Security Situation in Cloud Computing
Over a period of six months, the BSI evaluated various public sources, such as information portals and cloud providers' own disclosures, to assess the security situation in cloud computing. To be able to locate the recorded incidents, they were classified according to the IETF (Internet Engineering Task Force) cloud layer model and according to risk categories such as manipulation, information flow, service outage and privilege escalation.
In those six months, 404 incidents were recorded; 98 percent of them concerned service availability. This is explained largely by the fact that providers' self-disclosures almost exclusively refer to availability. Up to 78 percent of the service outages were located directly in the cloud service layer, where the errors usually occur in the software or during updates. Of the 317 outages in this layer, 92 can be traced back to technical failure, 13 to human error and two to deliberate acts; for the remaining incidents no information on the cause was available. The second most common location, with 12 percent (46 incidents), is the virtual resource layer. An outage in this layer means that the service software did not have sufficient virtual resources (processing power, RAM, storage and network services) available. Of these, six cases each were triggered by technical failure and by human error; in 34 cases the cause is unknown. The remaining 10 percent of the availability incidents concerned cloud management and physical resources.
99.9 Percent Availability of Cloud Services
According to the BSI report, most of the outages (377) were rectified within one hour, and a further 12 within four hours. It is particularly noteworthy that 91 or 92 of the 92 outages in the cloud service layer caused by technical failure were resolved within an hour. In summary, the evaluated cloud providers achieve an availability of around 99.9 percent, which corresponds to up to roughly nine hours of outage per year. This means that cyber attacks appear to limit the service availability of cloud providers only negligibly, as the providers have sufficient countermeasures in place. The BSI sees the greater threat to the cloud in another area, namely the theft of customer data. Customer data held at cloud providers presents an attractive target for data thieves, so complex attacks requiring great effort may be worthwhile for attackers. To meet this threat, joint efforts to prevent and detect cyber attacks are required, as well as a corresponding response by cloud providers.
IT Security: More and more cloud providers offer insight
It is to be welcomed that large cloud providers such as Amazon Web Services, Google, Microsoft and SAP now operate information platforms offering detailed reports on the current security status of various areas of their clouds. This gives customers more transparency and serves as a source for assessing the IT security situation.
Increase in criminal ransomware attacks
At the beginning of 2016, Germany was also hit by a massive wave of ransomware attacks. Malware is described as ransomware when it restricts access to data and systems and releases these resources only against payment of a ransom. The most common attack vectors for infecting systems with ransomware are attachments to spam emails, which are often sent via botnets, and drive-by download attacks via exploit kits. These are mainly untargeted mass attacks. As the attackers usually use cryptographically strong algorithms to encrypt user data, previously created backups are often the only way to recover the data; this presupposes that the backups themselves are not reachable, and thus not encryptable, from the infected system.
Understanding IT Security as an overall concept
According to the Federal Office's report, around 380,000 new malware variants are discovered every day. The most common ways of infecting a system with malware are email attachments and infection unnoticed by the user when visiting websites (drive-by downloads). Most of the time, malware is installed with the help of the user, which bypasses technical protective measures and allows attackers to infiltrate otherwise secured networks. Users can therefore no longer rely on traditional anti-virus solutions and firewalls alone. IT security should instead be understood and implemented as an overall concept that also incorporates user behaviour. For attackers it is easier to overcome the vulnerable 'human' element, which is often the weakest link in the IT security chain, than complex technical security measures that require a lot of effort. A company should therefore conduct relevant training not just once but at regular intervals as part of an overall concept.