Military Siege Theory & the Cloud
June 8, 2016 Leave a comment
The Siege of Pilsen 1618 (https://en.wikipedia.org/wiki/Siege_of_Pilsen)
The Cloud – Another Trend to the “Dark Side” & Ancient Aliens
There isn’t a day that goes by in the technical presses and communities where vendors aren’t hawking their Cloud Services as the new way to store and process data while claiming to improve costs to the IT organization’s bottom line.
On the surface and mixed with the prevalent trends in business technical developments this sounds well and good but no trend occurs in a vacuum. Since 2010, the Cloud has become a new buzz-word for professional developers as well as consumers where literally anyone can store anything they like “up there”. And the name, “The Cloud”, has an almost surreal-like sound to it while ignoring the fact that it was designed by some slick marketing outfit to attract anyone with a penchant for cool sounding idioms.
But what really is “The Cloud” but a glorified hosting service where one can store files, host web applications and databases amongst a repertoire of other implementations that have all become rather standard for most hosting and storage services that already exist. And since the name of “hosting services” sounds too technical for most people we now layer it over with a soft sounding acronym, “The Cloud”, a place where giant puffs of large white, majestic cumulus puffs of vapor hang silently in a deep blue sky always waiting for their next passenger to serenely float through them.
Yet, there is a “Dark Side” to this majestic wonderland of hosted technologies; cumulus clouds can often turn dark and foreboding and it is this “Dark Side” that this piece will discuss.
As I mentioned, no trend occurs in a vacuum, though professionals in many fields tend to see things that way. In technology today, it appears that a majority of the Human race cannot see past it’s nose when it comes to the next “new thing”. One look at the popular “Ancient Aliens” show on the American History Channel will convince many that aliens are guiding Humanity to it’s true path; back to the stars. And they support this contention with the many examples of universities and companies all researching and developing technologies that will allow us to do this along with other propositions demonstrating how aliens have been working on their Human project for many years.
Except here is where “reality bites”… Humans cannot exist in space for too long due to the massive exposure to radiation; so long trips into it’s farthest reaches just is not feasible unless someone devises some form of radiation proof material that can be used on rocket-ships and clothing. Also, let’s not forget the high speed debris that is whizzing all over the place out there that can penetrate just about anything it hits with the velocities they are traveling at. Not too cool for pressurized cabins… So the suggested alternative is to develop robotic bodies that have the capacity to be completely manipulated by Human thought processes if not encompass Human consciousness altogether. However, if one South Korean scientist is correct in his theories based on quantum mechanics, Human consciousness is not housed within the brain; now there is a gigantic “Oops!” for the whole concept leaving us with the use of robots who many scientists fear will turn upon the Human race; another big “Oops!”…
This is a rather humorous example but it does demonstrate how even many scientists are rushing to develop something that simply may not be possible with the given facts and possibilities since they are not considering the limitations imposed on them by realities that may be irreconcilable.
This is also true for all of the current hype surrounding the use of the “The Cloud” by business organizations.
Basic Economics & Military Theory
Let’s start with some basic economics, which is exactly what Cloud Services are working with. We can call this type of economics, “aggregate economics”, which is also very nicely referred to by such vendors as “economies of scale”; another nice acronym for the uninitiated who don’t really understand what cloud vendors are selling, which are their economies of scale and not yours. Cloud Service Providers are actually called aggregators; they sell a product that allows you and everyone else to pay them for it’s use. This is how they make money and they make it at the expense of their customers.
EBay, PayPal, Etsy, Google, Bing, and many other similar organizations like cloud vendors are aggregators; all making large sums of money while individuals and businesses involved make substantially less in sales if anyone can find them within the aggregate world or less in savings when you consider the hidden costs to the dangers that such technologies pose.
Aggregators also centralize their customer needs and operations within their own corporate IT organizations, which in reality is one of the most dangerous things any company can do if they fall for the line that all their critical data hosted under such circumstances will be safe.
