Zalud report April 2011

Warfare in the cloud. Reginald Nowlin, manufacturing assembler for Harris RF Communications prepares racks of tactical radios. The gear extends wireless broadband tactical Internet connectivity to forward deployed areas of the battlefield.  

A major theme at this month’s ISC West in Las Vegas is the continued movement of security applications to the Internet, what some call “in the cloud” and others label Software as a Service or SaaS.

The approach, folks such as John Szczygiel of Brivo Systems, see value in the approach. It’s “pay as you go,” says Szczygiel. “No infrastructure is required.” The tight economy helps, in addition to the attraction of the Web. “The basic value of the model is sound. Rent, don’t buy.”

However, with any rental property, there are dangers and a less clear understanding as to who is the owner and what his or her responsibilities are.

That guy Justin Bieber knows.

The young singer kicked off his career on the Web and is the most searched keyword on Google. On the other hand, his music is among the most pirated; there are numerous scams centering on him and his profile; and there are scores of people pretending to be him or speak for him.

For those who have not kept up, cloud computing describes computation, software, data access and storage services that do not require end user knowledge of the physical location and configuration of the system that delivers the services. Parallels to this concept can be drawn with the electricity grid where end users consume power resources without any necessary understanding of the component devices in the grid required to provide the service.

Cloud computing is a natural evolution of the widespread adoption of virtualization, service-oriented architecture, autonomic and utility computing. Details are abstracted from end users, who no longer have need for expertise in, or control over, the technology infrastructure “in the cloud” that supports them.

The challenging bottom line, however, is that working, having data or running applications in the cloud have disadvantages and vulnerabilities as well as benefits.

Justin Beiber

Pity poor Justin Bieber. But piracy, intellectual property theft, scams and denial of service attacks are increasing in the Internet world. And, as security leaders move applications to the cloud, they need to be forewarned.

For example, the 2010 Internet Crime Report, released by the Internet Crime Complaint Center (IC3), highlights how pervasive online crime has become, affecting people in all demographic groups throughout the country. Last year, IC3 received 303,809 complaints of Internet crime, the second-highest total in IC3’s 10-year history.

IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more than two million Internet crime complaints.

The survey primarily centers on consumer complaints but also crosses over into business and enterprise incidents. On the latter, computer security and cloud computing experts warn that companies often purchase products and services for their dazzling features while forgetting to ask about or explore the security of the technology, especially in IP environments. See Global News & Analysis on page 12 for more statistics. New technology developed for IC3 allows investigators to collaborate on cases spanning jurisdictional boundaries. IC3 analysts also provide support for various investigative efforts.

“Internet crime has affected millions across the country, and the great thing about IC3 is that we have adapted our resources to meet this threat,” says NW3C Director Don Brackman. “We have implemented new tools to help law enforcement bring online criminals to justice.”

Gordon Snow, assistant director of the FBI’s Cyber Division, adds, “We encourage individuals to report Internet crime through the IC3 Web portal. The IC3 is a unique resource for federal, state, and local law enforcement to intake cases efficiently, find patterns in what otherwise appear to be isolated incidents, combine multiple smaller crime reports into larger, higher priority cases and ultimately, bring criminals to justice.”

There is no doubt that Internet Protocol and the Web browser are becoming the common interface when it comes to card access control, security video monitoring and retrieval, visitor management and mass notification, among other applications, work well in the cloud. The military has numerous cloud computing application in Iraq and Afghanistan – all of them have been designed with high level security in mind.

The security industry has been in the cloud for many years if you consider third party burglar and fire alarm monitoring as fitting into the definition. As enterprise security leaders move more forcefully to SaaS, there must be a complementary effort to cover the vulnerabilities, both old and new.the cloud, they need to be forewarned.