As recently as two years ago Eugene Kaspersky, the co-founder of Russian security vendor Kaspersky Labs, went on record as saying that cloud-based security technology could destroy the economic model that makes creating malware profitable, driving cybercriminals out of business. "I think that we can see light at the end of the tunnel," he said, in an address at the InfoSecurity 2011 conference in London.

But has cloud security technology lived up to this hype? The answer is that while it hasn't got every cybercriminal on the run, it certainly provides formidable weapons for organizations to use in the constant struggle against them.

The most visible use of cloud security technology is for endpoint protection -- in the anti-virus clients that run (or should run) on every desktop and laptop computer. Most of the major anti-virus security vendors now offer a cloud-based component to their products, and these can certainly make life more difficult for cybercriminals.

Malware Fight on Two Fronts

That's because each endpoint with a particular anti-virus product installed on it becomes a sensor which reports suspicious unknown files that it encounters, along with their sources, to the vendor's security system in the cloud. If the file is determined to be malicious, it can be blacklisted along with its source URL. Any other endpoints that encounter the same file from that point on will be warned that it is malicious as soon as they report it to the cloud. If the source of the file is a new one, it will be added to the URL blacklist held in the cloud to prevent any other endpoints from contacting it.

The power of this type of cloud protection is that it offers a two-pronged attack against cybercriminals. First, all endpoints are protected against a new piece of malware from the moment that it is first encountered and determined to be malicious. There's no need for an endpoint to download an updated signature file before it is protected.

And second, this harms cybercriminals because they can only get a return on their investment in malware from the time it is launched to the point when endpoints are aware of it and block it. Since cloud-based technology makes this window shorter, the potential to make profits decreases.

It also makes creating effective malware more expensive. "Malware that cloud systems can't detect is much harder to develop. That means the entrance ticket for cybercriminals is much higher, and junior cybercriminals can't get involved," is how Eugene Kaspersky puts it.

Cybercriminals have been fighting back against this by producing multiple variants of the same base malware. This certainly makes life harder, but cloud-based file reputation systems offered by anti-virus vendors can be effective in combating this trend.

The theory behind a reputation system is that if a file or a URL is new or has not been encountered widely, then it is inherently suspicious. If an endpoint encounters a file that it knows nothing about, it can refer it to the cloud-based reputation system. If the file has already been encountered elsewhere and analyzed, it can then be categorized as known to be good or malicious. If the file has not previously been encountered by the reputation system and categorized, then it can be treated appropriately -- blocked, sandboxed, or evaluated to calculate the level of threat that it poses and then handled appropriately.
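The sensor-and-blacklist workflow and the reputation logic described above, as an added example that is not from the article or any vendor's product: endpoints report a file hash and its source URL, the cloud returns a verdict, and files it has never seen (or has seen only rarely or very recently) are sandboxed rather than allowed. The in-memory tables, the thresholds, and the sample files are all constructed for this illustration.

```python
import hashlib

# Constructed stand-ins for a vendor's cloud-side reputation tables.
FILE_VERDICTS = {}    # sha256 hex -> "good" | "malicious" (analyzed files only)
FILE_SIGHTINGS = {}   # sha256 hex -> {"count": endpoints seen on, "first_seen": epoch seconds}
URL_BLACKLIST = set() # sources that delivered known-malicious files

# Assumed thresholds: a file seen on fewer endpoints than this, or first seen
# more recently than this, is "new or not widely encountered" and so suspicious.
MIN_PREVALENCE = 50
MIN_AGE_DAYS = 7

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def report_sighting(digest: str, source_url: str, now: float) -> None:
    """Endpoint -> cloud: record one more sighting of this file and where it came from."""
    s = FILE_SIGHTINGS.setdefault(digest, {"count": 0, "first_seen": now})
    s["count"] += 1
    # A source that hands out a file already known to be malicious is blacklisted too.
    if FILE_VERDICTS.get(digest) == "malicious":
        URL_BLACKLIST.add(source_url)

def mark_malicious(digest: str, source_url: str) -> None:
    """Cloud-side analysis result: blacklist both the hash and the URL it arrived from."""
    FILE_VERDICTS[digest] = "malicious"
    URL_BLACKLIST.add(source_url)

def reputation_verdict(data: bytes, source_url: str, now: float) -> str:
    """Return 'allow', 'block' or 'sandbox' for a file an endpoint has just encountered."""
    digest = sha256_hex(data)
    if source_url in URL_BLACKLIST:          # never fetch from a blacklisted source
        return "block"
    report_sighting(digest, source_url, now)
    known = FILE_VERDICTS.get(digest)
    if known == "malicious":
        return "block"
    if known == "good":
        return "allow"
    # Not yet analyzed: low prevalence or a very recent first sighting means sandbox it.
    s = FILE_SIGHTINGS[digest]
    age_days = (now - s["first_seen"]) / 86400
    if s["count"] < MIN_PREVALENCE or age_days < MIN_AGE_DAYS:
        return "sandbox"
    return "allow"
```

Once one endpoint's sandbox verdict is turned into `mark_malicious`, every later endpoint gets "block" for the same hash and for its source, with no signature download involved.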

Most major enterprise anti-virus vendors including McAfee, Symantec and Kaspersky offer cloud-based protection as part of their endpoint products.

Minimizing Impact of DDoS Attacks

The cloud can also be used as a kind of no-man's land where potentially malicious software or URLs can be tested well away from the corporate network. An example of this is Proofpoint's Targeted Attack Protection service, which uses virtual machines run in the cloud to click on links received in emails, to test if they are malicious. If a link does prove to be malicious, the virtual machine in the cloud is destroyed and the link is blocked; if not, then the link is passed on to the intended recipient who can click on it from within the corporate network.

The cloud can also provide an effective way for companies to mitigate distributed denial of service (DDoS) attacks. By their nature DDoS attacks involve massive amounts of traffic which overwhelm Internet-facing servers in a corporate data center or hosting provider's facilities. Companies like Prolexic and DOSarrest operate cloud-based DDoS-mitigation platforms and a network of global scrubbing centers.

Handling DDoS protection in the cloud is far more practical than attempting to block an attack at the corporate firewall or relying on a service provider -- particularly if the service provider itself only has limited resources to handle incoming traffic. When a DDoS attack is detected, traffic is redirected to a platform such as Prolexic's -- typically by changing DNS entries. Prolexic's platform can handle around 500Gbps of data, scrubbing it and passing on legitimate traffic only.

Security Appliance Alternative

Cloud-based security services can also be particularly effective as an alternative to security appliances or point security solutions for providing overall protection to organizations which have multiple locations and mobile workers. That's because typical security measures based on security appliances can be difficult to implement and manage in distributed organizations.

Such cloud security services typically include: anti-malware scanning, Web filtering and monitoring, data loss protection, firewalling/intrusion prevention, secure remote access and centralized reporting.

How do they work? When an organization subscribes to a service such as Zscaler's, all its network traffic is diverted to the service. This can be done in a number of ways. For example, enterprise network traffic can be diverted to Zscaler by configuring egress routers, while laptops, iPhones and other smartphones can be configured to use Zscaler as a proxy, or to connect to it using a VPN.

Once this has been done, an AV/AS system scans all files before they are sent to end user machines. It also scans Web pages for malicious scripts, embedded viruses and links to malware. Zscaler's system also uses multiple commercial AV/AS engines concurrently in offline mode to help detect other threats. For advanced persistent threat (APT) protection, Zscaler uses a technology it calls ByteScan to scan every byte of every request and response, to detect hidden iframes, cross-site scripting, signs of phishing attempts, cookie stealing and botnet command and control traffic.
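One of the checks listed above, hidden iframes in a response body, as an added example that is not Zscaler's code and says nothing about how ByteScan itself is implemented: a small HTML-parser-based scanner flags iframes that are zero-sized or styled invisible, which is how a drive-by page typically loads a second site without the user noticing. The sample page and the 198.51.100.7 address (a documentation-only range) are constructed.

```python
from html.parser import HTMLParser

# Constructed sample response body: one ordinary video embed and one invisible iframe.
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example.invalid/embed" width="640" height="360"></iframe>
<iframe src="http://198.51.100.7/x.php" width="0" height="0" style="display: none"></iframe>
<p>Welcome</p></body></html>"""

# Style fragments that make an element invisible (spaces are stripped before matching).
HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")
ZERO_SIZES = ("0", "0px")

class HiddenIframeFinder(HTMLParser):
    """Collects iframes whose attributes indicate they are meant not to be seen."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if a.get("width", "").strip() in ZERO_SIZES or a.get("height", "").strip() in ZERO_SIZES:
            reasons.append("zero-size")
        if any(tok in style for tok in HIDDEN_STYLE_TOKENS):
            reasons.append("hidden-style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html: str) -> list:
    """Return one finding per suspicious iframe: its src and why it was flagged."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A gateway would raise the same finding for CSS-hidden iframes declared in a stylesheet only if it also resolved styles, which this example does not do.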

The benefits of this cloud-based security approach include:

  • Reduced capital expenditure. Running security systems inevitably involves a high level of up-front costs, including servers and software licenses or, in some cases, security appliances. These costs are entirely eliminated with cloud security services.
  • Reduced administrative burden. Running one's own security systems can take up a lot of skilled IT staff time – and that time can be expensive. These costs can be particularly significant in organizations that have a number of relatively small branch offices which don't have their own IT staff. With cloud-based security services, the majority of administration is carried out by the service provider.

Short List of Cloud Security Vendors

Companies that provide this type of cloud-based protection include:

Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.