Applying military analytical theory to such an environment is quite reasonable considering that such theory analyzes various factors that can affect the well-being of a unit; in this case a Cloud Provider.
When using only business or technical based analytical constructs, which in this case are quite narrowly focused, you get a result that appears much rosier than it actually is. On the business end the numbers for investment look much better than affording one’s own hardware and network infrastructure with their corresponding costs. On the technical end, it is simply the cool thing to do since for a developer it shouldn’t really matter where his or her applications and\or databases are hosted as long as the technologies being used keep their resumes attractive to potential recruiters. Technical security specialists, people who are never listened to until it is too late, have a much different view on things, which are mostly in line with the application of military analysis to these situations. But who talks to these people anyway?
And there are several segments of military analytical theories that can be used to provide a more realistic view of the claims for Cloud Service Providers.
“Force Distribution” Analysis
To begin with we can use “force distribution” analysis, which dictates how to distribute one’s forces in different situations including hostile ones. In this case, you either unite your forces when you need cohesive strength such as with an attack on a defender’s position or you distribute them when they are at rest or in retreat to avoid being harmed in mass. Of course the way a commander would unite or distribute his or her forces is dictated by the given situations so we are talking in generalities here.
In terms of “The Cloud”, hosting multiple corporate databases in centralized locations with critical data when it is known that criminal and professional hacking is becoming more prevalent, organized, and sophisticated is like playing Russian roulette with customer companies where it could easily take only one hit to destroy everything in place.
One can argue that Cloud Service Providers ensure the use of high levels of security to prevent such attacks or repel them if they occur. However, we are talking sociology here as well and it stands to reason that where corners can be cut, business leaders in these providers will cut them since that is what business leaders in general do. The state of the current American economy is “exhibit A” in this case1.
However, a more classic example of such decision making can be demonstrated with the 1983 mass-murder of 241 US Marines and 58 French soldiers in Beirut, Lebanon. In this event both the US and French soldiers were housed in mass in two separate barracks which were targeted by insurgent truck-bombs that blew both buildings to pieces killing and injuring everyone in inside.
Though there was security at the surrounding checkpoints to the barracks, it was not well prepared to prevent this type of an attack (which should have been expected) since it was following the standard orders of the day for that mission, which are listed as follows1 …
- When on post, mobile or foot patrol, keep loaded magazine in weapon, bolt closed, weapon on safe, no round in the chamber.
- Do not chamber a round unless instructed to do so by a commissioned officer unless you must act in immediate self-defense where deadly force is authorized.
- Keep ammo for crew-served weapons readily available but not loaded in the weapon. Weapons will be on safe at all times.
- Call local forces to assist in self-defense effort. Notify headquarters.
- Use only minimum degree of force to accomplish any mission.
- Stop the use of force when it is no longer needed to accomplish the mission.
- If you receive effective hostile fire, direct your fire at the source. If possible, use friendly snipers.
- Respect civilian property; do not attack it unless absolutely necessary to protect friendly forces.
- Protect innocent civilians from harm.
- Respect and protect recognized medical agencies such as Red Cross, Red Crescent, etc.
The first three rules as noted in red in the above list were followed by the guards at their security stations making it impossible to react in time to thwart the insurgents’ attacks on the barracks. In addition, there was no consideration for “defense in depth” (more layers of site security) that may have halted the truck-bombers once they broke through the outer defensive security measures and may have the time required to prepare their weaponry. Nonetheless, being unable to deny the attackers entrance to the military area, had the soldiers been distributed in the surrounding fields in foxholes as they should have been knowing the dangers of possible incursion into their areas, the casualty rate would have been substantially reduced.
The US commander in charge of these troops recognized his dereliction of duty and offered his resignation. In fairness to President Reagan at the time, he instead took full responsibility as Commander in Chief of the mission, though he did not withdraw US troops until 1984 but instead housed them in offshore transport ships where they were then kept out of harm’s way.
