The Unthinkable Risks of the Cloud

Can the small cadre of cloud-computing vendors respond to the needs of their clients quickly enough to fix a breach?

By mid-2013 – meaning now – cloud computing will be in use by about 80 percent of about 600 companies with at least 500 employees each, according to a 2012 TNS Infratest survey. The trend is undeniable: Data management and storage are moving offsite to cloud computing vendors on a vast scale.

Touting cloud computing as a way to eliminate the costs of buying and maintaining on-site information-technology assets, vendors offer it in the form of software as a service (SaaS), a distribution model in which software applications are delivered to clients over a web-based network.

Offered in comprehensive, fully integrated form, SaaS can serve the needs of entire companies through huge, web-based platforms. As cloud computing rapidly becomes the delivery channel for software developers of all shapes and sizes to get their products to market, offering applications in a cloud is now the rule, not the exception.

A relatively small number of vendors have the service capacity to offer SaaS to big companies that want company-wide cloud computing.  The barriers to entry are formidable; only the best-capitalized vendors need apply.  Although market-share statistics are hard to come by, the list of companies large enough to offer cloud computing on this scale is short: Microsoft, Amazon, Google, Salesforce, Rackspace and not many others.

The concentration of data and virtual computing in the hands of relatively few vendors raises an important risk for their clients.  If the Internet-based systems of any one vendor are hacked, the result could be security breaches and invasions of privacy across entire industries in which their clients do business, creating liabilities on an almost unthinkable scale.

Can this small cadre of cloud-computing vendors adequately respond to the needs of their clients to quickly fix such a breach, restore services and, most importantly, cut off the damage to these clients’ own customers?

Can the balance sheet of any one of these vendors protect its clients from such losses and liabilities?

Could a company like Microsoft eliminate the risk of a virus being planted by a hacker in its Azure cloud computing product?  

If it can’t, will its balance sheet – as vast as it is – be enough to protect its clients against wholesale desertion by their customers? 

Don’t think such things can’t happen.  If hackers can penetrate the Department of Defense, the risk that they will penetrate Microsoft or Google cannot be ruled out.  Compromise of just one of these vendors – even one with a modest market share – conceivably could shut down, at least temporarily, a sizable slice of the U.S. economy.

29 thoughts on “The Unthinkable Risks of the Cloud”

  1. “If hackers can penetrate the Department of Defense, the risk that they will penetrate Microsoft or Google cannot be ruled out. ”

    So scary and oh so true. Hackers are very “gifted” people who can really threaten the security of the cloud. That’s why I still use backup for all my files…just in case….

  2. It looks attractive at the first glance. But, as a retired top engineer in the field of military communication these Cloud service providers would have to pay me to have the privilege to store my data processing and storing capacities. It is really foolish, to say the least, to rely on a network infested with hackers and to put you in the hands of such voracious companies such as Google, Microsoft and their likes whose processing resources are not more protected than the US MoD. or the White House.

    • There’s encryption on-the-fly, where you encrypt all of your data before sending them to the cloud.

  3. I agree with “Mitch Medina,” “thepianist1221” and “Senechal Jean.”

    For two reasons:

    (1) What they wrote makes a lot of sense;

    (2) he he, if I were a hacker the first thing I’d probably do is assume an online identity with a seemingly benign pseudonym such as “Adam” or “chester” then post comments about how there’s nothing to worry about.

    • If that’s the *first* thing you’d do then you probably wouldn’t make a very good hacker. ;-)

  4. An interesting corollary is that cloud services may develop faster in jurisdictions offering liability limitations to Cloud Providers, the cyber-equivalent of a financial tax-haven. Look out soon for the appearance of ingeniously-incorporated Cayman-Island-based cloud providers…

  5. You take your chances with a cloud service but prudence requires a good DR plan and a secure offsite backup site when disaster strikes.

  6. Remember, whenever you put your data onto someone else’s server, you cannot delete it or control it because of their server backup system. Even if you close your account with the cloud storage vendor, there could still be a copy of what you saved there somewhere in their system. This is not the same as putting your jewellery in a safe deposit box at a bank where you can empty it and there is nothing left in there. If the information is private and confidential, why would you store it in other people’s server? It is the responsibility of each company and each individual to back up and safeguard what is important and confidential. Putting it in cloud storage is just counterintuitive. Buying your own server and setting up your own offsite storage is not that expensive or complicated.

