
Contents contributed and discussions participated by Rizel Tuas

Rizel Tuas


Dyman & Associates Risk Managements Projects: For cloud providers fraud detection is integral part of business plan
started by Rizel Tuas on 08 May 14 no follow-up yet
  • Rizel Tuas
     

    Cloud providers have attracted enterprise customers with the promise of rapid elasticity, on-demand provisioning, high availability and a pennies-per-hour pricing model. But there's just one problem: These very qualities have enticed criminals to adopt cloud services as well.


     


    When a scam artist is looking to set up a phishing scheme to gain access to victims' bank accounts, the built-in redundancy, scalability and automation capabilities of cloud servers are extremely appealing. And when all it takes to procure cloud services is a working credit card -- without ever needing to deal with a live salesperson -- the cloud becomes an even more viable base from which criminals can commit fraud.


     


    "All of the advantages of the cloud for enterprises are the advantages for the bad guys," said Jeff Spivey, international vice president of ISACA, a founding member of the Cloud Security Alliance (CSA) and president of Security Risk Management Inc., a Charlotte, N.C., information security consultancy. "It's that anonymity and scale that's attractive to the fraudsters."


     


    Without proper cloud-based fraud detection and prevention practices in place, cloud providers can become unwitting hosts for cybercriminals. It's a threat that can expose providers to legal liabilities, profit loss and blacklisting. What's more, any cloud provider can become a target.


     


    "While cloud has been a phenomenal enabler for legitimate businesses, it's also been a phenomenal -- and I mean phenomenal -- enabler for fraud and fraudulent activity," said John Rowell, senior vice president of research and development as well as global service operations at Dimension Data, a South African cloud and managed services provider. "Fraud is a huge deal on the business side."


     


    How does cloud-based fraud occur?


     


    Across the broader market, discussions about cloud security have focused primarily on the customer side of the equation. Even as cloud providers continue to devote the resources necessary to ensure that customer data is secure, they can't overlook the fact that some of their own customers could be a threat.


     


    Fraud manifests in the cloud in several ways, according to experts. Typically, fraudsters use a stolen credit card to procure virtual machine (VM) instances or platform services on which they build their operations -- among them phishing schemes, money-transfer scams, identity theft and malware.


     


    "[You] can go get a fraudulent credit card, a good one -- it'll be working, but it'll be stolen -- for less than a dollar," Rowell said. "So, think about how the cloud enables [criminals]. All they have to do is sign up online and they can have a server in five minutes for less than a buck, and it's a throwaway identity."


    In a joint investigation in 2012, researchers from McAfee Labs and Guardian Analytics uncovered a massive, cloud-based banking fraud operation that attempted to bilk an estimated $78 million from account holders in Europe, Latin America and the United States. The investigation, dubbed "Operation High Roller" because of the criminals' focus on high-balance accounts, found the scheme's success hinged on the resource availability and automation in the cloud, as opposed to a single host computer.


     


    "With no human participation required, each attack moves quickly and scales neatly," investigators wrote in a report.


     


    In some cases, criminals skip the stolen credit cards altogether and instead crack into a legitimate customer's account, hijacking the VMs to use for their own fraudulent activities. Cybercriminals are also looking to Infrastructure as a Service to provide vast amounts of on-demand processing power to launch distributed denial-of-service attacks, according to Raj Samani, vice president and chief technology officer of McAfee Inc.'s EMEA operations.


     


    Consequences of failure to detect fraud


     


    Although fraud may not be the gravest security threat cloud providers face, ignoring it jeopardizes their bottom line in several ways.


     


    From a purely financial perspective, any revenue gained from a stolen credit card is likely to evaporate quickly, thanks to the sophisticated fraud detection systems banks and credit card companies now use. The real damage comes from the revenues cloud providers never see from legitimate customers because the hundreds of VMs they would have paid to access have been tied up by the fraudsters.


     


    "[There are] service providers that … do not have adequate fraud measures in place, and they have to be losing insane amounts of money on it," said Dimension Data's Rowell. "It's got to have an immense impact to their profitability as well as just the health and cleanliness of their platform."