Given that standards and protocols are a way of life in Information Technology, they will be adhered to in similar fashion as the military did in 1983, providing multiple weak spots for sophisticated cyber-attackers who see Cloud Service Providers as very tempting targets.
The Necessity of Unit Morale & The Consequences of it’s Breakdown
Another consideration here within any unit is that of morale, which can be affected by many internal and external forces to it. However, the worse a unit is treated by the officers in the field and at headquarters as to their exposure to harm by opposing forces or by their own leaders, the higher the risk of security becoming more porous due to resentment and exhaustion. Such forces often give rise to deserters, collaborators, or traitors.
Due to the disciplined culture of military units, troops becoming disheartened enough to turn on their own is not a common occurrence though it is known to happen. And if we take a look at today’s modern US Military (which is actually becoming quite antiquated as a result of their ridiculous weapons procurement programs among many other factors) we will find some very serious weaknesses in our fighting troops. These weaknesses are being reflected by low morale, disillusionment with the reasons for going into the many conflicts they are exposed to along with similar disillusionment with how they are forced to deal with citizens of other nations involved in these conflicts.
The true art of soldiering has been overwhelmed by the Military’s penchant for adopting too many technologies that aren’t adequately tested for the missions they are supposed to perform, killing and injuring many of our troops in combat while ignoring the inherent training that soldiers actually require to perform their jobs without the reliance on such equipment.
This combination of factors has now led to a growing schism within the ranks towards the senior leaders and those that support current policies and those that want substantial reform.
Now we can apply a similar set of circumstances to US business organizations where business leaders have typically run roughshod over those they employ providing the grist for large swells of resentment, lowering the morale in many cases to where many would consider turning on their own companies.
Given the fact that Cloud Service Providers are typical of the tech industry there should be no doubt that such companies have created their own internal stresses among their own employees.
Having an employee turn on a single corporate entity for being mistreated or overworked is bad for that company. Have a single employee in a key administrative position turn on a Cloud Service Provider and the results can be catastrophic for many of the companies that house critical data with them (Remember Edward Snowden?). In other words you have something more than a news headline of the day; you have a situation that has just gone catastrophic for many, many people.
Ultimately, the last defense of such centralized organizations is their mass backup systems, which for well-heeled companies are off-site. However, no one has ever actually run through testing under such catastrophic circumstances since to do so would require that businesses completely shut down their daily processes to instead process mass data refreshes under simulated, catastrophic circumstances. And what businesses are you aware of that would sacrifice their daily profits to perform such critical functions? But let’s take this one step further and consider the circumstances whereby the primary processing centers of a business are physically brought under attack that inhibit it from use, forcing entire staffs to use off-site centers with off-site data. And what if the backup sites come under simultaneous attack as well? For centralized organizations such as Cloud Service Providers and every one of their customers, it would be a clean sweep of total and complete collapse and subsequent bankruptcy.
Don’t think this can happen; that the practicality of such attacks are the things of Science Fiction? I suggest you take a look at the corresponding notes\links at the end of this piece 2, 3.
This overview regarding the possible circumstances of Cloud Service Providers have already provided examples of entities ripe for siege operations by sophisticated external forces who will always have a very high chance of prevailing given the history of sieges “done right”.
The Siege (Alesia & Stalingrad)
When people think of a siege they most often conjure up images of massive forces attacking fortified locations in the style of medieval soldiers battling brave Knights on the ramparts. This is not what a siege is, though this type of military endeavor has been done many times in the past with mixed results.
A military siege is first an implementation of logistics and then and only if necessary the use of attacks on the ramparts by infantry. Practically all such sieges in history have proven successful for the attacker with the exception of one, which like a baseball game got rained out after about a month.
