Why Google and Microsoft were at fault for the attack, not cloud computing

By now, much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies. Google’s stark reaction to the attack has put the company at the forefront of this news story. At stake is one of the world’s largest Internet market as well as the already tenuous relationship between US and China, it is no wonder this attack is drawing the attention of headlines worldwide.

Why isn’t this an attack on cloud computing?

First of all, the mechanics of the attack, though not entirely clear, have nothing to do with cloud computing. What we do know is the following: A Microsoft browser vulnerability was exploited, some employees’ desktops were compromised, and the attacker used the compromised desktops via Google’s VPN to get to some of the servers. As a result, Google apparently issued an emergency refresh of the entire corporate VPN infrastructure last week, leading to more than a little bump in the road for employee productivity, which lasted more than 24 hours.

So, let’s look at the facts here. Exploiting browser vulnerabilities is a familiar attack method, one that has nothing to do with cloud computing. Compromising desktops and using VPN to further compromise servers is again nothing new. What is at the root of the problem here is a vulnerability from everybody’s “favorite” software company (more about this vulnerability to come later today), not the fact that the target of the attack is a prolific cloud computing company.

However, some of my clients (and many others) were asking why they would want Google to host their applications/data if Google is a bigger attack target than themselves. This is indeed an interesting question, one that is worth exploring. This question is particularly interesting when you consider that the attack in question involved exploiting vulnerabilities in IE 6. Why would Google employees still be running IE 6, an outdated browser? Clearly Google’s corporate IT isn’t doing a good job. But the fact that the attacker used VPN to further its attack suggested that the initial victim machine may not be a corporate managed machine. However, we do not know for sure. In any case, Google is at fault here for not managing its risks adequately. And being one of the biggest cloud computing companies, they should know better.

I will be uploading another entry on the specifics of the Microsoft vulnerability after 10am pacific today. Stay tuned. In the meantime, let me know what you think of the attack and the implications.

This entry will be cross-posted to Forrester’s SRM blog: http://blogs.forrester.com/srm.


About Chenxi Wang

Dr. Chenxi Wang is a Principal Analyst with Forrester Research. She serves on the security and risk team, covering topics such as cloud security, application security, and content security. Previously Chenxi was Chief Scientist with KSR Inc. (now part of Neohapsis). Prior to that Chenxi was an Associate Professor at Carnegie Mellon University.
This entry was posted in Application Security, Cloud security. Bookmark the permalink.

1 Response to Why Google and Microsoft were at fault for the attack, not cloud computing

  1. Pingback: VPN is hot again (thanks google!) « VPN Haus

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s