Cloud Computing, Technology Security

Hotmail Breach shows off the dangers of the Cloud…


Just a couple of days ago I talked about the unfortunate tendency for corporations to look for the cheapest solution, not the best. While covering that I touched on the newfound trust in Cloud Computing. This is a trend where big companies, looking to save money, are turning to hosted solutions for e-mail, documents, even operating systems instead of controlling them all on their own.

The problem is that these systems are not very secure. Web-based e-mail and document systems are all too easy to breach. Just look at the recent leak of "several thousand" Hotmail accounts to a third party site "most likely due to a phishing scam". That is a lot of user accounts to be exposed by a phishing scam if you ask me, and it serves as an example of how insecure these systems can be. Now I know we are seeing a free web-based solution here, but it is pretty much a cloud type of service. Yes, not all cloud systems are this insecure, and not all will be vulnerable to this type of attack, but it is still a cause for concern here.

It shows that Cloud Solutions are not quite there yet and are really only being considered due to a perceived cost reduction. When you place your trust in a cloud based solution you are working on the assumption that all of your data, from e-mails to confidential documents, is secure from intrusion. You place your company’s very life in someone else’s hands. If you maintain your systems on your own [even if you co-locate] you have the responsibility and know your defenses. You can secure it from attack on your own. When you place your information in someone else’s care you do not know what they are doing nor how often attempted breaches occur. This information is often kept from customers under the heading of trade secrets or just plain "for security reasons".

It is information that a customer should know though. Not the details, but the general information of how your data is secured [if you are a paying customer], with a full disclosure of the scale of attempted attacks that are successfully prevented given on a monthly or quarterly basis. However, none of the companies I contacted were willing to include that for their cloud services when I asked about it.

So why are these systems being pushed by many corporate IT managers and CIOs? Well, as I mentioned above, it is all about money. If I can move all of my documents, applications, mail, etc. to a cloud based system I can save on power, salaries [you do not need as large of an IT Staff] and hardware. But this perceived cost savings is not really there. After all, can anyone place a price on customer or employee personal information loss [just look at what could have happened to that bank]? Considering the number of attacks that happen every day to the large number of individual companies that host and co-locate their own systems, imagine how much more concentrated that will become if many of these are moved to the same group or groups of servers! It is the equivalent of putting all of your eggs in one basket [something that we are always told not to do as kids], one big, easily found, clunky basket, and then putting a sign on that basket saying "All my Eggs are here, along with lots of other people’s Eggs".

The people running the clouds also are only concerned with money. Getting you to move to their cloud systems is a steady stream of revenue. You pay monthly for the service [yes I know there are free cloud systems but I am talking about paid corporate services] whatever it is, from e-mail to documents to OS. Now, think about it: you are paying a corporation [to save money] that is also looking for the cheapest way to provide the service [to save money].

Sort of turns that shiny white cloud to a much more murky grey. I know for me it excludes the use of cloud computing for the foreseeable future. Let’s face it, the internet is a dangerous place. Why would I put my company’s information out there and risk it?