Security risks lurk in the cloud

By Alex Kayle, Senior portals journalist
Johannesburg, 10 May 2011

Cloud computing will never be completely secure; however, organisations such as Zynga would not have existed without the scalability of the cloud.

This is according to Caroline Wong, strategic security manager of Zynga Game Network, who spoke at the ITWeb Security Summit today. Zynga is a massively played online social gaming network, famous for Farmville on Facebook.

The sixth annual ITWeb Security Summit kicked off this morning, at the Sandton Convention Centre. International and local IT experts will, over the next two days, discuss security topics such as Stuxnet, WikiLeaks and data privacy in an increasingly connected world.

Wong was formerly the chief of staff for the Global Information Security Team at eBay, where she built the security metrics program from the ground up.

According to Wong, cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, which can be rapidly provisioned and released, with minimal management effort or service provider interaction.

Fat pants

She compared cloud computing to “fat pants”, because it gives an organisation ample room to grow its IT infrastructure and provides additional capacity when needed.

It was this elastic characteristic of the consumer cloud that drove Zynga's success, added Wong.

“In June 2010, Zynga [released] Farmville onto Facebook, and within the first six weeks the game gained 200 000 daily active users.

“Rapid user growth meant Zynga was running out of data centre space and did not have the ability to invest in computing infrastructure to keep up with business demand.

“So we made the strategic decision to use cloud resources in order to effectively scale-up. The innovation of Zynga had to do with social networking and connecting people in a way that hadn't been done before. There was unpredictable growth in this new market, and Zynga probably wouldn't exist without the cloud.”

However, Wong indicated cloud computing is relatively immature and inherently insecure. She explained how the online community, which started out building trusted relationships, is now a hotbed for social engineering, privacy issues and account compromise.

In addition, social network users still freely give out their personal information. Wong said it's easy for a cyber criminal to steal a person's information from their social network by looking at friends' profiles, and to use that information to create another account or for financial gain.

Wong said more needs to be done by cloud service providers to secure cloud networks.

“There's certainly a lack of cloud service provider transparency. Cloud services, not all of them, offer clear audit trails as part of their offering. Questions we are asking cloud companies, [include] how do they separate one company's data from another? How do I ensure that I get my data, and that I don't get somebody else's data?”

Be cloud smart

Wong said organisations need to be smart about cloud computing and about what information is placed into the cloud. “Saying no to cloud is not an option. There is no way I could say to Zynga that we can't do cloud because it's insecure. I believe cloud computing provides for an opportunity for security to get better.”

She recommended that organisations think about their security strategy, business model and information handling.

“We use Amazon Security Groups to determine who has information access, and which groups can communicate with other groups. And, secondly, availability zones intelligently deploy hosts across availability zones, and also across geo-redundant data centres; replicate data so that instance failure does not result in permanent data loss.”

Wong explained Zynga also built cloud management services such as Rightscale Cloud Management Platform, which automatically adds capacity to respond quickly to traffic spikes in user activity.

“We can now manage hundreds of services in minutes without large teams of systems administrators to manage them. If you need anything in the cloud that is not being provided by your cloud service provider, and if you have the expertise, build it yourself.”

Wong added that business users and organisations need to be smart about where their data resides, as not all data is equal.

“We should be thinking about security strategy and information handling, and what is going to go into the cloud. Whatever I find to be the keys to the kingdom I need to make an educated decision whether to put that in the cloud or not.

“In Zynga's case, we decided not to store personal identifiable information in the cloud. We provide an encrypted [application programming interface] layer to protect that information.”

Zynga, Facebook alliance

Zynga has a close partnership with social network giant, Facebook, according to Wong.

“Facebook is the primary mechanism with which Zynga does its business,” explained Wong. “We not only trust Facebook to deliver our games, but we also trust them with a lot of our payment processing.”

One of the biggest challenges on Facebook is social engineering and account theft. Wong pointed out the top shared concerns between social and cloud are user access, malware-linked applications and privacy.

Top online game

Zynga, named after a legendary African warrior queen, uses a “freemium” business model, meaning that the company sells virtual goods online. On Farmville, for instance, the gamer can earn additional coins by paying real money for virtual goods, and this helps the user to achieve higher levels in the game.

Wong said Zynga makes 90% of its revenue based on this freemium sales model.

Zynga started in 2007. According to Wong, the online gaming social network has 70 million daily active users and 250 million monthly active users.

Today, Zynga is the number one social gaming site on the Web in terms of online user numbers. Some of the games Zynga has developed include Farmville, Frontierville, Cityville and Mafia Wars.
