Protecting your customers from brute force attacks in Cloud services or in an outsourcing company
About brute force protection and Cloud Security and VPS (Virtual Private Servers) and outsourcing or hosted environments
Thoughts on cloud security by Juha Jurvanen @ JufCorp
If you are a Cloud Service provider or an outsourcing company and giving your customers access to various Windows services such as file access, Exchange, Exchange OWA, Sharepoint, Citrix, RemoteApp and Terminal Server services or even VPS (Virtual Private Servers) , there are things you may want to consider.
Cloud security is often debated and it should be. There are pros and cons to each technical solution. Your customers rely on you to have your services reachable, virtually 24/7 and initially, they’ll be happy when that works.
Nowadays though , Cloud Computing has grown to be more accepted and with it a few questions are coming to life.
Your customers will eventually start asking you how you actually deal with various brute force attacks and dictionary attacks to protect their data. You will also , sooner or later, be faced with questions of reporting of these attacks and to be able to gather various reports of when and from where a specific user was logged in,
Remember that you customers have moved from an inhouse hosted environment where they had the ability to gather this intel themselves and they will be expecting to be able to get it from you. They also had the ability to use Syspeace to protect them but once they’ve shifted to your services, they have absolutely no idea of what security mechanisms you have in place for them and these questions will start to come around.
Historically, it’s been very difficult to handle these situations (feel free to read earlier post on this blog to see what I’m getting at for instance http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/ and http://syspeace.wordpress.com/2012/10/16/various-brute-force-prevention-methods-for-windows-servers-pros-and-cons/ ) so many sysadmins have just more or less given up but when we’re moving to Cloud Services and Cloud Computing, people will expect that also these matters should be sorted. The issue is “why should we move our data to something we can’t even control or know how the security is set up or verify it easily ? ”
Sooner or later, the end users and customers will start testing how your response really is and verify if there are any mechanisms in place (sometimes out of curiosity and sometimes due to internal processes and audits).
Is their attacked account locked out ? For how long ? Is the attacking IP locked out ? Can you as a Cloud Service provider contact the user and let them know that someone tried to user their account from an IP address in China , although you know the customer has no business in China? Do you alert you customers about it ?
No, probably not and it’s easy to understand why.
Because all of this has required a lot manual work so most service providers and outsourcing companies just don’t want to deal with the problem and tend to not talk about the actual problem, being basically, they have no idea on important stuff such as from where a login attempt was made, what username was used and how was it handled? Was it successful or a failed attempt and how many times did the attacker actually try ?
If you are a Cloud Computing Service provider I highly suggest you have a look at Syspeace to enable you to add this service for your customers and protect access to your Cloud services preemptively and actually have these things handled automatically, without increasing your workload but still tightening your security and to a very low cost.
If you’re a VPS provider, consider for instance having the Syspeace software pre installed in your images and let your customers know it’s there so they themselves can decide whether to use it or not. It’s not an extra cost for you but it does show your customers that you’re actually thinking about their security and that you’re thinking ahead.
So far, Syspeace has actually saved 4.3 M US$ in only a few months in costs for the manual workload associated with brute force attacks and dictionary attacks.
I believe that the service providers that start thinking about these things and take them seriously will have an advantage to those who don’t and quite a few will take having a system such as Syspeace in place for granted, as you would with antivirus.
Have a look at the Syspeace website and see for yourself how quickly and easily you can implement a brute force prevention system without the usual costs of appliances or costly consultants.