Lots of companies and home users “have their head in the clouds” moving their services, servers and data to the cloud without realizing they are using the cloud since a decade already and they have never given any thought about security of using services from the cloud. Even now, with financial incentives, they do not consider or look at the security implications at all.
Where does a network stop these days? Where does the business network stop? This is not easily definable anymore. Today, networks lacks clear crisp boundaries and it becomes more and more difficult to define what the real inside and outside of the corporate network is. It even becomes more and more difficult for normal users to protect themselves and to detect the real risks behind every part of the network.
This problem is likely to increase and will become more and more problematic in the coming years. It seems as well that the cloud is becoming a part of our normal network these days. And we all use the cloud very intensively already. Even G Data has part of their products using the cloud and other companies do it as well.
With the launch and the announcements of various in-the-cloud OSes and mobile OSes we maybe have to think twice about what it will really mean for security in the future. And it is not only Chrome OS but also OSes like Joli OS, CloudMe, Glide and EyeOS. Apple’s iCloud is a little bit different, as it is more data-storage related and not an OS in itself but iOS and Android are also intensively using the cloud already, at least more than the traditional OSes.
The advantages
The advantages are obvious and very clear. First of all, we will always be up-to-date as patches or new features will be installed automatically . We won’t need to think about new product versions anymore, as we always will be using more or less the most recent versions.
Most software will be run in the browser. Of course we will be able to run browser plugins to create our own influenced desktop. So, most of the OSes and plugins or apps will run in some sandbox system, as this seems to be the keyword in all these cloud and mobile related OSes, products and services. And, most of the user data will be stored in the cloud for us to use it everywhere.
The risks
1. First of all, the sandboxing technology has been used in the past and exploits that breaking out of sandboxes has already been demonstrated for Internet Explorer, Java, Google Android and for the Chrome browser. So, it would be short-sighted to rely on for 100%.
2. The possibility to go back to a previous sterile state, which will be one of the nice features of Chrome OS, will be a very good security feature and will effectively neutralize any strange activity in the OS. Also, other mobile OSes have similar features coming up (e.g. iOS). The problem is that this process of setting back the machine can take longer than expected in some cases. And it certainly doesn’t mean that we will not have viruses or other malware anymore. It just means that the lifetime of the malware, which stays on the system or in the cloud, will be changing in the future. Instead of staying on the system for weeks and months, one day or even one browsing session could be more than enough to do harm to the system.
3. Another more problematic risk or threat is identity management. You can never be sure who is really who. Attackers can misuse your identity and this is exactly what is going to happen.
The cloud does not really know who you (physically) are. If attackers can get access to your network, the attackers can communicate with the cloud. As the cloud thinks it is still communicating with a trusted source (your network), lots of information can be intercepted or the cloud can be fed with lots of faulty data including self-replicating and non-replicating malware. The only way to stop this identity problem is to change to three factor identification, meaning that you have to use a password, a token and a biometric identifier to identify yourself. And even then, we suppose, we will see a heavy increase of attacks capturing browser sessions to authenticate as that specific user. It could become the rise of the network sessions attacks.
Although we have not looked into advantages and security related problems extensively, the issues mentioned above clearly show that the dangers and threats will stay but will move to different domains and vectors. This battle is definitely not finished yet!
Please note that the original post from this blog can be found at G Data’s Security Blog page.