Cloud Computing

July 2011. It is hard to say whether, in the long term, cloud computing will take off or end up like many other technology fads of the past: the paperless office, which is slowly becoming a reality about 20 years after being touted as the next big thing, or thin clients, which seemed like a good idea (low-cost desktop PC, centrally managed) until the price of desktop computers and laptops went sub NZD $1000.

The key thing is that the big players are investing heavily in cloud computing. Google, with Gmail, Google Docs and so on, has obviously always offered cloud-based solutions. This might explain why Microsoft is pushing the cloud movement so much: it is a huge threat to the current Windows, Office and MS Exchange revenue streams (i.e. core business). It is simply a case of fighting them head to head with a similar product offering.

Ironically Microsoft's strength probably would have been to take on cloud computing by demonstrating its weaknesses, not by offering similar services.

For business, cloud computing does bring a lot of exciting things to the table, mainly along the lines of collaboration, remote/offsite access and mobile computing. However, it also introduces a whole new level of risk and potential pitfalls. The main risks are security and business continuity.

Internet Access / Reliability.
For New Zealand companies to take the gamble on moving the business to the cloud, they need assurance that their internet connection is going to be 100% reliable. After all, if your critical business information is in the cloud and you have no internet access, then you no longer have access to your data.
The weakness here is not limited to your local internet connection, your internet service provider or their infrastructure; it is every step of the chain which leads to your cloud-based solution. For New Zealand, a lot of cloud computing data centres are located offshore around the world.

Security.
It is a big risk to store confidential and sensitive information in the "Cloud" and businesses need to proceed with caution. It is critical to assess the risks and take the appropriate precautions. The problem is that some businesses are putting their trust in companies which provide free online solutions, without even reading the terms and conditions for the service they are using.

Case in point: recently the free online file sharing service Dropbox faced a major backlash over the Terms and Conditions of its service. The original section read: “You grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service.”

Dropbox has since updated its terms and conditions after customers were enraged by the clause detailing ownership of their data.

This isn't the first security issue for Dropbox. In June 2011, Dropbox accidentally rolled out an update with a security bug which "Made Passwords Optional" for four hours.
Dropbox's response to this blunder: "We’ve now confirmed with Dropbox that the service did have this issue yesterday — Dropbox says that it began after a code push at 1:54 PM PDT and was fixed at 5:46 PM PDT (they had the fix live five minutes after they discovered it). So, in total, the bug was live for around four hours."

The problem is that, while Dropbox is an excellent service for getting a recipe for grandma's apple pie to cousin Betty (if it is too big to email), the service is being used by companies to move sensitive data around.

Many companies will be using cloud-based services like Dropbox to share confidential information with their employees and business partners.

There is definitely a place for services like Dropbox. Their terms and conditions were in place to protect their business model, and it was highly unlikely they would have used your data (or should I say their data, if you ticked the "I agree" box) maliciously or for anything outside its intended purpose. Plus, they obviously didn't mean to accidentally expose your data to everyone in the world (their bad). However, there is another lesson to be learnt.

The lesson isn't to distrust Dropbox or any other cloud-based solution; it is to ask how your data is being exposed and what the risks are.

For companies, the risk isn't so much about the issues around the service; it is about the lack of understanding of the risks by IT departments and managers in their company.

Any employee can use services like Dropbox to move data around. It may be that they need to get that confidential trade pricelist to a printing company, or they could be moving data offsite which they shouldn't be (maybe they are looking for another job and they want to take some of your confidential price info with them).

Sure, they can already do this by copying it to a USB key or onto a laptop, but cloud computing introduces a whole new risk. Unless you reset the Dropbox password, there is a risk they may continue to access confidential information long after they have left your company and are working for your competitor.

Just imagine: another staff member has just uploaded the latest price list and brochure for the secret product you have been working on, and the ex-employee can simply download and view this information. Even worse, they could have given your Dropbox username and password to anybody. But it is not just your ex-employee to be concerned about. What about the employee who worked for the printing company? How is the printer protecting your confidential file, and what happens if their employee leaves? The key point is that your company needs to know the risks and have policies in place to protect your data.

It is not just Dropbox that is damaging the reputation of the cloud computing industry. This is far from a one-off instance; this year alone has seen a number of high-profile failings in the cloud computing arena.

Take the Sony PlayStation Network security breach, which not only compromised the personal information of around 77 million users worldwide, but also resulted in Sony taking the PlayStation Network down for several weeks while they patched the security hole. For users of the PlayStation Network this meant that some gamers were unable to play online games. If this were a cloud-based service for businesses, it would have been unacceptable not to have access to services your business had become reliant on.

Ironically, the attack on Sony's PlayStation Network was reportedly launched from Amazon's EC2 cloud service.

Unfortunately for Sony, Sony Pictures was attacked by hackers in June 2011, only a few months later. In this attack, the hackers responsible reported: "Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it".
One would have expected that Sony would have had better security in place, and it is still unknown if credit card numbers were stolen in the attack. Again, the problem here is not so much Sony's failings; the concern is that many users use the same password for other online (cloud-based) services. So the impact of this attack could be felt for years to come. The stolen data can be mined, and the hackers can build a profile on the users whose data has been compromised and attempt to access things like their online banking.

These are just a few of the higher-profile attacks on cloud-based services in 2011 (as at July 2011).
There have been many more issues recently.

Closer to home, Distribute.IT, an Australian-based domain registrar and hosting company, was recently hacked, leaving all servers down and unrepairable. But that’s not the bad part. They had no offsite backup.

Distribute.IT's official response to their customers (quoted verbatim):
"Our Data Recovery teams have been working around the clock in an attempt to recover data from the affected servers shared Servers. At this time, We regret to inform that the data, sites and emails that were hosted on Drought, Hurricane, Blizzard and Cyclone can be considered by all the experts to be unrecoverable. While every effort will be made to continue to gain access to the lost information from those hosting servers, it seems unlikely that any usable data will can be salvaged from these platforms. In assessing the situation, our greatest fears have been confirmed that not only was the production data erased during the attack, but also key backups, snapshots and other information that would allow us to reconstruct these Servers from the remaining data."[sic]

Another blow for cloud computing, and a good reason to ensure you have your own backup of your critical data, stored somewhere you have full control over!

Article by Craig Robins July 2011.