In the not too distant future, whether through direct regulation, enforcement actions, or a private right of action, products and services that significantly enable criminals to commit fraud or attack infrastructure will incur liability.
It is not sustainable to make the power of cloud computing freely available to criminals. That kind of computing power, combined with a stolen credit card, lets spammers, hackers, and other devious persons launch powerful attacks with incredible ease. Every benefit of the cloud (elastic capacity, pay-as-you-go pricing, no hardware to buy) flows to the attacker just as readily as to the legitimate customer. Why bother building a botnet when you can rent cloud computing power?
If you think organizations have little incentive to protect their own customers because there are few consequences, imagine how little incentive they have to protect third parties from the malicious activity their products and services can be used for. For cloud service providers, this is likely to result in regulations similar to the Know Your Customer requirements that financial institutions already have to implement.
To limit that liability, you need some kind of abuse threat model to determine whether, and how, your product or service can be abused. Questions to start with:
- Is your product/service free, or otherwise cheap to sign up for anonymously?
- Do you publish user-supplied content?
- Can users deliver impressions to other people through it (e.g., mail, IMs, news feeds)?
- How public or widely available is your product/site?
- Are similar or competing products already being abused?
Depending on the level of risk these answers reveal, institute an appropriate level of monitoring and remediation. Remediation is always tricky, because any control that stops an abuser also touches legitimate users. When evaluating a remediation option, you need to take into account:
- Impact on customer;
- Impact on abuser; and
- Impact on your business.
Schneier's five-step analysis applies directly to evaluating each candidate control:
- What are the assets you are trying to protect?
- What are the risks to these assets?
- How well does the security solution mitigate those risks?
- What other risks does the security solution cause?
- What costs and trade-offs does the security solution impose?