy of your VM, I am free to hack away in my own environment without any time or security limitations.
In the cloud, your data are on the move. Not only will your data reside in an external network, but the service providers themselves can't promise you where the data may flow. Just ask Urs Hoelzle, senior vice president for operations at Google, who admitted this month that a widely covered Google outage was the result of Google routing traffic through Asia for a period of time. Considering Google's role in the cloud environment, the prospect of routing U.S. government data through foreign channels will certainly raise some eyebrows.
If your service provider has physical access to your environment, any person with access to the virtual servers can perform activity on your server. Think that some malicious activity involving your virtual memory would be logged or monitored? It's not likely; audit tools for much of the virtual-cloud space appear to be non-existent. This means I could easily perform some malicious activity on your server - such as copying a file containing personally identifiable information off your server - then roll back the state of the server to hide my activity. You'll never even know it was taken.
Odds are, your IT security policy doesn't address these issues. However, you can apply existing concepts and processes to this new paradigm to mitigate some of the risk.
Take your mobile device policy, for example: now that servers have gone mobile, it may make sense to extend your agency's mobile device policies to servers in the cloud. It would also be prudent to look closely at contract language to see whether the vendor can assure data will be domestically hosted and routed. If not, you just may end up having your confidential data routed through Asia.
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.