How you could be collateral damage of ‘hacktivism’

If you’re in the same cloud as a hack target, you could be hit, too

Earlier this week, I wrote about how computer security expert Hugh Thompson warned that hacktivism is a new security threat to watch for in 2011. The attention drawn to retaliation attacks against sites that cut off funding to the controversial site WikiLeaks.org last year could inspire others to use the same tactic. In this post, I’m going to address a related concern about how such attacks could inflict collateral damage against companies that aren’t the original target of the attacks.

Thompson, program committee chair for RSA Conferences, discussed new security risks in a Web cast Wednesday that was hosted by RSA. He previewed some of the security issues to be addressed in workshops at RSA Conference 2011 that begins Feb. 14 in San Francisco.

As you’ll recall, after WikiLeaks obtained 250,000 confidential U.S. State Department cables, then posted some of them online and shared them with news organizations, certain financial services firms severed ties with WikiLeaks so supporters could no longer make contributions to WikiLeaks through Visa, Mastercard, PayPal and others. In retaliation, WikiLeaks supporters launched distributed denial-of-service attacks against those companies' Web sites. Thompson, in his Web cast, said that even if your company isn’t targeted for such a hacktivist attack, you could be at risk if your data is handled by the same cloud service provider as the target of an attack. He calls it “collateral hacking.”

“If you’re using a cloud-based service and other tenants of that cloud are at more risk than you are, more vulnerable to attack or have more valuable data, what is your collateral risk?” Thompson asked.

To be sure, cloud providers tout the extent of their security defenses, and customers contracting for cloud service can specify that their data be managed in a single-tenant environment rather than a multi-tenant one. But security worries keep some customers cautious about moving to the cloud. Thompson advises “more rigorous threat modeling” by those contemplating such a move.

But, he adds, it’s not just an issue of what security a cloud provider offers, but what security they’re required to deploy under the service level agreement they sign with you.

“What do these service level agreements say and what are the policies of that cloud service provider, not just for you as a tenant, but for other tenants?” Thompson said.

Look for breakout sessions on such topics at the upcoming RSA Conference.

Copyright © 2011 IDG Communications, Inc.