Modern day sieges are most often implemented as economic blockades, which by the way are also seen as war crimes since so many civilians are negatively affected. For example, the US embargoed Iraq after the first Gulf War, which resulted in over 500,000 child deaths as a result of starvation, malnutrition, a lack of drinkable water and medical supplies; a war crime that then Secretary of State Madeline Albright was just fine with.
Nonetheless, one of the most famous sieges in history was the Siege of Alesia fought between Rome’s famous commander, Julius Caesar and the Gaul’s most prominent military strategist and leader at the time, Vercingetorix4.
The Fortifications built by Caesar in Alesia according to the hypothesis of the location in Alise-sainte-Reine Inset: cross shows location of Alesia in Gaul (modern France). The circle shows the weakness in the north-western section of the contravallation line
However, Vercingetorix made a number of mistakes, which broke the rules for successful siege tactics in which he should have starved the Romans who were holed up in Alesia instead of confronting them. But Vercingetorix was a warrior and not one for sitting around to take the time to implement a “quality siege” and so he led a multiple attacks on the well-fortified Roman ramparts. By doing this, Vercingetorix did not concentrate on his rear leaving it wide open for a counter attack.
Despite his mistakes, Vercingetorix nearly defeated the entrenched Romans when he found a weakness in Alesia’s northwest wall and broke through. Yet here too he made a severe tactical mistakes by concentrating all of his forces in a single area whereby the Romans were able to repel his attack. Had Vercingetorix feinted a secondary attack on another area of the wall, Caesar may have fallen for the feint and not mounted the defense he did. When the Romans were able to finally bring the Gallic attack to a stalemate the Roman Calvary showed up on the Gallic rear and the rest was history.
What Vercingetorix should have done is, as mentioned, simply let the Romans starve inside Alesia while preparing his forces for a rear-guard Roman attack preventing the rescue of Caesar’s command. He had the forces, simply not the tactics.
In a more recent, classical siege using proper siege tactics, the Russians craftily used their fierce winter weather and growing forces during World War II, to lay siege to the German 6th Army, which they surrounded in Stalingrad. The German Luftwaffe could barely get relief supplies through let alone fresh troops in such continuous, inclement conditions forcing the eventual surrender of the German Army.
I hope you see where this is all going when it comes to Cloud Service Providers when you consider good siege theory is based upon time and attrition not direct confrontation.
Siege Theory and Cloud Service Providers
Given that Cloud Service Providers are in essence fortified, centralized locations for data, well designed cyber-sieges can effectively break the digital backs of such organizations and there are many ways to do this. And technical security specialists tend to see the same dangers with such organizations as quite a few have already been successfully breached.
Unlike, military units, Cloud Service Providers are really terribly limited as to what they can do successfully in terms of defense under such circumstances. Whereas good military commanders will always keep flexible mobility as an option in defensive maneuvering, Cloud Service Providers cannot simply up and move their physical location. As a result, they are more or less stuck with the cyber-fortresses they have built.
This then gives cyber-attackers all the time they need to design a successful incursion into such a company from anywhere in the world. And by doing so they are also in a position to then initiate similar siege-like operations that were popular in the 19th century and earlier.
Developing cyber-siege operations are far easier than defending against them as the “Hacker Community” committing such attacks are not only varied in capabilities, they are scattered all over the globe and in increasing numbers with all the time they need on their hands. Such people and groups can spend inordinate amounts of time in researching and developing an attack plan and with the capabilities at their disposal from genius intelligence to state supported assets, it is highly unlikely that centralized data storage centers can defeat any and all such attacks on their environs; especially if sophisticated, multiple attacks are made at the same time.
Though physical logistics (ie: food), a major consideration in classical siege operations, are not a major factor in such endeavors they still do exist to an extent. For example, in place of food, which the denial of can mean the starvation of those being besieged, electricity is now the primary parallel component. Thus an attack on the physical electrical components that supply the Cloud Service Providers could wreak massive havoc across all of the customer applications and data being stored there. The result here is that the more production level operations customers have with any particular Cloud Service Provider, the more such customers’ operations will be negatively affected without any capacity on their part to rectify matters under such a logistical attack.
