Cloud computing: the new monoculture

Raimund Genes Trend MicroVANCOUVER — As the war on cybercrime rages on, IT administrators and business leaders would do well to consider cloud computing the new monoculture which in turn paints a massive bull’s eye on it from a security perspective.

But this is the reality businesses must face, explained Raimund Genes, Chief Technology Officer, Trend Micro.

“Monoculture makes it easy for the attacker to attack since he only needs to focus on one platform or operating system. Microsoft Windows per se isn’t an unsafe operating system but we see about 65,000 new malware per day for Microsoft because attackers are focused on it,” he said.

“As virtualization enables cloud computing, you then have three main players: VMware the dominant player, Microsoft’s Hyper-V, and Citrix Systems which is more desktop virtualization.

“If I’m an attacker and I can’t focus on the desktop monoculture anymore, I will focus on cloud infrastructure. VMware has done a good job of creating security APIs to protect the hypervisor . . . unfortunately other virtualization players haven’t done this yet.”

Genes is responsible for introducing new methods to detect and eradicate online threats. He oversees a team of developers and researchers around the globe that develops new technology components to protect against email, Web and file-based threats under Trend Micro’s Smart Protection Network umbrella.

“Everyone talks about moving into the cloud but most companies still struggle with it. Should they choose a private or public cloud? How secure is the cloud? It brings new challenges (for IT security admins),” he said. “To enable cloud computing, one should think of how to create private clouds, encrypt everything within a public cloud and protect through the hypervisor.”

On the final stop of a five-city tour of Canada for Trend Micro’s second annual Canada Cloud Security Awareness Week, Genes gave a presentation to gathered business leaders and InfoSec administrators that detailed everything from the current online threat landscape and how phishing campaigns are launched to advanced industrial espionage techniques.

“In industrial espionage we’ve clearly hit a new plateau,” he said. “We’ve seen data breaches coming from the European Union, the Canadian government, and companies like Exxon and BP. It’s relatively easy to do by sending a piece of malware into a company, convincing a victim to execute it, and then the data is harvested.”

With respect to Canada, Genes noted malicious URLs rose in this country from 67,720 in 2010 to 95,466 in 2011 but that has much to do with cybercriminals targeting French-speaking Quebeckers. More alarmingly, Genes mentioned online banking in North America lags European and Japanese online banking security measures.

“The default here is just a username and password which is definitely not good enough for online banking,” he said. “European and Japanese banks use a two-factor authentication. Without this smart token . . . online banking is not possible. So they always have an additional authentication security protocol not just a username, password and a stupid question.”

Like other InfoSec thought leaders, Genes too warned of the risks associated with using social tools. Though he admittedly uses select social networks, he recommended limiting the personal data one shares on the whole thereby reducing one’s online footprint.

“Social media tools are certainly useful. I too am aware of the risks so I don’t share too much on my LinkedIn profile,” he added. “This is also why I don’t use Facebook and other more risky social networks.”

Another key takeaway: Genes recommends InfoSec admins make an effort to ‘understand the enemy’. A daunting task surely.

“Understand these are professionals we’re fighting, not amateurs. Read as many security blogs as possible and try to figure out what happened with (publicly exposed) data breaches,” he advised. “Also, in terms of cloud computing, how can we avoid outages such as what we saw recently with Amazon? In security and in the usage of cloud computing we have to rethink our current approaches.”

Cloud computing itself isn’t more or less secure than traditional computing he added. However the cloud will make the desktop environment more secure over time.

“You will only need to use a browser (to access data and applications in the cloud). So you could have a stripped down operating system with a sandboxed browser which resets itself after every session,” he said. “With this we could create safe desktops . . . with the consumerization of IT and with cloud computing you have to rethink your security strategy and redesign it from scratch.”

Liam Lahey is a Vancouver, B.C.-based writer and an Online Community Manager for Follow him on Twitter: @LiamLahey