Public clouds help everyone! The good, bad, and ugly…

21 03 2013

The Good

Public clouds offer a growing set of capabilities to consumers, and their adoption is only growing. Gartner predicts compute-specific services will grow to $20.2 billion in 2016 (qtd. in Columbus). Whether you are looking for capital reduction, ease of access, quick provisioning, or the ability to scale massively, cloud takes the hard work out of it. Public cloud operating models support online registration and pay-as-you-go billing, which allows anyone with a credit card to consume the service. This new consumption model allows organizations and individuals to consume potentially massive amounts of resources with minimal upfront costs or technical know-how.

The Bad

Because public clouds are designed to accommodate the largest of capacity requests, they are typically built with massive supporting infrastructures and have access to near limitless bandwidth. As access typically only requires a credit card, it is readily available to anyone, even fraudulent consumers, hackers, or cyber terrorists. These “aggressors” can access and use cloud resources by registering with stolen credit cards or by compromising exposed resources that are poorly protected. It does not take much effort or money to get a stolen credit card in an “Amazon-Like Online Bazaar” (Riley). The fact is that fraudulent consumers can sign up through an automated system, make use of a stolen card, and begin to provision resources without anyone physically verifying their identity. As these models are typically pay-as-you-go monthly services, it can be weeks before a fraudulent consumer is identified through a failed billing. Since fraudulent activities can last for several weeks before remediation occurs, these aggressors can consume the resources and conduct their business at the cost of the provider.

The Ugly

Not only are these aggressors able to utilize a cloud for weeks, they are accessing resources that are “unlimited and can be appropriated in any quantity at any time” (Mell and Grance 2). This creates a burstable resource that may not have been available for fraudulent use in the past. Large infrastructure and bandwidth are generally expensive, and it would be risky for aggressors to procure and operate a legitimate environment for illegitimate uses. The risk of seizure would always be a concern. With massive cloud infrastructures, aggressors can provision, clone, and migrate systems around the world faster than was ever possible with physical infrastructure and without complicated malware. If IP addresses get blacklisted, they simply request a new one from the system and they are back online. Assuming for a moment you have access to three public cloud providers for only 20 days, each with five sites to provision to, each averaging five minutes per clone of a virtual machine, an aggressor could provision more than 82,000 virtual machines in 19 days. This is more than enough to spend a day causing havoc with a large, widespread distributed denial-of-service attack. In just the time it would take to identify and process mitigation strategies, even the largest of targets could be jeopardized. Though unlikely, the idea of cloud as an asset for aggressors on the internet should be acknowledged. What are the possibilities with this kind of resource in the wrong hands?

The Problem

Who is ultimately responsible for ensuring legitimate use of these massive public clouds? Is the service provider wholly responsible? Surely a provider cannot be expected to analyze all packets that traverse its network in search of malicious intent. Or should they? It would drive costs up and may be unrealistic in some situations. Service providers do share responsibility in reducing the amount of fraud in these environments, as it reduces available resources for legitimate customers. As a public cloud operator and evangelist of cloud services, I believe that these issues must be dealt with as a community. Everything is going to the cloud; it is important that organizations update their business continuity plans and practice a layered defense. Service providers must also develop policies and procedures to support the identification and removal of fraudulent consumers and aggressors. Finally, government agencies need to update policies and processes to deal with evidence gathering and forensic operations in these large multi-tenant environments.


Columbus, Louis. “Forecasting Public Cloud Adoption in the Enterprise.” Forbes. Forbes Magazine, 02 July 2012. Web. 04 Feb. 2013.

Mell, Peter, and Timothy Grance. NIST Definition of Cloud Computing. Publication no. 800-145. Gaithersburg: National Institute of Standards and Technology, 2011. Print.

Riley, Michael. “Stolen Credit Cards Go for $3.50 at Amazon-Like Online Bazaar.” Bloomberg. Bloomberg L.P., 19 Dec. 2011. Web. 04 Feb. 2013.




One response

25 03 2013
Kevin Reasor

Interesting post. I had not really thought about public cloud infrastructures being used to support/implement security exploits. I assume most of the normal security infrastructure would be in place for these public cloud vendors but they probably have to do more than a normal organization would to detect and address threats from within the inner network boundaries.
