June 19, 2012, 10:48 AM — Despite all of the hand wringing over cloud security, major cloud security breaches haven't been grabbing headlines. The past year has seen major breaches, such as the ones that hit Sony and Epsilon, but we haven't heard much of an emphasis about the cloud being a weakness.
Part of this, of course, could be a simple matter of semantics. Some have emphasized Epsilon's role as a provider of email marketing services -- in other words, it's a SaaS company -- but the breach was a traditional spear-phishing attack used to gain access to email servers, not, say, an assault on hypervisor vulnerabilities.
Cloud providers, such as Dropbox and Google, have had their issues, but the major cloud-related problems have involved outages, not data being breached.
As more enterprise resources move to the cloud, it's inevitable that we will start hearing more about cloud incidents. Minor breaches have already hit GoGrid and the Microsoft Business Productivity Online Suite, but we've yet to see anything on the scale of TJX, the VA, RSA or any number of other on-premise breaches.
That doesn't mean that cloud-invested businesses can breathe easily. "Attacks that work now work so well that you don't have to come up with a new, complex attack methodology," says Chris Eng, vice president of research for Veracode, a provider of cloud-based application security testing services. "Cyber-criminals aren't going to spend a lot of time to come up with a new zero-day attack if they can just use the same old SQL injection attacks that have worked for years."
Hackers Set Sights on Cloud, But Not as a Target
One troubling trend uncovered in the Sony breach is that hackers view the cloud not necessarily as a target, but as a resource. Hackers used stolen credit cards to rent Amazon EC2 servers and launch the crippling attack on Sony.
"Everything the cloud offers to legitimate businesses it offers to criminals as well," says Scott Roberts, senior intelligence specialist at Vigilant, a security monitoring company. "It's becoming common for cyber-criminals to rent cloud infrastructure to set up spambots or to build out a malware command and control infrastructure. At $50 or $60 a month, attackers can take advantage of resources that a few years ago would be too difficult and too expensive to build on their own."