This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Ramnath Venugopalan.
We foresee three broad threat areas that will affect cloud computing in 2014: data breaches and data loss, denials of service, and malicious uses.
Data breaches and data loss
In 2014, we expect to see an increase in attacks aimed at shared resources in any IaaS, PaaS, or SaaS (Infrastructure, Platform, or Software as a Service) cloud environment. Attackers will make an effort to access all client data on a multitenant cloud service by compromising a flaw in one tenant. Attempting to avoid data loss by leveraging alternate sites also opens up additional avenues for data breaches. Trying to avoid data breaches using encryption runs the risk of loss of data due to the loss of the key. This approach also makes the cloud less useful as a storage mechanism because searching for content based on keywords will be that much harder without searchable encryption, which is not very mature as a technology.
Customers risk a loss of control over their data as various free cloud providers effectively own the data that customers place with them. A failure at a cloud provider could result in the complete loss of all data stored there. Many consumers do not back up data at multiple providers or locally; they could lose everything if their cloud service fails.
We expect to see an increase in attempts to compromise vulnerabilities in the APIs exposed by cloud service providers. Cloud customers build upon these APIs, in effect adding attack surfaces that may lie outside cloud provider policies and defenses.
Every year, we add more and more personal data to cloud services such as Facebook, Google, Picasa, LinkedIn, and others. Compromising the authentication data of any one of those clouds could provide attackers with a wealth of information. They might be able guess or gather other authentication data leading to work-related systems, identity theft, family budget figures, physical theft from a residence, threats to personal security, and so on. The online reputation and connections of a compromised account could also be used to launch further attacks using social engineering or malware to infiltrate workplace computers or those of the victim’s connections. These threats will increase in 2014 as the value to be gained grows every year because more data is available and more people are connected.
Denials of service
With the increase in adoption of IaaS and PaaS solutions, denial-of-service attacks will also increase, causing service outages as well as direct financial losses—due to cloud providers billing the costs of the network and computing cycles incurred during an attack to the target of the attack. Victims will lose twice. Thus DoS attacks will have an impact on both the customers of a cloud service as well as on the providers of applications running on a cloud service.
In a related vein, we anticipate next year a rise in attackers using the computing power, flexibility, and ease of deployment of cloud computing to launch large-scale, targeted attacks on businesses and governments. We’ll see more “Dark Cloud” providers that either encourage such attacks or do little to prevent them.