Two recent events serve to highlight the importance of proper due diligence and appropriate contractual protections when dealing with cloud-based and other hosted service providers:
- A recent white paper from Context Information Security details the results of a study they performed on several cloud service providers that identified numerous vulnerabilities that could be exploited by a determined attacker.
- According to a lawsuit filed in US District Court in Hawaii by the producer of the syndicated children’s TV series “Zodiac Island,” an entire season of the show has been wiped out thanks to a fired employee at its data-hosting company who hacked into networked computers and destroyed its work. See WeR1-CyberLynk Complaint 110403
The Context exercise involved testing security related to the way cloud services are provided. In a traditional dedicated hosted environment, devices are physical and are separated by firewalls. Any intruder must start at the outer firewall and work their way through each system in order to get to the hosted data. In some cloud-based systems, the “devices” or “nodes” in the virtualized network reside “next to” each other – with each one node representing one or more customer’s data. This means that instead of facing an infrastructure based on separate physical boxes, an attacker can now purchase a cloud “node” from the same provider being used by the company the attacker is trying to compromise, then start looking for ways to launch an attack on the target company’s node from the attacker’s node on the same physical machine and using the same physical resources as are being provided to the target company – in other words, skipping over most of the protections that exist in the more traditional environment.
As a subscriber to the service providers’ cloud services, Context requested permission to perform security tests on their node. About a third of the tests Context wanted to perform were prohibited by the terms of service, but an actual attacker might not be as compliant as Context was required to be. Of the remaining two thirds of the tests, the cloud providers failed about half and passed the rest (a total of about 40% failures).
Context has provided information about the various vulnerabilities that it uncovered to the relevant cloud service providers. The important lesson for companies planning to use cloud services is to perform appropriate due diligence on potential hosted service providers with respect to their security and to be sure that appropriate contractual terms are included in the agreement in terms of: security standards, background checks for personnel, auditing provisions (not just financial auditing) and insurance.
The Context report also states:
It is also worth noting that by using a 3rd party to provide Cloud services, there is an implied trust of that 3rd party and their security practices. … There is the potential therefore, that a malicious employee, another node client or outside attacker could compromise a node’s security due to 3rd party failings.
Which brings us to the case of “Zodiac Island.”
According to the lawsuit filed by WeR1, the producers of Zodiac Island, a man named Michael Scott Jewson was terminated from CyberLynk. A month later he used a computer at his parents’ home to access CyberLynk’s network and delete over 300 GB of data, comprising two years of work from hundreds of contributors globally, including animation artwork and live action video production. According to the complaint, because of an alleged failure of CyberLynk’s backup procedures, roughly 21% of the data is unrecoverable. The unrecoverable data includes portions of 14 episodes of Zodiac Island, which means that those episodes cannot be reassembled in their entirety.
The complaint states that Jewson was charged in February with a federal computer crime violation and admitted his guilt in a plea agreement that has yet to be approved by the U.S. District Court for the Eastern District of Wisconsin (where CyberLynk is located) (United States of America v. Michael Scott Jewson, Case No. 2:11-CR-00037-JPS).
WeR1 is suing CyberLynk and Jewson for breach of contract, negligence, conversion, and computer fraud, saying that the company violated its contractual commitments to provide secure data hosting.
When performing due diligence on a potential hosted service provider, customers should try to review the service provider’s security policies and procedures. However, many companies restrict access to those policies and procedures on the basis that they could provide assistance to attackers who are willing to pay for the service to obtain a platform inside the service provider’s firewall from which to attack other customers (e.g., the type of attacks CyberLynk tested). If a service provider is not willing to share its security policies and procedures, contractual representations and warranties to compliance with standards like the ISO 27000 series, the National Institute of Standards and Technology’s Special Publication 800-144 and use of the tools provided by the Cloud Security Alliance can provide a customer with some comfort that a service provider manages its information security appropriately.
If WeR1 is unable to recover the deleted material due to a failure of CyberLynk’s backup procedures, this is where a contractual limitation of liability would come into play to protect CyberLynk. Any exclusions to that limitation, as well as insurance on the part of CyberLynk, might provide some recourse for WeR1.
It’s important to bear in mind that contracts drafted by service providers are written to minimize the risk to the service provider. When reviewing those contracts, customers need to think through scenarios like this to evaluate their rights and remedies and how they would be compensated (if at all).