Dimension Data Cloud Chief: Cloud Platform Providers Must Fight Fraud, Cybercrime1:51 PM EST Fri. May. 17, 2013
Attacker access to cloud-computing platforms has become an epidemic and may need a global consortium to better educate cloud providers and help reduce the problem, according to a cloud expert who leads Dimension Data's global cloud initiatives.
Account fraud, account hijacking and the use of stolen credentials to gain criminal access to cloud-computing resources has been a longstanding issue, which is becoming a serious problem that impacts all cloud providers, said John Rowell, formerly chief technology officer at cloud provider OpSource, who now leads global research and development, and service operations in Dimension Data's Cloud Solutions Business Unit. Rowell said his firm works constantly to weed out fraudulent accounts and address the issue, but other providers may lack the desire or the wherewithal to deal with the problem.
"It's something the industry, in general as a group, and especially cloud providers, need to come together and start to talk about," Rowell told CRN. "We are giving these end users -- if you are not careful and not policing your fraudulent accounts and policing who is signing up for your systems -- we are giving them the platform to launch their attacks."
[Related: Dimension Data CEO Lays Out $12 Billion Plan]
The 2013 Verizon Data Breach Investigations Report found configuration weaknesses, software vulnerabilities and stolen account credentials consistently being used by attackers across the board. Financially motivated cybercriminal gangs that conduct smash-and-grab attacks to steal credit cards; hacktivists out to disrupt and embarrass businesses; and nation-state-driven attackers who steal intellectual property use stolen credentials, and often leverage the resources of cloud-hosting providers to direct their attack campaigns and upload and temporarily store stolen data.
"It's a real problem that is only going to get worse," Rowell said. "Cloud computing has enabled these guys to launch significant attacks with not much investment."
In this interview with CRN, Rowell addresses the impact that distributed denial of service attacks are having on the industry; he explains why cybercrime is driving Dimension Data to roll out two-factor authentication support globally and talks about how global expansion into emerging markets has made network availability a constant problem.
CRN: Denial of service attacks have gotten a lot of attention in recent months. Has that had a major impact on cloud providers? Do you consider it a serious threat?
John Rowell: It's a serious threat. It's a very common occurrence. It is typically easy for guys that want to launch a DDoS attack just by acquiring a stolen credit card. They can acquire DDoS or services online or acquire it by creating their own servers. There's a high frequency of attacks. On our platform, we've seen attacks that have gone up to 80 to 90 gigabytes, and they are impressive attacks. They are very large attacks that come across the infrastructure. We have a set of tools that we not only consume from third parties, but we have also built ourselves to go out and deal with that. It's something the industry, in general as a group, and especially cloud providers, need to come together and start to talk about. We are giving these end users -- if you are not careful and not policing your fraudulent accounts and policing who is signing up for your systems -- we are giving them the platform to launch their attacks. A lot of what we do, and it's not a customer-facing feature and function, is review and look at and audit our accounts and our systems. When you first sign up, you are a nontrusted user on the system until we have the ability to validate who you say you are. That prevents guys from launching a DDoS attack using our systems.
CRN: These guys also are setting up botnet command and control servers as well.
JR: There's a combination of things that these guys do. It's disappointing but some of the other providers just choose not to address it. The thought process might be that the expense is not worth the investment and time or they may not have a very good grasp of the issue. It's a real problem that is only going to get worse. Cloud computing has enabled these guys to launch significant attacks with not much investment.
NEXT: Dimension Data Plans For The Future
CRN: The 2013 Verizon Data Breach Investigations Report came out and one of its findings was that attackers are using stolen credentials in most cases to conduct their attacks. Do you support two-factor authentication?
JR: We are working on rolling it out globally. We are looking at it as a global PCI DSS offering with two-factor authentication. It's a login plus a phone verification methodology that we are putting in place. Stolen credentials and hacking, in general, through some other methods or stolen credentials is typically what we see from these end users. You can sign up for access to a platform with a stolen credit card, and it only costs a buck to get a stolen card. It's a pretty easy model to consume services for cybercriminal activity and not have to pay for it.
CRN: Dimension Data acquired OpSource in 2011 and you've been working on integration over the last two years. Is it almost complete?
JR: The integration is going extremely well and the enablement that Dimension Data has given us to expand our platform globally has been a huge win for the company. We're close to having the legacy OpSource brand removed. It's taken a lot of work. There's a lot of revenue associated with the brand and we wanted to make sure that we protected that revenue as we move into the Dimension Data brand. We expect to have that finalized in the next two to three months.
CRN: OpSource roots are in the United States and under Dimension Data you are doing a lot of expansion.
JR: It was great timing. The reality is we had built a very good business here in the United States and we knew we had to get into the rest of the world. We knew it was expensive to do that. It takes a lot of dollars for the capital investment. We also had a situation where we really didn't have enterprise relationships in the remainder of the rest of the world. It's a huge cost to build those. Dimension Data brought all that to the table. We went from two locations in the U.S. and a U.S.-based salesforce and everybody knew who we were as a company, especially in the software space, but outside of that they didn't know who we were. We're now in seven locations and also get this global enterprise salesforce, so it's been fantastic.
CRN: Global expansion brings challenges in terms of availability. Speak to the 100 percent uptime rate you have here in the United States. Is it being extended globally?
JR: As we have expanded globally we're doing some things differently as we move into some of these emerging markets. Some of the markets are newer and they're just being established and built. Because of that there is some immaturity in those markets that we've had to address. So 100 percent [availability] absolutely in the U.S. and some other markets we've moved to 99.99 percent. That is really just directly related to facility uptime as well as some of the network concerns that we have. It's really more of networking concerns than anything else. We do see this network disruption in emerging markets. When that network disruption takes place in that market, the systems and the data that is in there is not disrupted, just the ability to get to it. From a risk perspective, the data is fine and the other global locations are fine. I'm not trivializing it. We have all these global locations that are intermeshed now. It's important to our customers to be up all the time, but those are things that our customers can work around and we help our customers in delivering to new markets where they may experience some downtime based on network inefficiencies in that market.
CRN: How do you see the market for Infrastructure-as-a Service and managed services changing over the next five years?
JR: This is an emerging market and everybody wants to be in it. There are a lot of companies that may be identified because they offered some virtualization. At the end of the day, virtualization is not cloud. Cloud is pay-as-you-go; it's automated, it's orchestrated and it's consumption-based, it's not just virtual server. I think you'll find that a lot of companies are going to be long-term players and some of them are going to be ripe for acquisition. I think some of these guys will get snapped up or go away, because it is a very intensive business when it comes to cash.
PUBLISHED ON MAY 17, 2013