Cloud Security Is Looking Overcast
Eran Feigenbaum knows a thing or two about risk. He moonlights as the TV and stage magician “Eran Raven,” known for stunts involving snakes, scorpions, and razor blades. He once played Russian roulette with nail guns on the NBC show Phenomenon, and in August he did a five-day run at Planet Hollywood in Las Vegas. That pedigree serves him well in his day job as director of security for Google’s business applications, where he’s responsible for convincing corporate risk managers of the safety of cloud computing. Working in computer security requires “a hyperawareness” of risk, he says, “the same as when you’re on stage performing with nail guns.”
Cloud computing has become one of tech’s biggest buzzwords. These services, offered by Google, Microsoft, Amazon.com, and dozens of others, provide computing power over the Internet as an alternative for companies that have traditionally bought their own fleets of giant server computers. The approach has won fans among corporate software developers and rank-and-file employees who like having access to documents and programs from any device at any time.
Corporate policymakers, though, have yet to fully embrace the cloud, fearing that the services may compromise proprietary data. A survey by researcher IDC found that fewer than a third of IT executives feel the benefits of cloud computing outweigh its risks. Nearly a quarter of the 500 executives surveyed said they don’t fully understand the regulatory and compliance issues in cloud computing, and 47 percent said cloud services present a security threat. Companies that don’t understand the risks “just shouldn’t use cloud computing,” says IDC analyst Phil Hochmuth. “The potential for a security breach or a compliance violation can be high.”
David Bodnick is seeing the change firsthand. “The risks of the cloud have been particularly salient for a few of our clients,” says Bodnick, president of WebIntensive Software, a New York company that develops online applications for dozens of customers such as LexisNexis, the United Nations, and Columbia University. One WebIntensive client, a search engine called Startpage, didn’t want to use a cloud service because it feared its data might remain on remote servers, and Startpage promises customers that it won’t store their Web-search history. A health-care information company let WebIntensive incorporate cloud storage into its application, but only if patient information were encrypted, which boosted the cost by 15 percent. “We are now getting questions that we didn’t before about the safety of hosting applications in the cloud,” says Bodnick.
Information technology managers say cloud computing lets employees skirt policies meant to keep viruses and hackers out of corporate systems and ensure compliance with regulations governing e-mail communications. At SF Bay Pediatrics in San Francisco and Mill Valley, Calif., doctors can collaborate on informational pamphlets for patients using Google Apps and online file storage service Dropbox, and can e-mail photos of conditions taken with their iPhones, says Chief Information Officer Andrew Johnson. But they’re forbidden from recording diagnoses or other information about patients because online services can’t guarantee adherence to federal privacy regulations. “We don’t store any of that in the cloud,” Johnson says.
Some managers who have tentatively adopted cloud computing fret that it may not be as reliable as their own systems. In April and in August, Amazon Web Services suffered crashes that took down sites including Netflix and smartphone app developer Foursquare. Online services from Microsoft and Google have had similar disruptions, cutting off users of Web-based e-mail, document sharing, and other applications. That has led to fears about buying too many essential programs from cloud services, says Sanjay Poonen, president of global solutions at business software maker SAP. Although SAP in May struck a deal to run some of its applications on Amazon’s service, Poonen says, “Nobody’s ready to move their entire business process, end-to-end, to the cloud.”
Cloud companies say they understand the worries. “When enterprises move to the cloud they are embarking on a fundamentally different way of doing computing,” says Adam Selipsky, vice-president of Amazon Web Services. Amazon, Microsoft, and Google all say they undergo a battery of risk audits of a host of factors such as access to data centers, safeguards on personal information in credit-card transactions, and firewalls to ward off hackers. Furthermore, they say, their services can be more reliable than many corporate systems. Gmail, for instance, was operational 99.984 percent of the time in 2010, and is at 99.99 percent uptime so far this year, Feigenbaum says. “That’s less than five minutes of downtime a month. Not too many organizations can do that internally.”