SP&T News Sécurité Québec Security Pages Focus On Security Expo Security Bookstore
  • JUser::_load: Unable to load user with id: 341

Cloud computing: good or bad?

November 28, 2011 Written by 
To use the cloud or not to use the cloud, that is the question.I recently met with the CEO of a large company who had suffered a network security breach. He asked the question, why did this happen and why didn’t my Information Systems people prevent the attack? My answer was simple. As the CEO, you drive your business to have network connectivity and availability. Security is something that always seems to get in the way and only becomes a priority when something bad happens.

Businesses that drive towards connectivity and availability often overlook the key components of security.
What is the cloud and should businesses gravitate towards it? There are clearly many advantages from a corporate perspective. The ability to access data from anywhere an Internet connection is available, without having to worry about getting into your corporate network through a VPN (Virtual Private Network) is clearly of huge benefit. It also takes the burden off the Information Systems department and moves it into the virtual realm. How nice is that, not having to rely on the IT department anymore for your data access?

Today, we now have the iCloud. I am not a Mac user, and I recently learned about this new offering from Apple. iCloud will give you fully fledged replacements for MobileMe’s iDisk and iWork.com (the beta website service Apple launched alongside iWork ’09 that enabled you to share your Keynote, Numbers and Pages documents with friends and co-workers, while also acting as a handy backup).

Instead, iCloud will now give you iCloud Storage, another push-based cloud computing service that will automatically synchronize any new documents you create on your Mac, iPad, iPod or iPhone to the other devices you own. So no longer will you have to worry that you’ve left behind a crucial Keynote presentation for work on your Mac at home.

Another new feature of iCloud is the Photo Stream service, which enables you to do with your pictures what you can do with your documents – sync and share them seamlessly and easily using push technology. On the Mac, this feature will be integrated into a future update to iPhoto, but you can already imagine what that means for photos you’ve take on your iOS device: they’ll also automatically appear on your Mac and other Apple devices — and they’ll even appear in the My Pictures folder of your work computer.

Most of my work today involves the computer aspect of civil litigation. Inevitably someone has stolen customer lists or intellectual property for the purpose of realizing a financial gain. I have been involved in cases where one company has sent in an undercover person to steal that property from their competition, or enticed an employee to leave the competition and work for them. There are also other ways of getting information. Take the example of a couple involved in divorce litigation and one of the partners is trying to find hidden accounts that may be in the possession of the other. I asked one of my private investigator friends how it would be possible to obtain that type of information without seeking a judicial order. Simple, he said: there is always someone who is willing to give up the information for a price. What he was really saying was, I can pay someone on the inside to divulge that information “unofficially.” The only question left is how much will it cost.

Which brings us back to the issues around cloud computing. As a security professional I can only say it is a bad idea, a very bad idea. Let me give you my two questions for cloud computing: If someone were to have access to this information, would you care? Does this information have any value to anyone else?

If the answer is yes to either of these two questions, then the only way that I could suggest using the cloud is if that data is encrypted and the keys (passwords) are not stored with the information. My basic premise is this: storing confidential or proprietary information in the cloud is just not a smart thing to do if you have any concerns over protecting your intellectual property. You have no idea who has access to it or even where it is being stored.

As much as the cloud seems like a good idea, it isn’t. The next wave of news articles won’t be about how millions of credit card records were stolen from Company “X” it will be about the intellectual property that was stolen from the cloud. Bets anyone?

Marty Musters is the Director of Forensics for Computer Forensics Inc. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it

Email This e-mail address is being protected from spambots. You need JavaScript enabled to view it


+1 #1 Cynthia Weeden 2011-11-29 09:44
While I respect Marty's opinion, I would take the opposite stance. Software providers using the cloud to deliver applications usually have more rigor than corporations in protecting their own data. As part of your due diligence, be sure that applications are hosted in Canada (for privacy reasons), have SAS 70 certification, are in a Tier 1 data center, and the contract requires them to disclose any breaches. YOu also can request the right to conduct a physical security assessment of the data center. I work with many cloud-based applications including mass notification and security incident management and find the vendors are extremely diligent. Their business depends on it. As Marty said, security within a corporation is often less of a priority for a CEO than achieving their core business strategy.

Add comment

Security code