Internet-based cloud services are gathering an enormous trove of information. Everything from highly personal medical and social media material to confidential financial and corporate documents are being stored online. Already a quarter of the world’s business data is cloud based. This is proving an irresistible lure for hackers.
One notable example was the February 2011 breach at Nasdaq’s Directors Desk, which maintains records for thousands of corporations. Nasdaq has said little about what happened. But the case reportedly has prompted several federal investigations and sparked speculation that the culprits could have spied on secret communications of company board members.
Coupled with more recent breaches at LinkedIn, Twitter and web marketer Epsilon — along with surveys showing that such attacks are alarmingly common among businesses — many experts say too little is being done to prevent cyber crooks from pilfering credit card numbers, trade secrets and other sensitive data on the cloud.
“It’s scary,” said Eric Chiu, co-founder and president of Californian security company HyTrust. If a hacker gets access to that information, he said, “they’ve got the keys to your kingdom. They can make copies of everything you have, and they can potentially destroy your data centre.”
The cloud is used to send email, print from mobile devices, exchange medical information, share on social networks and much more. Among cloud document-storage services (such as Dropbox and Google Drive) alone, the number of subscribers will double from 625 million this year to 1.3 billion in 2017, according to market researcher IHS.
Corporations have been among the biggest adopters. Research company Gartner has predicted that the worldwide revenue from public clouds, a popular kind shared by multiple customers, will soar from $US91.4 billion (NZ$110.6 billion) in 2011 to $US206.6 billion in 2016.
Yet the trend poses risks. Symantec in January reported that 43 per cent of the 3236 businesses it queried had “lost data in the cloud”, although it didn’t ask how much was due to cyber attacks.
Those companies weren’t alone. Of nearly 500 information-technology professionals Intel recently surveyed, 46 per cent said their companies had suffered a security breach — meaning their data was lost or accessed by unauthorised means — on two popular types of clouds. And most of the victims said they were experiencing more breaches than when they had kept the data on their own networks.
Some information placed in the cloud can get into the wrong hands because of equipment mishaps or employee foul-ups. There also are growing fears it could happen as a result of lawsuits or government subpoenas. Of 100-plus IT professionals polled last year by security company Lieberman Software, 48 per cent said “the thought of government or legal action deters them from keeping data in the cloud”. But hackers are among the biggest concerns, and many businesses mistakenly assume their cloud providers will keep the crooks at bay, said JD Sherry of the Japanese security company Trend Micro. While offering some protections, he said, the providers often leave security largely to their customers.
“That burden of responsibility typically falls upon the customer, and that often can be a huge challenge for a lot of folks,” he said.
Amazon provides a wide array of security measures for its cloud services, according to a company statement. But it said a customer of those services “assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the (Amazon)-provided security group firewall.”
It’s not clear how much monetary or other damage has been caused by cloud data breaches. Officials at Epsilon and Twitter have issued only terse comments about their breaches, while LinkedIn has argued in response to a lawsuit over its hacking that no one was seriously harmed.
But Eve Maler, a Forrester Research principal analyst, said even a social media site break-in can cause havoc.
“The bad guys might see direct messages containing personal information meant for the company, or could send out messages that harm the company’s brand or business,” she said.
Breaches of corporate financial data and trade secrets could be far more serious, and cloud-based companies will have to become quicker at responding to cyber attacks, said Art Gilliland, general manger of enterprise security products at Hewlett-Packard. Even so, he predicted more companies will be victimised as they shift their data into the ether.
“It’s going to happen,” he said. “It’s inevitable.”
By the numbers
Almost a quarter of all business information globally is now in the cloud, according to Symantec.
Among cloud document-storage services, such as Dropbox and Google Drive, the number of subscribers will double from 625 million this year to 1.3 billion in 2017, according to market researcher IHS.
Gartner predicts worldwide revenue from public clouds, a kind shared by customers, will soar from $91.4 billion in 2011 to $206.6 billion in 2016. But the security of cloud data is a big concern.
Of nearly 500 information-technology professionals Intel recently surveyed, 46 per cent said their companies had suffered a security breach on public and related “hybrid” clouds.
Symantec in January reported that 43 per cent of the 3236 businesses it queried had “lost data in the cloud”. In a survey last year of 2007 American adults by CouponCodes4u, an online site that provides coupons and other discounts by retailers, only 31 per cent said they felt safe storing personal documents through a cloud provider.
– Steve Johnson