What security concerns are hidden in the murk of cloud computing?
STORY HIGHLIGHTS
- Cloud computing stores data on remote servers so it is available from any location
- Security concerns over threat of hacking and lack of privacy protection
- Worries also about lack of backup should remote servers fail
- Cloud providers say they are working hard to address growing concerns
(CNN) -- Stormy weather could be on the horizon for cloud computing as security experts warn not enough is being done to make sure one of the hottest IT trends is safe.
"There are many motivations for why an individual or a company would want to engage in cloud computing," said Thomas Parenty, managing director of Parenty Consulting, a Hong Kong-based information security consulting firm. "None of them have to do with enhanced security."
The reasons why more businesses and individuals are tapping into cloud power boil down to economics and convenience.
Broadly speaking, cloud computing refers to outsourcing data once stored on privately owned computers. If you have an email account or are on a social networking site, like Facebook, you are using a cloud platform. The data is stored on servers operated by someone else, which means that data is subsequently available to use anywhere there is an Internet connection.
On an enterprise level, this allows companies to cut IT costs by reducing the amount of hardware and software they need to purchase and maintain or store information.
For individuals, photos or documents uploaded to the cloud (using services like Flickr or Google Docs) are accessible from home, from cyber cafes, or via mobile devices.
Yet the problem, according to Parenty, is that "you have no idea who is managing the computers with your information. You have no idea where they are. You have no idea what protections may or may not be in place to make sure your information is not stolen or disclosed or that it does not accidentally disappear."
A recent study from CIO Magazine found that despite the increasing popularity of outsourced computing, 50 percent of CEOs surveyed said safety was one of their biggest worries.
Potential security threats to virtualized computing environments are complex.
One concern stems from the issue of security itself. Companies have in place their own firewalls and anti-virus software to protect data stored on the premises. When computing is outsourced, control of security measures is also relinquished.
"There is no Good Housekeeping Seal of Approval that says this vendor does good, secure cloud computing," Parenty told CNN. "A company or an individual looking to move to the cloud is going to have to make a huge leap of faith that their data is being protected."
Then there is the worry that if remote servers crash or are compromised, data, ranging from family photos to financial records from a Fortune 500 company, could simply vanish into thin air, forever.
In January 2009, for example, Ma.gnolia, a bookmark storage service (similar to Yahoo's Delicious.com), went offline after its databases crashed. As a result, users permanently lost records of links to all of the Web pages they had stored. The service has since relaunched, and membership is now by invitation only.
"You have to have a plan B," said Craig Balding, founder of the blog cloudsecurity.org. "If I am going to trust any online photo provider with my family photos, I need to make sure I have a local back-up or pay for a second provider, which makes it less attractive because it is going to double the cost."
Within the data centers of cloud providers, the situation is murkier. Servers often use special virtualization software allowing data from multiple companies to be stored on one server or processor (an analogy would be a cabinet that, instead of containing files from a single customer, holds files from numerous clients).
While the virtual machines cut costs and save energy, they also raise questions about data leakage as well as whether a customer would ever find out files have been breached, said Jim Reavis, executive director of Cloud Security Alliance, a non-profit that advocates for cloud security standards.
Such high concentrations of information also create the perfect storm for hacking.
"We are very concerned about the bad guys using the cloud," said Reavis. "[Hackers] have the ability to move laterally and capture a lot of customer information. When you put more eggs in one basket, the prize is much bigger."
Bad guys also have the ability to infect clouds with spyware, botnets and other malicious programs, Reavis said.
In January, Google announced its web-based Gmail system had been compromised by a malware attack originating in China. As a result of the breach, Google announced it would stop censoring its Google.cn search engine and possibly end business operations in the country.
"We expect a whole new generation of malware to come out of things that are specifically designed for cloud providers," said Reavis. "We can imagine some very sophisticated next-generation hyper botnets that are very hard to defend against."
A final concern surrounds privacy.
In the United States, where many cloud companies are based, legal standards make it much easier for law enforcement to obtain data for criminal or other investigations, said Kevin Bankston, a senior staff attorney with the Electronic Frontier Foundation, a San Francisco-based digital rights group.
"Data stored in the cloud is substantially easier for the government to obtain than the data you store yourself because of lower legal standards," Bankston said. "And it is easier to do it secretly. We think this is a serious security concern, and the law needs to be updated."
Despite what seems to be a deluge of fears surrounding computing-in-the-sky, cloud providers say they are working hard to make sure their cloud services are safe.
"This obviously is something we have been worrying about," said Huang Ying, IBM China Research Lab associate director who leads one of the company's cloud computing projects in China. "We need to remember this is just getting started and the requirements and challenges are just coming out."