Software as a service

Tag Archive for Software as a service

RB | January 30, 2014

Comments Off

Cyber Attacks on Schools

Cloud services and data-management systems are multiplying in the edu market. Schools, districts, and states are using online networks to store student data such as records PII, medical records, attendance, and grades. Putting all of this data online is scary enough, these systems are designed to allow parents (and attackers) to get to data from a home PC.

More convenient for teachers and parents

Education Week explains that the switch to online data is often more convenient for teachers and parents. But these changes can also make state agencies, districts, and schools vulnerable to cyber attacks. The author cites the August 2013 DDoS attack on the Kentucky Department of Education’s statewide Infinite Campus information network as a precursor of things to come. The Kentucky agency was able to fight off the DDoS attack before any data was compromised but school DDoS attacks are occurring more often as they get easier to execute. David Couch the Kentucky Department of Education’s chief information officer said.

What I understand from what I’ve seen is that [DDoS attacks are] a commonality now … I think most organizations have to add to their tool suite a way to detect them.

Online attacks

GCN reports another edu DDoS attack. This one is on OnCourse Systems for Education a SaaS that provides software services to K-12 schools. The firm became the victim of UDP flood from Germany and the Netherlands. The firm tried to fly under the radar, Mark Yelcick, chief technology officer and partner at OnCourse said.

This was the first DDoS attack at OnCourse, and we never thought that we would be a target … There’s no money or assets to be gained by attacking an SaaS provider of K-12 educational systems. We felt that the firewall, intrusion protection and DDoS protection from our data center provider would be enough.

In order to turn back the tide of rouge packets, OnCourse brought in P rolexic. Prolexic has solutions tailored for the education market. The company engaged its emergency services, routing traffic through Prolexic’s 1.5 Tbps cloud-based DDoS mitigation platform and stopping the attacks. CTO Yelcick said, “We simply cannot afford downtime brought about by a DDoS attack.”

Because DDoS attacks can target any IP address, it’s impossible to completely prevent them, so for districts and the companies that offer data management services, the focus is on battling these attacks as they come.

“We have to be prepared and understand the environment that we are operating in so we’re prepared to address these issues as they come up,” says Infinite Campus CEO Eric Creighton, the victim of the Kentucky DDoS attack.

Attackers are after student PII

Part of predicting and combating cyber attacks is understanding why people order these attacks in the first place. When the target is a network that stores student grades and attendance information, the immediate thought is that a student is responsible. However, Mr. Creighton says that students rarely attempt attacks and, in his experience, have never succeeded.

“I don’t think these are attacks attempting to get data … There’s no jackpot of valuable data –there’s no payload here.” CEO Creighton may be spinning the results. rb- I wrote about schools collecting and losing PII here.

One reason that schools and districts are targeted is that their systems are designed for convenient access. Easy access for parents and teachers, makes for easier targets. Marcus Rogers, a professor, and chair of the cyber forensics program at Purdue University told Education Week.

For a lot of these attacks, the intended victim or goal is something bigger than the school. Obviously schools want to protect their data, but the bigger threat is when they use those networks now to go out and attack a power plant or a stock exchange or an air traffic control systems. That’s when the stakes go up.

Caused by a BYOD device

Kentucky education officials believe that the attack on their systems was triggered by a beacon. They hypothesize that a beacon was unknowingly placed on a student’s mobile device, which he or she took with them to school. Viruses can cause a device to send out a beacon, instructing thousands of other devices to attack the network the device is connected to. In Kentucky, officials say that this won’t stop individual districts from implementing bring-your-own-device programs. However, schools can decrease the chances of an attack by making sure that these student devices are properly protected according to Education Week. CIO Couch believes schools will start to protect themselves.

I think what you’re going to see is districts making sure that before people plug into their network they have up-to-date, good virus protection … I think you’ll start to see that in K-12.”

Purdue’s Rogers says that even when schools know best practices for avoiding and combating attacks, such measures are often cost-prohibitive. “A lot of times the schools know what to do, but at the end of the day if they’re trying to get library books, a firewall is not going to be their big concern.”

DDoS as a distraction: The one-two cyberpunch (pando.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2014, Cloud computing, DDOS, Denial-of-service attack, K12, Kentucky, SaaS, Security, Software as a service

RB | October 13, 2011

3 comments

Cloud Computing Risks

Cloud Computing Risks Cloud computing is a term even non-IT folks would have heard about at least once by now fueled by the concept of Software-as-a-Service (SaaS) and virtualization. The idea is that IT services and processing capabilities could be more efficiently housed in a data center and delivered over the Internet based on demand.

