Criminals Lurk in Cloud Computing

Most likely, you are working in a cloud. I don't mean it as an insult. I mean it as fact. According to a recent survey by the Pew Internet and American Life Project, 69 percent of Americans store data online (think of photos uploaded to the Kodak Gallery Web site) or use a Web mail service like Gmail or access other applications and documents that reside on a server, usually a web server, that is not their own.

It's called cloud computing, where the "cloud" is a metaphor for the Internet. Users supply the data and the cloud (read: "someone else") provides the processing. Such services promise us a lot, namely the ability to work and access files no matter where we are, easily share work with others, tap into massive computational resources, and avoid complex information technology infrastructure overhead, as long as we have Internet access.

But as with many compelling new technologies cloud computing is accompanied by a host of security and privacy concerns. Data that may have otherwise been (more or less) secure within the confines of an individual's personal computer or corporate network is now vulnerable out in the cloud on someone else's server. Ceding power to third parties is not a good idea, whether it be an online company or an Internet service provider (ISP). We must carefully consider whom we trust and how much.

Part of the problem is the amount of data pouring into the cloud. Individual users and large organizations pour tremendous amounts of sensitive data into the servers of online companies. From innocuous-appearing search queries to data files submitted for processing, what at first seemed inconsequential may become larger than the Library of Congress when aggregated over time and across many individuals and organizations. 

Users are making more than 11 billion search queries per month in the United States alone, and search is just one service amidst hundreds of other offerings. These troves of data, data that we've placed in the hands of online companies, paint incredibly detailed portraits of our personal and professional lives as well as reveal the tactical and strategic operations of our employers. The value of this information is unprecedented and is coveted by criminals, businesses and governments world-wide and is often exploited by the cloud computing service providers themselves in a variety of ways, including targeted advertising, user profiling, and by selling the data to suspect data brokers.

If history has taught us anything about digital data, it's taught us that it's slippery, sometimes spilling by accident, other times by illegal access. Many online applications fail to protect the confidentiality of data in transit between the end user and the service provider. Any network eavesdropper can easily snare the data. Similarly, ISPs have the ability and incentive to modify communications. We have already seen initial forays by ISPs, such as the Canadian ISP Rogers, who inserted content into some of their customers' Web pages as they surfed the Internet. The key idea here is that we can no longer trust that the information we exchange with an online company hasn't been tampered with, which undermines a core requirement of cloud computing, trusted network access.

Another related weakness is that many online companies do not employ encryption, the scrambling of messages to prevent unauthorized access, for their communications with you. Similarly, most services verify your identity through a simple, and often easily compromised, user ID and password combination. Technology exists in the form of encryption and multi-factor authentication, using a combination of things you know (e.g. a password), things you have (e.g. a special hardware token such as an identification card), and things that are uniquely yours (e.g. your fingerprint) to help counter these problems.

However, and this is important, these authentication technologies do not help protect the user from the online company itself. The online company is a trusted partner in the communication and must be able to decrypt your data in order to perform most of the services it provides; allowing them unfettered access to your data. The robust authentication allows the company to uniquely identify you; a dangerous combination. 

The fact is I don't trust most online companies all that much. The prevalent business model on the Web is advertising funding free services. The services aren't actually free; we pay for them with micropayments of personal information, such as the contents of our emails, word processing documents and search queries. From a business model perspective, it is in the best interest of online companies to create detailed profiles of their customers to provide highly targeted (and hence far more valuable) advertising and to share or sell this data with others. 

I'd like to point you toward a cure-all that alleviates the risks of cloud computing, leaving only the benefits. Unfortunately, no such solution exists. For now, I recommend keeping your data close to home. If you must share it, share it only with companies that you trust. Even better, encrypt the data in transit, and when possible, encrypt it on the cloud computing provider's servers, where only you have the key.

Configuring your browser to delete cookies after each Web browsing session and to block third party cookies altogether are two other strategies that I strongly recommend. Research in truly anonymous cloud computing is ongoing and I'm optimistic that we will see significant advances in the next decade.

Cloud computing promises much but comes at great risk to the security and privacy of those that use it. Control of the software application resides with someone else as does the data. For now, cloud computing is dark and ominous. Tread carefully.

Greg Conti is an assistant professor of computer science at the U.S. Military Academy in West Point, New York. His research includes security data visualization, usable security and Web-based information disclosure. He is author of Security Data Visualization and the forthcoming Googling Security, which is due to be released this month. Conti has spoken at a wide range of academic and hacker conferences, including Black Hat, DEFCON, RSA, and the International World Wide Web Conference.

The views expressed in this article are those of the author and do not reflect those of the Discovery Channel nor the official policy or position of the U.S. Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.