  7. I’ve looked at clouds from both sides now
    your data’s “safe” but still somehow
    it’s past abuses I recall
    I really don’t trust clouds, at all.

  8. Nice one Joe :o)

    I think you’d have to be insane to trust cloud vendors and insurance is worse than useless because it lulls you into a false sense of security.

    The bell cannot be un-rung – just ask the NSA

    I’ve got data on google but nothing I care too much about
    Important stuff, you have to encrypt and take responsibility for storing it yourself.

    Tony the dinosaur

  9. Apart from the financial risks, there is also the downside that becoming a corporate cloud service user diminishes the competitiveness of your business in the market place because you are now using the very same software that all your competitors also use and you are subject to the very same limitations they are.

    No longer can you gain a competitive advantage by doing things smarter than your competitors. To a large extent this has already happened in service industries. Most services today are the same no matter which vendor you get them from. The differences are microscopic and merely cosmetic.

    If one company offers something, their competitors will also be offering it. If one company can’t offer something, none of their competitors offer it either. No matter where you shop, you are always buying the same product. Choice has become an illusion. The choice is in the nice packaging, the glossy brochures and the branding. No real choice exists.

    Expect this trend to continue as we move further into outsourced services. It’s a race to the bottom where in the end only the lowest-margin highest-volume businesses will survive on tiny margins with low paid employees and high employee turnover, leading to high customer churn rates and ultimately high shareholder churn rates, which finally leads to high volatility in their share price, which then leads to more cost cutting, amplifying the effect.

    It’s a vicious cycle.

  10. I agree. The same applies for free email providers like MS, Yahoo, Google, etc.

  11. I do not understand how anyone can substantiate their alleged ownership of any confidential information once it is submitted to the cloud. How do you establish that the cloudster has preserved the integrity of your information? How many people and how much cloud support documentation and systems security records do you need to present in a court to underpin your assertion that your precious information is your secure and confidential property? Might as well store your secrets in a tin under an oak tree. Cloud, Y2K, global warming, Obama, Central banks……the detritus of modern western civilisation.
    At least the Chinese neo-monarchists are making progress.

  12. It’s no surprise to me that the DoD was hacked. Google hires the best hackers in the world to try to hack their system. They even set up challenges to hackers to test their systems. The DoD on the other hand, has limited funding and suffers from funding cuts every time they cut the budget. So the DoD doesn’t have the money or the talent to throw at protecting their (our) data, at least not to the level of Google. Also, the DoD doesn’t have a billion dollar “brand” to protect…

  13. What is the atmosphere where clouds exist? Is it not by definition the surrounding gaseous environment of pressures and influences of heat and cold? Heat and cold (lack of heat) contrasts result in powerful storms at times. Similarly the definition of atmosphere can be defined as the influence, mental, or moral environment. Our post-modern philosophical world seriously lacks more and more stable grounding in unshakable truth. In skillful, ingenious and the most suitable irony, humankind naturally moves not only their philosophies to “lofty beliefs” but also the essence of their work and personal information from the ground (which clearly at times can be shaken, but is generally more stable) to “the cloud” which is even more volatile to outward pressures (that’s the definition of atmosphere) and volatile changes from evil influences.

    Clouds are pretty on nice days, but tend to be very volatile to atmospheric (i.e. surrounding and pervading influences) conditions. Given the quick deterioration of the moral climate in this world, the cloud becomes that much more volatile and vulnerable.

    As the author nicely warns, be careful and wary of clouds – collections of information into larger clouds does not necessarily protect anything. Rather larger and larger clouds tend to produce the perfect storm.

    • Additionally, clouds also have the uncanny knack for distorting clear vision and at times hiding things. Things are better seen in the light, but people naturally love darkness because their deeds are evil.

