Cookie policy: This site uses cookies (small files stored on your computer) to simplify and improve your experience of this website. Cookies are small text files stored on the device you are using to access this website. For more information on how we use and manage cookies please take a look at our privacy and cookie policies. Some parts of the site may not work properly if you choose not to accept cookies.

sections

RSA: Microsoft to arm the Internet's most vulnerable gatekeepers

  • Print
  • Share
  • Comment
  • Save

Perhaps counterintuitively, some of the Internet's biggest gatekeepers are also some of its least-protected enablers. Country-code Top-Level Domain registries (ccTLDs), whose databases are responsible for routing user requests to reach a website to that website, are typically universities or small organizations who provide the registry services to entire countries or regions.

 

A registry like this basically keeps a database of domain names for a country, a region or another grouping. Examples would be URLs ending with .fr (French domain name registry operated by a non-profit called AFNIC), .edu (operated by a non-profit that promotes the use of IT for education in US educational institutions) or .co.uk (a UK ccTLD, also operated by a non-profit).

 

These shops cannot afford to throw a lot of resources at security, which makes websites in their databases – which map domain names to websites – easy prey to hackers. “They don't have the resources to apply security teams to run scanning tools or do deep code reviews,” Mark Estberg, senior director of security and compliance for Microsoft's online services, says about ccTLDs.

 

A typical IT infrastructure of such a registry consists of a few servers in a colocation data center. They have the same security guidance all web-service providers have, but it's not enough. “Typically what happens is they'll have a cross-site scripting vulnerability on their web service or an unpatched server, and that vulnerability will be taken advantage of,” Estberg says.

 

On the end-user side, the result is a request to reach a certain website is simply redirected to a different website that may install some malware on the user's computer or display a message – often a political one. Such attacks have been happening for years, and many of the world's websites have suffered, including a number of Microsoft sites.

 

“It's been happening for years, and what we've noticed more recently is the volume of attacks [has] increased,” Estberg says. This is why Microsoft announced on Tuesday, in conjunction with the RSA Conference in San Francisco, that it will be providing free security services to all top-level domain registries, including ccTLDs, to help prevent and, if attacked, deal with such attacks. The risk-assessment service the company is offering (finding security vulnerabilities and suggesting ways to fix them) will employ the same procedures Microsoft uses to protect its own infrastructure.

 

Permanent state of alert

Being one of the world's largest software companies and now also a major provider of cloud-based services, Microsoft is basically in permanent state of being under attack, Estberg says. While its web services have suffered consequences of attacks on ccTLD registries, the most common type of attack on the infrastructure supporting Microsoft's cloud services is Denial of Service (DoS). “We're subject to Denial-of-Service attacks on a very regular basis,” he says.

 

Estberg's team – about 100 people responsible for security and compliance of the global cloud infrastructure – has built out a large infrastructure to manage these attacks and implemented technology to redirect the packets that attempt to flood the company's servers during a DoS attack.

 

He thinks there are two main reasons DoS attacks are so common. One is elasticity and scalability of public-cloud infrastructure. The main appeal of using cloud for “legitimate” IT purposes is also what makes DoS attacks fairly easy to undertake. Instead of looking for physical PCs around the world to send a flood of requests to a web service, attackers can now deploy a bunch of virtual machines in the Cloud to do the job. The second reason is that the attackers have become more organized, Estberg says.

 

The infrastructure Estberg's team secures is separate from Microsoft's own IT – a delineation the company keeps very deliberately. This is the infrastructure that supports its Azure Infrastructure- and Platform-as-a-Service offerings. These are subject to DoS attacks, but the most targeted part of Microsoft's cloud portfolio are its Software-as-a-Service offerings for consumers, such as Outlook.com or Bing. Attacks on its SaaS products for enterprises (Office 365 or CRM Live) are usually more focused on specific data, since these are the systems storing a lot of enterprise information, but they also come under typical DoS attacks on a regular basis.

 

Attackers' goals vary, Estberg says. Some of them look for publicity, others try to steal data, and yet others want to simply create disruption.

 

Estberg, 45, has been at Microsoft for 13 years, 11 of them in security. When asked if there was a single thing he thought every operator of cloud infrastructure should know about security, he is quick to answer simply: “Remember the fundamentals.”

Related images

  • Mark Estberg, senior director of online services security and compliance, Microsoft

Have your say

Please view our terms and conditions before submitting your comment.

required
required
required
required
required
  • Print
  • Share
  • Comment
  • Save

Webinars

  • Is Hyperconvergence a Viable Alternative to the Public Cloud?

    Thu, 31 Mar 2016 15:00:00

    Enterprise IT leaders are right to be skeptical of such bold claims. After all, is it really possible to deliver an on-premises infrastructure that delivers the same agility, elasticity, and cost-effectiveness of public cloud providers like Amazon Web Services? If you’re following the traditional IT model, with its many siloes and best-of-breed point solutions, the answer is, most likely, no. To truly deliver a viable alternative to public cloud, you need to look beyond traditional IT. Join Evaluator Group and SimpliVity to learn more about how hyperconverged infrastructure can deliver the efficiency, elasticity, and agility of public cloud."

  • "Single Pane of Glass” comes to your Datacenter facility & IT operations

    Wed, 24 Feb 2016 18:00:00

    Join Hewlett Packard Enterprise and RoviSys,as well as OSIsoft, for a webinar hosted by DatacenterDynamics’ CTO Stephen Worn, as they discuss the implementation of the “Single Pane of Glass” solution and some of its resulting benefits: •An estimated 10 Million kWh saved in the first full year of operation •Ability to easily meet “Best-Practices” throughout data center operations

  • Overhead Power Distribution – Best Practice in Modular Design

    Wed, 3 Feb 2016 16:00:00

    Overhead power distribution in your data center offers many attractive possibilities, but is not without its challenges. Join Starline's Director of Marketing, Mark Swift; CPI’s Senior Data Center Consultant, Steve Bornfield; and University of Florida's Joe Keena for an exploration of the options and some of the pitfalls, supported by real-life examples from the field.

  • White Space 29: See the diagram

    Fri, 29 Jan 2016 10:40:00

    Peter is investigating DevOps, Bill looks at security while Max is stuck on the infrastructure level

  • White Space 28: The good, the bad and the ugly

    Thu, 21 Jan 2016 12:10:00

    Join the DCD team again this week, as they discuss AMD's ARM based efforts, waste heat, BT's EU deal and cloud for Canucks and much more! Enjoy.

More link