Dr. Dobb’s, editor-in-chief Andrew Binstock told FierceCIO that the primary advantage of relying on cloud providers is that their combined expertise on the security and reliability front is in all likelihood better than that of most SMBs and even some larger IT shops.

Bob Violino at Internet Evolution writes that cloud computing offers some clear benefits for organizations: lower costs, automated software updates, greater flexibility, and the ability for IT staff to focus on more strategic projects and not day-to-day maintenance tasks.

It’s easy to get caught up in the cloud excitement with major IT vendors such as Amazon (AMZN), Apple (AAPL), Dell (DELL), Google (GOOG), HP (HPQ), IBM (IBM), and Microsoft (MSFT) pushing the concept and rolling out cloud offerings. But organizations looking into cloud computing need to consider some key risks as well.

Larry Ellison, the chief executive of Oracle, told shareholders in 2008 that Cloud technology is a fad that lacks a clear business model. “I think it’s ludicrous that cloud computing is taking over the world,” Ellison said. “It’s the Webvan of computing.”

Richard Stallman, the founder of the Free Software Foundation, sees cloud computing as a trap that will result in people being forced to buy into locked and proprietary systems that will only cost more over time. He told The Guardian: “It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign.”

Some of the cloud risks are well documented, but as the push for cloud services continues, a few risk points are starting to come into focus:

Data Privacy. When it comes to the U.S., the Fourth Amendment states that people should “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” But web-hosted applications and cloud services are too new for the courts to have been able to offer far-reaching guidance on data privacy online. Data stored outside of the country makes data privacy issues even more complex.

Information security. A report from the World Privacy Forum discusses the issues related to cloud computing and the privacy and confidentiality of information. According to the report, “for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared.”

Even when no laws prevent a user from disclosing information to a cloud provider, the report says, disclosure may still not be free of consequences. “Information stored by a business or an individual with a third-party may have fewer or weaker privacy or other protections than information in the possession of the creator of the information.” A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests, the report states.

Data Security. There are many threats to data online. The application or service provider could go belly up, hackers could attack or just be locked out of your account. The good news is that data portability and security policies are being scrutinized closely by several organizations.

Mr. Binstock observed that no cloud storage provider will promise that they will not access your data under any circumstances. It is also common to find explicit clauses that allow law enforcement agencies access to your data.

Believing that this is acceptable because there is nothing incriminating in one’s data storage, is, in his words, “intensely naïve.” The obvious problem, notes Mr. Binstock, is that any government agency examining your data is under no contractual obligation to you to keep them safe, or even delete copies that were created.

Chenxi Wang at Forrester noted that an effective assessment strategy must cover data protection, compliance, privacy, identity management, and other related legal issues. “In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of the cloud services.”

Network. The idea of putting the network health in the hands of the ISPs is very troubling. Have you ever tried to work with an ISP to find out why your round-trip latency times are so high? can your organization confidently define: The bandwidth requirements of your apps? The end-to-end throughput needs? Where will your data really be? Will it take the same path today and tomorrow? Who will pick up the phone when you call to say “the cloud is slow?” Will you be able to understand them?

Complexity. As cloud computing evolves, “combinations of cloud services will be too complex and untrustworthy for end consumers to handle their integration,” according to a report from Gartner Inc.. Daryl Plummer, chief Gartner fellow notes:

Unfortunately, using [cloud] services created by others and ensuring that they’ll work — not only separately, but also together — are complicated tasks, rife with data integration issues, integrity problems and the need for relationship management

Finances. Cloud computing changes the way software is purchased. The model for purchasing software one time and then choose to opt to buy the newer version a few years later maybe on the way out. With cloud computing, the vendor can just raise the prices the following month. It requires a different mindset, of subscription fees as opposed to purchase. We will see how the public takes it.

These are some of the issues that must be addressed if companies are to decide that cloud computing offers benefits that exceed the ROI of providing similar services in-house without increasing risk.

rb-

Sure, “the cloud” will work for most people most of the time, but if there are a lot of users, there will be a lot of errors. With 100,000 users, 10% having problems over 10 years is 10,000 unhappy users.

Cloud computing and the Internet part II (ecrimeexpertblog.wordpress.com)

Category: Uncategorized | Tags: 2011, AAPL, Amazon, AMZN, Apple, Cloud computing, Dell, GOOG, Google, IBM, Larry Ellison, Microsoft, MSFT, Risk, SaaS, Software as a service

S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Bach Seat