The US Electrical Grid – Semi-centralized With highly Vulnerable Infrastructure
Such physical attacks for example, are the constant worry of other US assets such as utility companies5 whereby there have been quite a few reports detailing the weak and vulnerable nature of the nation’s electrical grid system, which is primarily predicated on antiquated technologies. This may make actual digital attacks more difficult while making physical attacks more attractive with the added benefit that most such sites are poorly guarded. However, getting within the perimeter of such sites is not necessarily a requirement as many of the attached assets to these sites run under ground and beyond the site perimeters.
An example of how devastating a power outage can be in the United States is the blackout that occurred in the mid-2000s when a power station went out in Ohio, which caused a ripple effect into New York state at an upstate power station that shut down the entire metropolitan area. And that was just from a hardware glitch. Imagine if it had been a concerted, physical attack.
Iran – A Combined Physical\Cyber Siege
Yet, as an example of a combined physical and cyber-siege, the Iran centrifuge attack through the US\Israeli created Stuxnet virus is one that demonstrates a very sophisticated and successful attack of this nature. The fact that it could replicate and distribute itself efficiently meant that this single piece of rogue software literally lay siege to the Iranian nuclear infrastructure completely on it’s own. Thousands of these small centrifuges were thrown offline and damaged as a result. This attack was reportedly to have been accomplished by physically slipping in a flash drive to an Iranian centrifuge site that uploaded the virus, which then duplicated itself across the networks until Iranian Cyber Security could contain it. Unfortunately, the US and Israel did not plan out this attack too well as the Iranian attack also had a some severe blowback into regions surrounding Iran.
Yet, just a fraction of this effort would be required to attack such weakened infrastructures as the US electrical utility systems from both a physical standpoint as well as from software incursion.
In turn, realizing such threat capabilities, it would be expected that the physical installations of Cloud Service Providers would be better protected but this is not necessarily true as the entire Information Technology field is predicated on a sociology that one gets it’s products out quickly no matter what their genre, leaving many oversites in the mix, including security while also deprecating physical threats to a second class status.
In addition, as the US especially, promotes an increasingly digitalized life-style along with businesses that are following in similar fashion, low-tech operations are more easily ignored from the vantage point that they are not seen as imperative to a corporation’s health once processes have been successfully digitized. The result is that low-tech attacks on physical infrastructures are seen as less of a threat than digital ones, making them more dangerous than normally considered. For example, how severe does a large banking institution consider the physical destruction of their data lines when compared to the necessities to defend against digital incursions for critical customer and organization data? Probably, few at the decision-making levels consider this at all considering that their psychologies often disparage those who would consider such attacks as not worth their time.
The State of US Nuclear Arsenals _ A Technological Disaster Waiting to Happen
A classic example of this type of thinking, if one has been following the recent reporting on the state of the US military nuclear sites around the country, would be that it should come as no surprise that government bureaucracy has kept site security in such a high state of vulnerability from both physical and digital attacks that it has become known that such security is so poor that direct, physical attacks are becoming more possible with each passing day.
Since nuclear arsenal technologies are still from the 1970s, a digital attack would be far easier to induce network failures than is commonly thought.
Most corporations are infested with similar bureaucratic thinking making such complacent dangers as potentially dangerous to their own vital digital processes as the US has allowed it’s nuclear arsenals to be exposed to.
The answer of course is to simply throw another trillion dollars over the next decade at this festering national security issue instead of simply abandoning such useless weaponry in the first place. And given the predilection of US arms suppliers to consider profit over quality, as has been amply demonstrated in many recent weapon rollouts, it is highly unlikely that such an investment will yield anything substantially better in terms of security than what is already in place.
