Google and proponents of cloud computing were quick to say that this week's Google hack should not raise questions about the inherent security of the cloud, but the incident is fueling debate about the safety of storing data in facilities accessed over the Internet.
Google's stance on China shatters security inhibitions
Google said “this was not an assault on cloud computing.” Meanwhile, the founder of cloud vendor Elastic Vapor, Reuven Cohen, asserted that “the Google Hack proves the cloud is more secure than traditional desktop software, not less,” apparently because systems were “compromised through phishing scams or malware, not through holes in Google's computing infrastructure.”
Others disputed this idea, such as Search Engine Land editor Danny Sullivan, who wondered if the security breach “will develop into a major reversal for the growth of cloud computing.”
Pund-IT analyst Charles King cautioned that we still don't know all the details of the breach, but said it should raise concerns about the security of cloud computing services. All IT systems, whether in the cloud or not, have some inherent flaws, but “any time a data center is open to the public Internet, there is the opportunity that it can be hacked in a number of ways,” he says.
“Every system has some inherent flaw or weakness. People do break into supposedly impregnable bank vaults, tunnel through walls,” King says. “No house is burglar proof and the same can be said of data centers. The bottom line here for me is some of the people who have been promoting cloud as … the future of IT have really been overstating the case. I think we will continue to see events like Google and the [T-Mobile] Sidekick failure over time.”
Google on Tuesday said that in mid-December it faced “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” Attackers were apparently attempting to access the Gmail accounts of Chinese human rights activists, and also launched attacks against more than 30 other companies.
Later in the week, it was reported that a flaw in Internet Explorer had been exploited to hack into Google's corporate networks, and Microsoft said it is working on a patch.
On Twitter and in blog postings, industry observers debated whether the attack is proof of security problems specific to cloud computing, a phrase that generally refers to computing resources made publicly available through the Internet.
“This was not an assault on cloud computing,” Google asserted in its official blog. “It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.”
Google's main business is delivering advertising-supported Web search results, of course, but the company has also become a custodian of enterprise data because of services such as Google Apps, a Web-hosted alternative to Microsoft Exchange.
It is thus important for Google to convince businesses that storing data in Google facilities is safe, despite the events of last month.
Sullivan, in his blog post, noted that he has been moving more and more data into Google services but is rethinking that strategy in the wake of Google's security troubles. He criticized Google's insistence that the attack was not an assault on cloud computing.
“It was very much an attack on cloud computing, as Google's main blog post made clear,” Sullivan wrote. “Hackers went after Gmail accounts, not just through malware-infected computers but directly by targeting Google, that post told us. Gmail — your e-mail, stored in the cloud. That's an attack on cloud computing.”
Cohen disagreed in his own blog post, saying the attack doesn't reveal any deficiency in cloud security because hackers used social engineering techniques to gain access to private systems.
“What this hack really proves is that people are easier to hack then networks,” Cohen writes. “The weakest links are the people who are stupid enough to open an attachment they don't recognize, even if it appeared to be from someone they trusted. That's the beauty of social engineering based hacks. The e-mail appears to be from your mother, father, friend or colleague. The lesson we must learn is one of education, don't open attachments you don't recognize.”
Regardless of how the attack was executed, it did happen and consumers of cloud-based services should remember that there are risks when storing data with a third party, King says.
“Just because you're using a cloud service doesn't obviate the need for backing up data to a local hard drive,” King says. “Like anything else the online data repositories are not infallible, and it's critical for consumers and businesses to protect their data and protect themselves in multiple ways.”
