To cloud or not to cloud?

By Zack Schuler, CEO, Cal Net Technology Group

There has been more and more talk about “Cloud Computing” which I have personally seen start to take off, especially in the microbusiness space.  One of the vendors that I’m dealing with is using Google apps for just about everything, from email, calendering, to word processing, document sharing, etc.  For a company that doesn’t have a complex infrastructure, where applications don’t need to talk to each other much, this seems like a pretty good solution.

I start to question the viability of this model as you scale up in company size.  I am going to talk later about why I question this from an integration standpoint; for now I’m going to quickly focus on the security behind it.

I was fortunate to have coffee with a man by the name of Jason Lidow a couple of days ago.  Jason is the principle of The Digitrust Group, a boutique security company (you can read more about Digitrust on our partner page (http://www.calnettech.com/technologies_ProductandServicePartners.php)

Jason and his team can and have write exploits for just about any piece of software out there, and if they wanted to, can basically break into any small business or middle market company that is out there, merely because these companies have not covered 100% of their security risks.

So, as smaller companies begin to provide cloud offerings, think about what kind of target they are going to be by the hacking community?  If a hacker works based on “impact” where is he/she going to go?  Are they going to target a middle market company where they can affect 100 users and one company, or are they going to focus on a middle market cloud company, where they can impact thousands of companies and tens of thousands of users?

Getting away from a hacker focusing on impact, think about data.  Think about the amount of data they can get their hands on if they breach the cloud?  Then think about how the cloud company will have to notify (if they know about the breach) the company’s that use their hosted solution, and then each company will have to notify their clients/vendors/ etc. about the breach.  This gets ugly, fast.

My question is, what kind of disclosure do cloud providers provide the end-user with respect to how much security they’ve got in place?  Furthermore, and more importantly, how many CIO’s are in a position to decipher whether or not that security is adequate?  After all, their private data is now outside of their control, and for me (only being a CEO), that is a scary proposition.  Security is complex, and only a true expert can understand most of what the potential risks are. 

When asking Jason about this, here was his response  This is a hot topic and on everyone’s mind. People want to know what type of security is in place at these hosted providers (to prevent intrusions / DDoS / etc).  

I think we are going to see some very high profile breaches in the near future. The very interesting part will be how many providers actually have the hardware, software and skillset to *really* know if they have been hacked by experts such as highly trained organized crime (or even foreign intelligence). Some places will undoubtedly be breached by rookies and large disclosures will take place. It’s the former that I stress about.” 

In the interest of keeping this short and increasing is readability factor, I’m going to stop here and let you ponder this point.  I will talk later about integration issues that I foresee, and then usability issues with respect to cloud computing.