Make the provider responsible
There are three major types of threats that are made easier with cloud computing: denial-of-service (DoS) attacks, cryptographic analysis and code-breaking, and command-and-control activities. Hacking from the cloud makes perfect business sense, but when the clouds attack, who is responsible?
One day, cloud providers may be held partly responsible for taking preventative action, using familiar checks and balances to prevent malicious use of their services while still offering customers the advantages of the technology.
With just three simple steps, cloud providers could change the dynamic today and deter potential attackers from abusing their services. The first step is credit checks. Cloud providers could require potential customers to complete a personal or company credit review to rent services. Second is ID verification. Providers could verify that the customer's identity and credit card number are genuine. And third, providers should occasionally check on a consumer's activity, perhaps with preapproval from the consumer.
Many service providers and customers alike will balk at any potential restrictions on cloud use. Although monitoring cloud user activity may effectively stymie malicious activities, it also violates the basic assumption that a consumer's use of the cloud is completely private and that data can be encrypted to deny third-party visibility/access.
Yet every cloud provider should be thinking about these issues. Otherwise, public, legal and industry perception may shift to consider providers that don't put safeguards in place as at least partially responsible for attacks launched from their servers.
From the June 2011 issue of SC Magazine