Cloud use grows, and so does security threat

by Steve Johnson, San Jose Mercury News

Holding everything from highly personal medical and social media material to confidential financial and corporate documents, Internet-based cloud services are gathering an enormous trove of information — already a quarter of the world’s business data — that is proving a powerful lure for hackers.

One notable example was the February 2011 breach at Nasdaq’s Directors Desk, which maintains records for thousands of corporations. Nasdaq has said little about what happened. But the case reportedly has prompted several federal investigations and sparked speculation that the culprits could have spied on secret communications of company board members.

Coupled with more recent breaches at Web Marketer Epsilon, LinkedIn and Twitter — along with surveys showing such attacks alarmingly common among businesses — many experts say too little is being done to prevent cyber crooks from pilfering credit card numbers, trade secrets and other sensitive data on the cloud.

"It’s scary," said Eric Chiu, co-founder and president of Mountain View security company HyTrust. If a hacker gets access to that information, he said, "they’ve got the keys to your kingdom. They can make copies of everything you have and they can potentially destroy your data center."

Although definitions of cloud computing vary, it usually involves a shared service that lets customers access their data using Internet-based software or servers. Cloud storage can cut a company’s costs, and make it easy to retrieve information from nearly anywhere via the Internet.

The cloud is used to send email, print from mobile devices, exchange medical information, share on social networks and much more. Just among cloud document-storage services, such as Dropbox and Google Drive, the number of subscribers will double from 625 million this year to 1.3 billion in 2017, according to market researcher IHS.

Corporations have been among the biggest adopters. Research firm Gartner has predicted that the worldwide revenue from public clouds, a popular kind shared by multiple customers, will soar from $91.4 billion in 2011 to $206.6 billion in 2016.

Yet the trend poses risks. Symantec in January reported that 43 percent of the 3,236 businesses it queried had "lost data in the cloud," although it didn’t ask how much was due to cyber attacks.

Those companies weren’t alone. Of nearly 500 information-technology professionals Intel recently surveyed, 46 percent said their firms had suffered a security breach — meaning their data was lost or accessed by unauthorized means — on two popular types of clouds. And most of the victims said they were experiencing more breaches than when they had kept the data on their own networks.

Some information placed in the cloud can get into the wrong hands because of equipment mishaps or employee foul-ups. There also are growing fears it could happen it as a result of lawsuits or government subpoenas. Of 100-plus IT professionals polled last year by security firm Lieberman Software, 48 percent said "the thought of government or legal action deters them from keeping data in the cloud."

But hackers are among the biggest concerns, and many businesses mistakenly assume their cloud providers will keep the crooks at bay, said JD Sherry of the Japanese security firm Trend Micro. While offering some protections, he said, the providers often leave security largely to their customers.

"That burden of responsibility typically falls upon the customer and that often can be a huge challenge for a lot of folks," he said.

Amazon provides a wide array of security measures for its cloud services, according to a company statement. But it said a customer of those services "assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the (Amazon)-provided security group firewall."

It’s not clear how much monetary or other damage has been caused by cloud data breaches. Officials at Epsilon and Twitter have issued only terse comments about their breaches, while LinkedIn has argued in response to a lawsuit over its hacking that no one was seriously harmed.

But Eve Maler, a Forrester Research principal analyst, said even a social media site break-in can cause havoc.

"The bad guys might see direct messages containing personal information meant for the company, or could send out messages that harm the company’s brand or business," she said.

Breaches of corporate financial data and trade secrets could be far more serious, and cloud-based companies will have to become quicker at responding to cyber attacks, said Art Gilliland, general manger of enterprise security products at Hewlett-Packard. Even so, he predicted more companies will be victimized as they shift their data into the ether.

"It’s going to happen," he said. "It’s inevitable."