Stuart McClure has simple advice for companies that want to put their data in the cloud: Don't do it. When it comes to security, the former chief technology officer of McAfee said choosing a safe service can be like "picking a dog with the least fleas."
Yet when McClure needed help running his security startup, Cylance Inc., he didn't heed his own advice. He said he reluctantly hired a company that handles administrative work such as managing employee 401(k)s over the Internet, even though he described the cloud provider's initial security plan as an "abysmal mess."
"It's just a painful process," McClure said. "The challenge is you have to get comfortable accepting a certain amount of risk around the data -- and if you can't do that, you really shouldn't get into the cloud."
The economics of cloud computing have become so irresistible that even die-hard opponents, who fear confidential information will be stolen or service outages will hurt their business, are making the shift to save money on hiring staff and buying computer servers.
Spending on cloud computing is forecast to grow 18.5 percent to $130.7 billion worldwide this year, according to Gartner Inc. As consumers pour data into the websites of Google Inc. and Amazon.com Inc., companies including Salesforce.com Inc., Savvis Inc., Terremark Worldwide Inc. and Rackspace Hosting Inc. have grown up alongside them catering to businesses.
Still, the question about cloud computing remains: Is it secure?
The answer: Large, successful attacks aimed specifically at cloud providers for business have, for the most part, not materialized. Yet.
"I've been looking for it, but I can't find any real evidence that the cloud is more risky than hosting everything completely internal," said Wade Baker, managing principal of Verizon's RISK group, which investigates breaches. Verizon owns cloud provider Terremark. "I've studied a lot of breaches; we get a lot of information from a lot of different organizations, and it doesn't seem to be there."
Most hacking attacks against corporations are still aimed at internal computer systems, he said. Eighty percent of the breaches Verizon investigated in 2012 involved internally hosted data. The remainder involved externally hosted data -- but those breaches began inside companies' networks and spread to the third-party hosting services, not the other way around, Baker said.
While cloud companies are loath to disclose details of attacks against their networks, hackers are clearly paying attention.
FireHost, a cloud hosting company based in Richardson, Texas, blocked more than 64 million attacks last year, said senior security architect Chris Hinkley. Most were directed at FireHost's clients and not the online service itself, he said.
The distinction is important in determining whether the cloud is riskier than using internal networks. Hackers who attack FireHost clients may have no idea they're actually targeting servers managed by a cloud service. But direct assaults against FireHost's infrastructure are growing, Hinkley said, which indicates some hackers are focusing on the cloud.
One upside -- perhaps the only one -- to the high number of attacks is that it gives FireHost valuable insight into hackers' techniques.
"It's a double-edged sword," Hinkley said. "We have thousands upon thousands of different customers on our infrastructure, and we're seeing attacks on those tenants. But the benefit of our infrastructure is we can use all the attack data to protect other clients."
Savvis, a subsidiary of Monroe (Louisiana)-based Internet provider CenturyLink, said last year it was seeing 400 targeted attacks per month on its public application programming interface (API), which amount to direct assaults on the cloud company's infrastructure. Attacks were growing 25 percent per quarter.
The number of attacks has since stabilized, said Chris Richter, Savvis's vice president in charge of security products and services, who declined to give updated numbers.
Google is seeing targeted attacks against both its consumer and corporate data stored in the cloud, according to Eran Feigenbaum, director of security for Google Apps.
"Any online presence that's saying they're not seeing targeted attacks is not being forthright or doesn't have the insight into what's going on," he said. In one high-profile attack, hackers from China targeted the Gmail accounts of human-rights activists in 2009. Google now has 300 information-security professionals focused on protecting company and client data, Feigenbaum said.
Even as the cloud market grows, lingering concerns over security have affected how companies use third-party online services.
Only a fifth of the largest companies use an external cloud service for critical tasks, said John Pescatore, director of emerging security trends at the SANS Institute, a research and training group based in Bethesda, Maryland. For instance, big banks are reluctant to outsource the systems used to process ATM transactions.
Still, cloud services can be especially appealing to small companies that can't afford to run secure data centers, said Richard Bejtlich, chief security officer of Mandiant in Alexandria, Virginia, a firm that investigates hacking attacks.
That was the case for Mike Gustafson, chief executive officer of Virident Systems, a data-storage company. While at a previous company, which only had three full-time IT workers, he was part of an internal debate over whether to outsource critical data to the cloud. The issue boiled down to balancing millions of dollars in savings with the potential security risks. After receiving contractual assurances from the provider, Gustafson signed on.
"For our business model, it was much more attractive to look at a small fixed price," he said.
In spite of his discomfort with cloud services, Cylance's McClure was able to alleviate his concerns by striking a deal with a provider that satisfied his security demands.
"Cloud security is an oxymoron," McClure said. "Unless you're working with veteran, well-established entities, when you start to move away from those more mature models, you get into a slippery slope that falls off really quick when it comes to security."
Security fears often accompany technological change, but those issues can be managed with enough preparation, said the SANS Institute's Pescatore.
"When we left the mainframe, the security guys said the world's over -- how are we going to secure all these PCs?" he said. "Every time we make one of these major changes, security gets broken and threats come around and life goes on."
To contact the reporter for this story: Jordan Robertson in San Francisco at firstname.lastname@example.org
To contact the editor responsible for this story: Marcus Chan in San Francisco at email@example.com