Out-Law News

Businesses urged to review cloud security features when selecting provider following study


Cloud providers may not have sufficient security in place to prevent malicious cyber attacks on organisations from within the cloud environment, according to a security consultancy.

Security consultancy firm Stratsec, a subsidiary of BAE Systems, said that businesses should check whether the cloud service security features are sufficient to protect against attacks.

Stratsec said it conducted a range of tests on "five common cloud providers" that revealed security failings with each of the providers. The researchers subscribed to each provider and then set up a 'botCloud' network from which they could launch a number of test cyber attacks on mock "victim hosts". The tests included running 'denial-of-service' attacks against the 'hosts' to disrupt services, as well as subjecting them to malicious software traffic which hackers sometimes use to steal information.

"The results of the experiment showed that no connections were reset or terminated when transmitting inbound and outbound malicious traffic, no alerts were raised to the owner of the accounts, and no restrictions were placed on the [virtual machines used to perpetrate the attacks]," Stratsec said in a blog.

The consultancy said that it was "relatively easy" to set up a 'botCloud' and that it required "significantly less time to build" and was more "reliable" than a "traditional botnet". In addition, it could be set up relatively cheaply, Stratsec said.

Organisations that have "mature technical security capability" would be more at risk from attacks launched from a 'botCloud', the researchers added.

"For organisations that are seeking to host their services on the cloud, if you have a mature technical security capability with your on-site solutions, you may find higher likelihood of compromise, reduced likelihood of notification attack and possible difficulties in investigation and response when you move toward Cloud hosted services," Stratsec said.

The security consultancy said that businesses looking at hosting services through the cloud should review whether cloud providers have features such as a "high-end firewall" and intrusion detection system, and check whether providers regularly test their "environment" for security problems, whether these checks are conducted independently and whether they can be validated.

"Be diligent in your investigations and consider how the cloud provider’s security model fits with your enterprise security architecture," Stratsec advised. "Think about services you are planning to host on the Cloud. Do not get tempted with ease of use and cheap cost. Be aware of a possible botCloud attack. The traffic that is coming from public Cloud providers should not necessarily be deemed safe."