The Lowering of Societal Critical thinking Skills
This symptom also follows the general, sociological deterioration in US society (as well as several European societies) whereby as people become more immersed with their technologies both personally and organizationally, critical thinking skills, which also effect common-sense, survival skills suffer immeasurably. And this has been well documented in many ongoing reports on the matter.
If we ignore the logistics for the need for physical electricity (a corporation’s food more or less) or such physical assets we can however, consider another area of siege theory; supply-line attack points. In this case, we would be discussing the actual data lines that data is sent in and out of from a Cloud Service Provider’s installation; the equivalent of their own bread and butter. These can be attacked as well both physically as well as digitally. In the digital sense, routers can be digitally corrupted while sniffer\transmission software and equipment can be embedded into the wiring or its inherent infrastructure that will allow for corruption and or the siphoning off of data.
These data lines are also the ones that can be used to distribute all sorts of viruses, Trojan horses, root-kits, and malware, which could not only be undetected by in-house security processes but damage the data at the installations themselves while feeding it back to the individual customer organizations as well, doing damage to a host of individual companies tied to the Cloud Service Provider’s equipment. Remember, this is all going over the Internet and mostly through publicly accessed lines.
Hackers Have Time for Operational Planning while Cloud Service Providers can Only Build Walls
The greatest advantage that the “Hacker Community” has, which is also similar to that advantage of a classical siege, is that of time. Hackers, as previously mentioned, whether they are individuals or state-run organized groups, can take as long as they require in developing an attack plan while cloud vendors can only hope that they have taken care to secure any vulnerabilities that such attackers could make use of. This of course cannot be accomplished to 100% effectiveness by any Cloud Service Provider for the simple fact of what is called the “fog of war” in military parlance. The “fog of war” defines the uncertainty of any derived plan used to engage in offensive or defensive operations as well as the actual uncertainty during the engagement itself. And since Cloud Service Providers rarely know the extent of the capabilities of their potential attackers, they cannot effectively defend against them with similar levels of efficiency.
To thwart the most insidious of attacks, many corporations have come to believe that the encryption of their customer data is a strong deterrence to such attacks. This is similar to the construction of physical defenses such as walls that are used to surround the besieged with protection. However, if the attackers use such substances as “Greek Fire” (a forerunner to napalm in antiquity) with accurate firing upon the walls’ high points destroying the capabilities of the manning of such walls while also killing people within them, a wall becomes more of a life-threatening construct than one which was designed to preserve it; staying within and you can get burned to death, exiting and you can be cut down.
In other words, any wall that is put up can be breached in one way or another, even one that has been encrypted with sophisticated technologies such as with Cloud Service Providers.
And there is really no way for any customer organization to ascertain just how well any encryption plan has been implemented by any such provider. Many claim that they use the latest in security encryption technologies to protect their customer data and applications. Well, many hackers have access to such technologies as well, considering that it is their bread and butter to be used for carrying out sophisticated attacks. And their capabilities in this arena are getting greater and more sophisticated with each day.
Such a situation than provides any cognizant customer the understanding that in the short term, costs could be contained with the use of such external services. However, one critical breach in their service’s security and all such costs could become minimal compared to what could be lost in the long term.
Cyber Attack Threats are a Constant to Cloud Service Providers with no 100% Effective Defense
Data breaches of all types through the use of sophisticated decryption technologies and other invasive techniques have caused many serious problems for many companies, for which little has been reported due to a fear of a loss of credibility. Nonetheless, such information in our electronic societies somehow always makes it out into the public domain at some point. And Cloud Service Providers have not been immune to such incursions on their data.
The real problem these vendors face is what happens when a sustained attack or siege-like operation is initiated against them using multiple attack points with differing attack techniques; the true cyber-siege as with the Stuxnet virus.
