Headlines tell the story: “DDoS Attacks on Major Banks Causing Problems for Customers.” “Hacktivists expand bank DDoS attacks.” “DDoS Attacks on Banks Resume.”
No wonder distributed denial of service (DDoS) attacks have become the No. 1 concern for a growing number of financial institutions. As one bank analyst describes it, “Literally, these banks are just in war rooms, sitting at controls trying to stop [the attacks].”
Security remains a major concern as financial institutions (FIs) move to cloud computing, and exposure to DDoS attacks should be weighed as part of that move. So just what are the DDoS risks for FIs when moving to the cloud? And what steps can they and their cloud providers take to address these concerns?
A DDoS attack is an attempt to make one or more computer systems unavailable, typically by overwhelming them with a large number of seemingly legitimate requests. Traditionally, these attacks were aimed at web servers. Increasingly, however, attackers target supporting infrastructure that may not be as well protected, such as the Domain Name System (DNS), which translates Internet domain and host names to IP addresses; if DNS for a bank’s domain cannot answer, customers cannot reach the web servers at all, however well those servers are defended.
An attack from a single computer is easy to block with traditional controls, such as a firewall rule that drops traffic from the offending source address. But today’s DDoS assaults are an orchestrated bombardment from thousands or even tens of thousands of computers, each of which sends a volume of requests that looks ordinary on its own. The result: edge protections such as firewalls cannot tell malicious requests apart from normal traffic, and cannot block them without also blocking legitimate requests.
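The following is an added example, not code from the original article or its author: a per-source request-rate rule of the kind a traditional firewall or edge device applies, run over constructed access-log lines. It blocks a flood from one source but cannot separate a distributed flood from ordinary customers, because each bot stays under the per-source threshold while the total load is many times normal. The IP ranges, log format, client counts and threshold are illustrative assumptions.

```python
"""Added example, not from the original article: a per-source request-rate
rule (the 'traditional firewall' approach) evaluated against a single-source
flood and a distributed flood built from constructed log lines.
IP ranges, log format and thresholds are illustrative assumptions."""
import re
from collections import Counter

LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<req>[^"]*)"$')
T0 = 1_700_000_000          # start of the constructed traffic window (unix time)
DURATION = 10               # seconds of traffic in each scenario

LEGIT_IPS = [f"192.0.2.{i}" for i in range(1, 51)]               # 50 customers
ATTACKER_IP = "198.51.100.9"                                      # one loud source
BOTNET_IPS = [f"10.{i // 256}.{i % 256}.7" for i in range(2000)]  # 2000 bots


def parse_line(line):
    """Parse one constructed log line into (ip, unix_ts, request), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("ts")), m.group("req")


def make_requests(ips, req_per_sec, duration=DURATION, path="/login"):
    """Constructed log lines: every IP sends req_per_sec requests each second."""
    lines = []
    for t in range(T0, T0 + duration):
        for ip in ips:
            lines.extend(f'{ip} [{t}] "GET {path} HTTP/1.1"'
                         for _ in range(req_per_sec))
    return lines


def per_source_filter(lines, window=10, threshold=20):
    """Edge rule: a source that exceeds `threshold` requests inside one
    `window`-second bucket is blocked outright. Returns (blocked, passed)."""
    counts = Counter()
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue        # malformed line: skip it rather than crash the filter
        records.append(rec)
        counts[(rec[0], rec[1] // window)] += 1
    blocked = {ip for (ip, _), n in counts.items() if n > threshold}
    passed = [rec for rec in records if rec[0] not in blocked]
    return blocked, passed


def single_source_flood():
    """One attacker at 50 requests/s: 500 requests in the window."""
    return make_requests([ATTACKER_IP], 50)


def distributed_flood():
    """2000 bots at 1 request/s each: 20,000 requests, but the same per-IP
    rate as a real customer, so no single source looks abnormal."""
    return make_requests(BOTNET_IPS, 1)


def evaluate(attack_lines, window=10, threshold=20):
    """Mix the attack with normal traffic (50 customers at 1 request/s) and
    return (blocked sources, legitimate requests passed, attack requests passed)."""
    legit = make_requests(LEGIT_IPS, 1)
    blocked, passed = per_source_filter(legit + attack_lines, window, threshold)
    legit_set = set(LEGIT_IPS)
    legit_passed = sum(1 for ip, _, _ in passed if ip in legit_set)
    attack_passed = len(passed) - legit_passed
    return blocked, legit_passed, attack_passed


if __name__ == "__main__":
    for name, flood in (("single source", single_source_flood()),
                        ("distributed", distributed_flood())):
        blocked, lp, ap = evaluate(flood)
        print(f"{name:14s} blocked={len(blocked):4d} legit passed={lp} "
              f"attack passed={ap} (load {lp + ap} vs normal {lp})")
```

In the single-source case the rule blocks the attacker and passes all 500 customer requests. In the distributed case it blocks nobody: every bot sends ten requests per window, exactly like a customer, so the server receives 20,500 requests instead of 500 with no per-source signal to act on. Lowering the threshold to catch the bots would block the customers too, which is the trade-off the paragraph above describes.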
A hosted cloud service is vulnerable to the same DDoS attacks as any other hosted service, including direct attacks on cloud-based web servers and attacks on a provider’s supporting infrastructure. However, because of its heavy use of software-based virtualization and management systems, a cloud service’s supporting infrastructure can have a significantly larger attack surface, and may be vulnerable to attacks from the outside and from within.
So what’s a financial institution to do when it wants to move to the cloud?
• Get your cloud host provider to explain in depth how it protects its cloud management system and its customers’ information from orchestrated attacks. This includes explaining its approach to protecting against traditional attacks as well as those that specifically target cloud technologies.
• Have your provider discuss the “bad neighbor” problem, which is more prominent in the cloud. That’s when your cloud server or application runs on the same physical host as another customer’s, that customer is attacked, and you suffer the collateral damage. Find out how the provider prevents one customer from affecting another on the shared infrastructure, and be sure it isolates network connectivity between customers.
• Consider using multiple clouds or combining a public cloud deployment with a private or hybrid component. This may not protect against an attack targeting you directly, but it provides a hedge against attacks on any single provider’s cloud infrastructure.
• Determine whether a cloud provider is leveraging other cloud providers to deliver its services. Such “nested” clouds are particularly common among Software-as-a-Service providers, which often deploy their software on another cloud provider’s infrastructure; a DDoS attack on that underlying provider can reach you through the SaaS offering just as surely as an attack on the SaaS provider itself.
• Recognize that more attacks are emanating from cloud infrastructure itself, as an attacker sets up fraudulent accounts and uses the cloud servers, each far more powerful than a single desktop computer, to launch large-scale attacks. This can cause collateral damage to you if you use the same cloud provider, both through exhaustion of the provider’s resources (see the “bad neighbor” problem) and through the provider’s address space being blacklisted as a source of attacks.
• Make sure to develop and test a contingency plan. This plan should account for DDoS attacks directly against an FI’s servers as well as those targeting a provider’s infrastructure, and should identify roles, responsibilities and response procedures for both the FI and the provider.
• Consider leveraging cloud services as part of a broader DDoS resiliency strategy. Cloud-based recovery services may enable you to rapidly recover key systems in the cloud when your primary facility is under attack. Don’t let your security concerns overshadow the promises of effective cloud computing. The cloud does introduce some new DDoS risks, but also presents tremendous opportunity for improving overall resiliency.
The cloud is not a panacea, but it should not be ignored entirely. The most successful FIs will be those that understand the risks and tackle them head on.
Oren Hamami is director of Security Strategy at SunGard Availability Services.