Why Cloud Computing Needs Security

Bribery, extortion and other con games have found new life online. Today, botnets threaten to take vendors down; scammers seduce the unsuspecting on dating sites; and new viruses encrypt your hard drive’s contents, then demand money in return for the keys.

Startups, unable to bear the brunt of criminal activity, might look to the clouds for salvation: After all, big cloud computing providers have the capacity and infrastructure to survive an attack. But the clouds need to step it up; otherwise, their single points of failure simply provide more appealing targets for the bad guys, letting them take out hundreds of sites at once.

Last Friday, Amazon’s U.S. site went off the air, and later some of its other properties were unavailable. Lots of folks who wouldn’t let me quote them, but should know, said that this was a denial-of-service attack aimed at the company’s load-balancing infrastructure. Amazon is designed to weather huge amounts of traffic, but it was no match for the onslaught.

When it comes to online crime, the hackers have the advantage. A simple Flash vulnerability nets them thousands of additional zombies, meaning attacks can come from anywhere. During Amazon’s attack, legitimate visitors were greeted with a message saying they were abusing Amazon’s terms of service, which could mean that those visitors were either using PCs that were part of the attack, or were on the same networks as infected attackers. The botnets are widespread, and you can’t block them without blocking your customers as well.

Other rackets give the attacker an unfair edge, too: It takes an army of machines to crack the 1024-bit encryption on a ransom virus, but only one developer to write it.

A brand like Amazon can weather a storm, because people will return once the storm has passed. But just look at the Twitter exodus to see how downtime from high traffic loads can tarnish a fledgling brand. Slideshare survived such an attack in April, and while many other sites admit to being threatened, they won’t go on the record as saying so.

Up-and-coming web sites are often great targets, as they often lack the firewalls, load-balancers and other infrastructure needed to fight back. And it’s not just criminals: In some cases, the attacker is a competitor; in others, it’s someone who just doesn’t like what you’re doing.

Fighting off hackers is expensive. Auren Hoffman calls this the Black Hat Tax, and points out that many top-tier Internet companies spend a quarter of their resources on security. No brick-and-mortar company devotes this much attention to battling fraud.

Wanting to survive an attack is yet another reason for startups to deploy atop cloud computing offerings from the likes of Amazon, Google, Joyent, XCalibre, Bungee, Enki and Heroku. But consolidation of the entire Internet onto only a few clouds may be its Achilles’ heel: Take down the cloud, and you take down all its sites. That’s one reason carriers like AT&T and CDNs like Akamai are betting that a distributed cloud will win out in the end.

Cloud operators need to find economies of scale in their security models that rival the efficiencies of hackers. Call it building a moat for the villagers to protect them from the barbarians at the gate. Otherwise, this will remain a one-sided battle that just gives hackers more appealing targets.