  14. If we do a comparison between a safe deposit box where we keep our physical valuables and cloud storage where we keep our information valuables, some things immediately stand out. (Note: in both cases we have outsourced the management/security/privacy of our valuables to 3rd parties). The value of the contents in the safe deposit box generally are the contents themselves, i.e., your jewellery, physical money etc. A breach of security of the safe deposit box would most likely entail the actual physical loss of the items. The element of privacy does not really arise i.e., nobody would take the trouble to break into your box, just note down what you have in it and then leave. And, even if they did that, it’s very likely that evidence of their actions would be apparent. In contrast, cloud services deal with information valuables. There is no physical entity. From a security perspective, even if someone “destroys” your information valuable, you could most likely recreate them from backups! However, the greatest threat for information valuables is from privacy breaches – data leakage. Your data could be in hands of your business rival and you would have no clue that they have it. You would never know if someone had taken a peek at your data and made copies of it. Of course, these things can also happen in internal Data Centres – but I feel that the risks with the 3rd parties would likely be higher. Why? Staff don’t work for you directly – hence possibly lesser allegiance to your needs; Managing many different organisations’ data may be a challenge; single point of failure perhaps; other organisation’s rogue/faulty apps may indirectly affect you. These are just some possible reasons.
    But I feel that unless these providers can provide bullet-proof assurances on privacy, large organisations which can afford to run their IT shops would continue to abstain from jumping on the bandwagon.

  15. Some of the points in this article are valid – but some are screamers too:

    “A relatively small number of vendors have the service capacity to offer SaaS to big companies that want company-wide cloud computing”

    Sorry? We’re talking about delivering a business requirement that was most likely previously provided by an internal IT department – but as soon as we move that requirement to the cloud, there’s only a half dozen providers that can manage? Really?

    For what application is that – ERP? Email? CRM? Most of these applications would previously have been hosted on a relative handful of midrange or commodity servers internally, or have been happily provided by ASPs and Hosting providers for years.

    Most other centrally accessible apps I’ve seen in large organisations are either relatively vertical, or bespoke – they just aren’t built for parallel scaling under the SaaS/IaaS model that “cloud” implies. Nor do they usually need to be – not many businesses add and remove knowledge workers at the rate that make parallel scaling architectures a requirement. In practice, that means again that these apps can generally run on a small number of VMs provided by any platform provider that takes your fancy.

    Now – talk of security, backups, data retention etc all make sense – but they’re pretty much the same discussions that you’d have with any IT vendor – and a huge number of large businesses outsourced big chunks of their IT anyway.
    Moving to the cloud doesn’t need to be any different – talk to your vendor, have them agree to how they’re going to treat your data, and have them sign a contract to that effect.

    Does that make them immune to being hacked – of course not. But you weren’t immune to that when you hosted your own infrastructure – and if you’ve selected the right vendor (good luck :-) ) then your overall security has improved.

    I would actually argue that for most businesses, a mid-sized hosting vendor is going to be your best bet. Large enough to have economies of scale and automation systems in place – small enough to care deeply about a relationship with your business, and to be willing to work with you on data retention, security and ownership issues.

    If you’re just throwing your data willy-nilly on to Amazon or another hyperscale provider – well, accept that even a large organisation’s internal IT requirements are going to be minuscule at that scale, and you’ll be treated as such.

  16. Dear Mr. Wood,

    It would appear that you have done extensive research on this topic.
    However it would also appear you have absolutely no knowledge of what you are talking about.

    You state that these vendors offer cloud in the form of “SaaS”… Hmmm, wait a minute, SaaS = Software as a Service.

    Ok, true, SaaS is a form of cloud (also see; IaaS & PaaS).

    Yet, then you state that this is controlled by a “small cadre” of vendors, LIE!
    Facebook, Instagram, Twitter and MANY more, all fall under this SaaS category.

    The vendors you mention in the post and the way you are talking about “cloud” would suggest that you are actually referring to IaaS. On IaaS you are in control of your own virtual server, not unlike your own physical server.

    Please do more research OR consult someone with the appropriate knowledge before spouting a dystopian view on technology that has been around since (depending on your point of view) 2006.

    PS. hackers can hack into your small company’s network also… or even your home computer. General rule of thumb – if it has internet access, it can be hacked.
    E.g. car or perhaps the internet connected pacemaker. See
    http://www.ibtimes.com/car-hacking-darpa-funded-researchers-take-control-toyota-prius-ford-escape-using-laptop-video
    http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/

  17. Write it on a piece of paper and tuck it away under the carpet, and no one will find it, but your wife!
