Cloud computing: good or bad?

Businesses that drive towards connectivity and availability often overlook the key components of security.
What is the cloud and should businesses gravitate towards it? There are clearly many advantages from a corporate perspective. The ability to access data from anywhere an Internet connection is available, without having to worry about getting into your corporate network through a VPN (Virtual Private Network) is clearly of huge benefit. It also takes the burden off the Information Systems department and moves it into the virtual realm. How nice is that, not having to rely on the IT department anymore for your data access?

Today, we now have the iCloud. I am not a Mac user, and I recently learned about this new offering from Apple. iCloud will give you fully fledged replacements for MobileMe’s iDisk and iWork.com (the beta website service Apple launched alongside iWork ’09 that enabled you to share your Keynote, Numbers and Pages documents with friends and co-workers, while also acting as a handy backup).

Instead, iCloud will now give you iCloud Storage, another push-based cloud computing service that will automatically synchronize any new documents you create on your Mac, iPad, iPod or iPhone to the other devices you own. So no longer will you have to worry that you’ve left behind a crucial Keynote presentation for work on your Mac at home.

Another new feature of iCloud is the Photo Stream service, which enables you to do with your pictures what you can do with your documents – sync and share them seamlessly and easily using push technology. On the Mac, this feature will be integrated into a future update to iPhoto, but you can already imagine what that means for photos you’ve take on your iOS device: they’ll also automatically appear on your Mac and other Apple devices — and they’ll even appear in the My Pictures folder of your work computer.

Most of my work today involves the computer aspect of civil litigation. Inevitably someone has stolen customer lists or intellectual property for the purpose of realizing a financial gain. I have been involved in cases where one company has sent in an undercover person to steal that property from their competition, or enticed an employee to leave the competition and work for them. There are also other ways of getting information. Take the example of a couple involved in divorce litigation and one of the partners is trying to find hidden accounts that may be in the possession of the other. I asked one of my private investigator friends how it would be possible to obtain that type of information without seeking a judicial order. Simple, he said: there is always someone who is willing to give up the information for a price. What he was really saying was, I can pay someone on the inside to divulge that information “unofficially.” The only question left is how much will it cost.

Which brings us back to the issues around cloud computing. As a security professional I can only say it is a bad idea, a very bad idea. Let me give you my two questions for cloud computing: If someone were to have access to this information, would you care? Does this information have any value to anyone else?

If the answer is yes to either of these two questions, then the only way that I could suggest using the cloud is if that data is encrypted and the keys (passwords) are not stored with the information. My basic premise is this: storing confidential or proprietary information in the cloud is just not a smart thing to do if you have any concerns over protecting your intellectual property. You have no idea who has access to it or even where it is being stored.

As much as the cloud seems like a good idea, it isn’t. The next wave of news articles won’t be about how millions of credit card records were stolen from Company “X” it will be about the intellectual property that was stolen from the cloud. Bets anyone?

Marty Musters is the Director of Forensics for Computer Forensics Inc. He can be reached at mmusters@computerforensics.ca