    Moreover, cloud providers that don't commit resources to fraud detection and prevention could ruin their reputation -- and kiss goodbye any chance to engage enterprise customers, Rowell added.


     


    "If you were putting up a storefront, you wouldn't want to hang your shingle beside a shop that says, 'Hey, we're selling stolen credit cards.' No one wants to be associated with that," he said. "It's incumbent on the service provider industry to police fraud. If they're not doing it, they're doing their entire customer base a disservice."


     


    Enterprises are also likely to block IP addresses from which spam and other suspicious activity originate, unintentionally blacklisting the cloud providers that host them.


     


    While there is no legal precedent yet, it's possible that governments and law enforcement agencies may start holding cloud providers criminally or civilly responsible for neglecting to detect and eradicate fraud, said ISACA's Spivey.


     


     


    "Depending on how big the problem becomes will determine whether regulators or lawmakers start to get more involved," he said. "But if I'm running a store, for instance, and I know people are coming into the store buying and selling drugs, and I never brought it up to people, then law enforcement is basically going to [conclude] that I enabled this to occur because I let it happen on my premises."

Rizel Tuas


New Oracle Software Tackles Mobile Security Head On Dyman & Associates Risk Management Projects
started by Rizel Tuas on 15 Mar 14 no follow-up yet
  • Rizel Tuas
     
    http://www.cio-today.com/story.xhtml?story_id=021002JDEDBX

    Mobility. It's not a new trend, but it's a growing one. Indeed, the workforce is becoming increasingly mobile and that mobility is driving security concerns that software giants like Oracle are trying to solve.

    Oracle sees a critical need for solutions that help enterprises control access to business data and also protect that data on mobile devices. Advanced security controls for personal and corporate devices are needed, without complicating the user experience.

    To meet these needs, the enterprise-software maker is launching the Oracle Mobile Security Suite, which lets users securely access enterprise data from their own devices, while at the same time protecting that information by isolating corporate and personal data.

    Oracle Says Its Solution Is Different

    "By extending security and access capabilities to mobile devices, organizations can protect corporate resources on employee devices without compromising the user experience," explained Amit Jasuja, Oracle's senior VP of Java and Identity Management.

    Jasuja said Oracle's security solution brings the firm's Identity Management platform to mobile devices, so organizations can address the bring-your-own-device (BYOD) challenge logically.

    Along with Oracle's existing Identity and Access solutions, the new suite offers an integrated platform that organizations can use to manage access to all applications from all devices -- including laptops, desktops, and mobile devices.

    Oracle insists its approach is different from the approaches taken by other mobile device management (MDM) solutions because those others focus on the devices themselves. That strategy can create separate security silos requiring companies to spend more money on expensive products to integrate with their identity solutions.

    Instead, Oracle said its Mobile Security Suite focuses on the apps and the users, allowing IT to more efficiently and securely administer and manage access.

    An End-to-End Solution

    The company said its Mobile Security Suite provides a secure workspace so organizations can separate corporate and personal apps. That means enterprises can protect their apps and data as well as enforce their security policies without interfering with users' personal information.

    The workspace also offers security controls, enabling companies to enforce single sign-on, per-app network tunneling, encryption for stored data, and integration with Microsoft Active Directory for shared-drive access.

    As for mobility security controls, the software is able to limit access or restrict functionality based on location. The solution also lets companies control their application policies, including limiting copy/paste/print to prevent data loss.

    Additionally, if employees are terminated or otherwise leave their jobs, organizations can remotely wipe corporate data and apps from their mobile devices.

    The Oracle Mobile Security Suite also includes an e-mail client, secure browser, file manager, white pages app, document editor, and a mobile app catalog that can serve as an app store.

    Read More:
    http://dymanassociatesprojects.com/
    http://dymanassociatesprojects.com/about.html
    http://dymanassociatesprojects.com/cyber.html
    https://www.behance.net/gallery/Dyman-Associates-Projects-Are-you-willing-to-pay/14947673