In an article written in 2014 by Charles Babcock6 that details the type of cyber-threats as defined by the Cloud Security Alliance (https://cloudsecurityalliance.org/), which are ongoing, major concerns for Cloud Service Providers currently, it was made clear that no matter what type of sophisticated security system is in place, inclusive of encryption, the defender cannot guarantee 100% deflection of any such attack.
All such attacks can wreak havoc on any organization but even more so where so much customer data has been centralized. All of these attack types are well known and are listed below…
- Data Breaches (requiring password/varying levels of decryption capabilities)
- Data Loss (varying levels of decryption capabilities)
- Account Or Service Traffic Hijacking (requiring password/varying levels of decryption capabilities)
- Insecure APIs (exploitation of vulnerabilities)
- Denial Of Service (requires mass automation abilities)
- Malicious Insiders (disenfranchised employees/attacker-employee insertion)
- Abuse Of Cloud Services (use of cloud services as “super computers” for decryption purposes)
- Insufficient Due Diligence (bureaucratic complacency)
- Shared Technology (access to cloud service shared technologies such as a hypervisor)
Adding to these threats is the increasing number of seriously angry, disenfranchised people from society who are increasing in number in the United States and in some parts of Europe while also being employed in various capacities within corporate and technological infrastructures in these nations. In the US alone it has been found that the number of such people could be as high as 200,000,000. This is a lot of combined anger to have directed at established institutions where earlier, employee loyalties can no longer be relied upon to thwart such attack potential. In many instances, the threats to corporations of all types are just as large and varied from within as from without.
The result is that Cloud Service Providers can be as easily defeated through willing collaborators on the inside of such corporations or the infiltration of an asset who is employed by such companies for the sole purpose of preparing for an attack from the inside.
Though the movie, “The 300”, which detailed the Spartan defense of Thermopylae in ancient Greece, was an offense to people everywhere who had a basic sense of history and culture, the betrayal of the Spartans by a disgruntled Spartan soldier or camp follower that provided information on a rear attack path to the Persian army (a legend, which may in fact have been based on fact) was a significant example as to how the insidiousness of inside collaborators can easily aid in the defeat of a besieged group or open doors to operations that will eventually overwhelm the defender.
US business organizations as they are for all the hype in the press about their changing ways have in reality made little progress in how employees are actually treated overall. Some of the hype may in fact be true for smaller startup organizations and smaller businesses in general but if Long Island, New York is any example of small and medium-sized business management, there is little hope that it will change much in the future. Larger organizations of course have the sheer mass of bureaucracy to grind down employees without being as directly offensive as many small businesses can be.
Thus, the seeds for their own internal destruction have in many cases already been planted making access by external attackers somewhat easier in theory.
The result of the described combination of factors regarding attacks on Cloud Service Providers, make such incursions inevitable. The question then is how customers want to predicate their decisions on such matters by balancing short-term gain against long-term potential loss.
Under such circumstances, as with the troops that were stationed in Beirut, Lebanon in 1983, business organizations have only one survival plan at their disposal. They must follow the same design concepts as were internalized with the designing of the Internet’s underlying infrastructure, which determines that dispersal of nodes provides overall security for an attack against any one or several nodes. This infrastructure design was classic unit dispersal theory to minimize losses when in a defensive posture and under attack.
Businesses, in this case, are much better off in providing their own in-house data storage, despite the cost and the remaining potential for attack, than centralizing their assets under the housing of a single monolithic organization. By business organizations emphasizing self-housing of their data, the physical dispersing of such data storage among multiple, individual sites does reduce significantly the potential for attack on any one company since the target areas become more numerous and smaller making them less attractive as individual entities.
I doubt the Marines who survived the tragedy in 1983 would disagree…
- Anonymous hits major financial institutions
- Cybercrime global losses in banking sector estimated at $500 bln
- Wikipedia (https://en.wikipedia.org/wiki/Battle_of_Alesia)
- The Conversation (article provides a gruesome glimpse at America’s crumbling infrastructure)
- Ongoing Threats Against Cloud Service Providers