Using a cloud provider means that the primary responsibility for security rests in the provider's hands, but that doesn't mean you can afford to ignore the security regime that has been put in place. Because they host multiple organisations and have access to financial data, cloud ecommerce providers are obvious targets for criminals seeking to commit fraud online, and the rate of attacks is growing rapidly.
The recently-released annual report from cloud compliance company Trustwave underscores how web sites with ecommerce facilities (and hence, by definition, some access to customer data) have become the main target for online criminals. Trustwave based the report on its investigations into a range of online incidents, including more than 450 detailed data breach investigations.
"The most popular attack vector is ecommerce websites," Trustwave managing consultant Marc Bown told Lifehacker. "You often used to hear internal attacks were worse, but that's changed."
While ideologically-motivated attacks (such as those masterminded by Anonymous) typically attract headlines, the majority of attacks have baser motivations, Bown said. "It's pure economics. Attackers are either doing this because they want to make money or they're ideologically motivated. An ideological attacker will spend as much time as they need to attack a specific target. A financially motivated criminal doesn't care who they hack as long as the reward is there."
A common error is to assume that hackers will aim for large sites, Bown said. "We make the assumption that an attacker is only interested in a big juicy target, and we make that assumption because we assume the work is difficult. But it's pretty much automated and script-based. They're making their investment up front in some tools and then working those tools to make money. Most of the victims are really small. One of the questions I get asked is 'Why would anyone come after me?' One guy joked to me 'even my customers can't find me online; how did they?' Those small guys don't understand the risk."
Bown argues that the shift towards the convenience of cloud hosting hasn't seen a parallel recognition of the risks involved. "It used to be the case that everyone would get their own hosting account, install a shopping cart and run that. The trend is now away from that and back to centralised shopping carts. Everyone runs a central code base with different skins."
"We've definitely seen instances where those SAAS merchants have been compromised. Oftentimes those compromises have been frankly trivial. Customers often make the assumption that cloud-based services are more secure, but we suspect the opposite is true."
Part of the problem is that cloud ecommerce providers need to maximise volume, so security isn't always the top priority. The second factor is that even if you do want to improve security after your company has implemented a cloud solution, your options are often restricted. "You can look at log files if it's on your systems, but not with cloud if it's not in the contract," Bown said.
That said, even the basics are often ignored. "Eliminating those risks is arguably impossible, but we haven't done much to minimise them. Very few of the attacks we're working on are advanced. Mostly it's the same old things. If we get better, the attacks evolve and move on, but so far, they haven't had to evolve much."
As such, Bown's advice for companies seeking to improve security is not complicated. "Just check you're doing the basics right. Check your passwords and defaults. Look at your app security as well. We know that online shopping applications are going to be targeted."
Close monitoring of transactions is also essential. "In almost all of the cases we investigated, the company that had been hacked didn't find out about that themselves. They were told by a third party. They didn't have systems in place to detect that, or there's so much noise coming out of their monitoring they don't know how to make sense of it."
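The monitoring problem Bown describes is less about collecting transaction logs than about reducing them to a handful of alerts a small merchant can actually act on. The script below is an added example written for this article, not code from Trustwave or Lifehacker; the log format, the thresholds (a five-minute sliding window, four declines or five distinct card tokens from one client address) and the sample entries are all constructed assumptions. It aggregates per source address and emits at most one alert per address and reason, so a noisy client yields one line for a human to read rather than hundreds.

```python
"""Turn a noisy ecommerce transaction log into a short list of alerts.

Added illustrative example, not code from the article or from Trustwave.
The log format, thresholds and sample entries are assumptions for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, client IP, card token, amount, result.
# 203.0.113.5 is a constructed noisy client; the others are normal shoppers.
SAMPLE_LOG = """\
2013-02-18T10:00:01 198.51.100.7 tok_0001 59.90 ok
2013-02-18T10:00:03 203.0.113.5 tok_0101 1.00 declined
2013-02-18T10:00:04 203.0.113.5 tok_0102 1.00 declined
2013-02-18T10:00:06 203.0.113.5 tok_0103 1.00 declined
2013-02-18T10:00:07 198.51.100.8 tok_0002 120.00 ok
2013-02-18T10:00:09 203.0.113.5 tok_0104 1.00 declined
2013-02-18T10:00:11 203.0.113.5 tok_0105 1.00 ok
2013-02-18T10:00:12 203.0.113.5 tok_0106 1.00 declined
2013-02-18T10:00:30 198.51.100.9 tok_0003 15.50 declined
2013-02-18T10:01:02 198.51.100.9 tok_0003 15.50 ok
2013-02-18T10:07:00 203.0.113.5 tok_0107 2.00 declined
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window per client address
MAX_DECLINES = 4                # assumed: declines per address per window before alerting
MAX_CARDS = 5                   # assumed: distinct card tokens per address per window


def parse_log(text):
    """Parse the space-separated log into a list of event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, amount, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "card": card,
            "amount": float(amount),
            "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_alerts(events, window=WINDOW, max_declines=MAX_DECLINES, max_cards=MAX_CARDS):
    """Sliding-window aggregation per source address.

    Emits at most one alert per (address, reason); a single noisy client
    produces one line to read instead of one line per transaction.
    """
    recent = defaultdict(deque)   # ip -> events still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev)
        # Drop events that have fallen out of the window.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        declines = sum(1 for e in q if e["result"] == "declined")
        cards = {e["card"] for e in q}
        for reason, hit, value in (
            ("decline-burst", declines >= max_declines, declines),
            ("many-cards", len(cards) >= max_cards, len(cards)),
        ):
            key = (ev["ip"], reason)
            if hit and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "ip": ev["ip"],
                    "reason": reason,
                    "count": value,
                    "first": q[0]["ts"],
                    "last": ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{a['ip']} {a['reason']} count={a['count']} "
              f"{a['first'].time()}-{a['last'].time()}")
```

Run against the constructed sample, eleven transactions collapse to two alerts, both for the one noisy address; the lone decline from 198.51.100.9, a shopper who simply retried, produces nothing. Tuning the thresholds to a shop's real volume is the work that separates usable monitoring from the noise Bown describes.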