The attack was simple: an email with a link to open up a Word document in Office 365, Microsoft's SaaS-based subscription productivity software.
In reality, the document -- pulled from a hidden site on The Deep Web -- exploited an Office 365 vulnerability. According to cloud security firm Adallom Inc., which detected the attack late last year, the attackers attempted to access files on the victim's SharePoint server. Had the attack succeeded, the data thieves would have been able to grab any information from the SharePoint server, without the customer -- or the cloud provider -- knowing anything was amiss.
"It's the perfect crime," Noam Liran, chief software architect for Menlo Park, Calif.-based Adallom, wrote in the analysis of the attack. "A crime where the victim doesn't know that he [has] been hit; a crime where there's no proof of any foul play anywhere; a crime where protecting yourself against it without being familiar with its modus operandi is next to impossible."
Microsoft, which patched the vulnerability in December, is not the only Software as a Service (SaaS) provider to attract the attention of cybercriminals. In fact, in the past 12 months, Adallom has seen similar attacks against four of the 29 cloud providers it helps secure -- three that the company helped to stop in progress, and a fourth attack that failed. An employee of another Adallom client, for example, had his home computer infected with a Zeus Trojan variant that targeted Salesforce.com and proceeded to attempt to download all the client's data from the cloud service. The attack, stopped after the first 100 records or so, exploited no vulnerability in Salesforce, and, according to Adallom, likely would not have been caught by either the cloud provider or its client.
The Office 365 and Salesforce.com attacks highlight that savvy cybercriminals are exploiting the information security gap between cloud computing providers and their customers. That gap exists because enterprises can't detect or control access to cloud data beyond their perimeters, and cloud providers can't -- or won't -- grant customers the visibility to see how their data is being accessed.
Other cloud security providers have seen attacks, as well. Skyhigh Networks Inc., a cloud-security firm that helps companies manage their cloud use, detected attacks that would likely have hidden in the visibility gap between cloud customer and service provider. One attacker attempted to exfiltrate data from a customer using Twitter, but was detected when the computer tried to send 100,000 tweets in a day.
Alert Logic Inc., which provides security for cloud infrastructure, has documented increases in attackers' focus on cloud services. The proportion of its customers facing brute-force attacks -- such as password guessing and other unsophisticated exploits -- increased to 44% last year, up from 30% in 2012; and vulnerability scans increased to 44% in 2013, up from 22% the previous year.
Vulnerabilities and no visibility
Vulnerabilities that allow access to cloud services are common, said Robert Zigweid, director of services for IOActive Inc., a Seattle-based security services firm that has performed security assessments for major cloud providers, including Amazon Web Services and Google Apps. He said cross-site scripting, cross-site request forgery, and weakly secured service application programming interfaces (APIs) are among the most common.
Although four detected attacks among the 29 providers Adallom secures may suggest an unusually high success rate -- Skyhigh's data, for comparison, ranges from 1% for business-centric services to 38% for consumer-focused services -- attackers are clearly looking for ways to gain access to valuable data in the cloud. And cloud providers' accessible-from-anywhere infrastructure appears to be less difficult to compromise than imagined, Zigweid said, arguing that these kinds of attacks are far more common than the available data suggests.
"When we do penetration tests these days, we assume that there is a compromised device somewhere in the environment, and we take the approach that you need to protect your data knowing that," Zigweid said. "This is especially true in the cloud environment and in a BYOD environment."
While tracking down and fixing such issues is necessary, the lack of visibility into what happens to a customer's data in the cloud is a more serious issue, experts said. While most cloud providers have declined to take responsibility for the security of their customer data in the cloud, many also do not offer their customers the necessary tools -- such as event logging or flexible alerting -- to allow them to detect anomalous access to hosted data.
"A lot of these issues -- database scraping and malware backdoors -- are very hard, if not impossible, to detect if you are the average customer," said Larry Ponemon, chairman and principal of the Traverse City, Mich.-based Ponemon Institute research firm. "The really talented bad guys understand these issues, and are likely finding ways to be invisible to both sides: the provider and the customer."
Bilked banks and lawsuits, redux
It is unclear how best to close the cloud data security gap that exists between enterprises and their providers, or even whose responsibility it is to do so; SaaS providers typically expect companies to secure their own data, while enterprises often expect their cloud providers to protect their data against attacks only the provider can see.
While almost 80% of companies use SaaS, only about half of IT managers believed they had visibility into the security of their cloud services, according to a study published last year by the Ponemon Institute and funded by CA Inc. Respondents were split on who was responsible for the security of cloud applications: 36% put responsibility with the provider, and 31% with the employees who used the cloud.
While discussion over assignment of responsibility for cloud data security may seem reasonable on its face, precedent may already be shifting to assign increasing responsibility to cloud providers. Banks, which initially eschewed responsibility for lost funds if a customer's system was compromised, increasingly have been legally forced to protect their customers.
"If a bank has a customer with a laptop computer infected with malware, and they send all the customer's money to Ukraine, it is a problem for the banks," Ponemon said. "Likewise, I think a lot of cloud providers say, 'We are just equipment; we are just Software as a Service; if there is something bad going on, it is not our problem.' And they really can't say that anymore."
Know your cloud provider
To avoid falling prey to attacks on cloud data like those against Office 365 and Salesforce.com, companies must first research their prospective cloud providers and make sure they can gain some assurances about the provider's defenses and visibility into the security of their data, said Rich Mogull, CEO of Phoenix-based security-analyst firm Securosis.
"Some [cloud providers] are absolutely awesome, but many suck, and you really need to do your research to know the difference," he said. "The better providers are more transparent about how they do security, and undergo a host of audits and assessments that they either make public, or at least show you under NDA."
Until more cloud services provide their customers with access logs or monitoring services and alerts on anomalies, most enterprises will have to find ways to do it themselves, said Rajiv Gupta, CEO of Skyhigh Networks.
"Most cloud service providers are not going to take responsibility for information lost to a compromised account," he said.
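The "find ways to do it themselves" that Gupta describes comes down to watching access volume, which is exactly what exposed both the Salesforce.com scraping (stopped after about 100 records) and the Twitter exfiltration (100,000 tweets in a day) mentioned earlier. The following is an added example, not code from Adallom, Skyhigh or any cloud provider: it runs over constructed access events (user, day, action, records returned) and flags any day on which a user's record volume jumps far above that user's own baseline, or above an absolute cap. The event format, thresholds and user names are assumptions for the illustration.

```python
"""Volume-based anomaly detection over SaaS access events (added example).

Each event is one API call or page view a user made against a cloud
service, with the number of records it returned.  A user whose daily
total jumps far above their own historical baseline (or above an absolute
cap) is flagged, the way a bulk export of CRM records or a burst of
100,000 tweets would stand out from normal use.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample events: (user, ISO date, action, records_returned).
# "alice" has a steady daily rhythm; on 2014-03-05 her account pulls far
# more records than usual, mimicking a Trojan scraping the account.
SAMPLE_EVENTS = [
    ("alice", "2014-03-01", "contacts.list", 40),
    ("alice", "2014-03-02", "contacts.list", 35),
    ("alice", "2014-03-03", "contacts.list", 50),
    ("alice", "2014-03-04", "contacts.list", 45),
    ("alice", "2014-03-05", "contacts.export", 900),
    ("alice", "2014-03-05", "contacts.export", 900),
    ("bob", "2014-03-01", "contacts.list", 20),
    ("bob", "2014-03-02", "contacts.list", 25),
    ("bob", "2014-03-03", "contacts.list", 30),
    ("bob", "2014-03-04", "contacts.list", 22),
    ("bob", "2014-03-05", "contacts.list", 28),
]


def daily_volumes(events):
    """Sum records returned per (user, day)."""
    totals = defaultdict(int)
    for user, day, _action, records in events:
        totals[(user, date.fromisoformat(day))] += records
    return totals


def detect_bulk_access(events, ratio=10.0, absolute_cap=100_000, min_history=3):
    """Return alerts for days on which a user's volume is anomalous.

    A day is flagged when its total exceeds `ratio` times the median of
    that user's earlier days (at least `min_history` prior days are
    required, so a single quiet day cannot set a misleading baseline), or
    when it exceeds `absolute_cap` regardless of history.
    """
    totals = daily_volumes(events)
    per_user = defaultdict(list)
    for (user, day), count in totals.items():
        per_user[user].append((day, count))

    alerts = []
    for user, days in per_user.items():
        days.sort()  # chronological, so the baseline only uses earlier days
        for i, (day, count) in enumerate(days):
            history = [c for _, c in days[:i]]
            reason = None
            if count > absolute_cap:
                reason = f"exceeds absolute cap {absolute_cap}"
            elif len(history) >= min_history:
                baseline = median(history)
                if baseline > 0 and count > ratio * baseline:
                    reason = (f"{count} records vs baseline {baseline:g} "
                              f"({count / baseline:.0f}x)")
            if reason:
                alerts.append({"user": user, "day": day.isoformat(),
                               "records": count, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_EVENTS):
        print(alert)
```

The per-user median baseline matters more than the absolute cap: a scraper that pulls a whole customer database through a normal-looking user session will rarely hit a global limit, but it will dwarf that user's own history, which is the signal a customer can compute from nothing more than the access log the provider hands over.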
This struggle could mean plenty of business for Adallom, BitGlass Inc., Skyhigh Networks, and other third-party startups focusing on enhancing cloud data security. Some cloud security experts believe any service that gives an enterprise better visibility into its cloud usage will enjoy increased demand in the future.
Yet, other experts argue that such services are a temporary necessity, a crutch for the enterprise, until cloud services work more closely with their customers to better secure data in the cloud. Amazon's CloudTrail service, which records API calls so that customers can see who has accessed an Amazon Web Services instance, is an example of where cloud providers need to take their security, said Stephen Coty, director of threat research for Alert Logic.
"The best alternative for service providers is really to supply their customers with log data," Coty said, "not just on the front end and who accesses their service, but on the back end to see what the cloud service's employees are doing, as well."
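To show what a customer can do with the kind of front-end log data Coty describes, here is an added example (not Alert Logic's or Amazon's code) that reads a constructed CloudTrail delivery file, summarises which identity called which API, and flags calls whose source address falls outside the networks the organisation expects staff to come from. The JSON field names (`Records`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity`) are CloudTrail's own; the account id, ARNs, addresses and the expected network are placeholders for this example.

```python
"""Summarise CloudTrail records by identity and flag calls from outside
an expected network range (added example).

CloudTrail delivers JSON with a top-level "Records" array; each record
describes one API call.  The field names below are CloudTrail's, the
values are constructed placeholders (123456789012 is the documentation
account id, 203.0.113.0/24 is a reserved test range).
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample log in CloudTrail's delivery format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-03-05T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2014-03-05T09:13:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2014-03-05T10:02:18Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "10.20.30.41",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
]})

# Networks the organisation expects its staff to come from (placeholder).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def parse_records(log_text):
    """Load the Records array from one CloudTrail delivery file."""
    return json.loads(log_text)["Records"]


def identity_of(record):
    """Best available name for the caller: ARN, then user name, then type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def access_summary(records):
    """Count (eventSource, eventName) per identity: who touched which API."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[identity_of(rec)][(rec["eventSource"], rec["eventName"])] += 1
    return summary


def unexpected_sources(records, expected=EXPECTED_NETWORKS):
    """Return records whose sourceIPAddress is in none of the expected networks.

    Calls that AWS services make on the caller's behalf carry a service
    hostname in sourceIPAddress instead of an address; those are skipped
    rather than mis-flagged.
    """
    flagged = []
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            continue  # e.g. "cloudtrail.amazonaws.com"
        if not any(ip in net for net in expected):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for who, calls in access_summary(recs).items():
        print(who, dict(calls))
    for rec in unexpected_sources(recs):
        print("unexpected source:", rec["sourceIPAddress"], rec["eventName"])
```

The summary answers the "who accesses their service" half of Coty's point; the back-end half, what the provider's own staff do with customer data, is not something a customer can reconstruct from CloudTrail, which is why the article treats it as the provider's job to supply.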
Until companies gain as much visibility into their cloud services as they have with on-premises technologies, attackers will undoubtedly look to exploit that gap.