The qualities which make the cloud so appealing are also those which make it most vulnerable. Being able to offload storage of the growing mountain of corporate data to a third party, while making it accessible from any location on any device with an internet connection, has huge advantages for a business. It is also a huge temptation for hackers.
It has been a busy year for Lulz Security and other hacking co-operatives, with big, high-profile targets compromised. Sega and Sony's gaming networks have fallen prey, as has Apple's iTunes service. The most audacious target was RSA, a security firm which produces code-generating fobs used by 40m businesses to protect their own networks.
In fact, in most of the well-publicised cases, the servers attacked were managed by their owners and not by a cloud host. Where it played a role, the cloud tended to be used by the hackers against their target companies.
Releasing data
At RSA the unidentified hacker transferred sensitive information off company servers on to a hacked cloud-hosted server. Amazon, one of the leading renters of cloud storage, is reported to have unwittingly provided a server used in the Sony attack, although the company has never confirmed this. A hacker used a bogus name to set up an account for the raid on Sony's PlayStation network during which the login names, passwords and other personal details of 77 million users were compromised.
Given such publicity, IT managers are understandably worried about releasing their data on to other firm's servers. A global survey published earlier this year by Trend Micro of 1,200 IT executives (at companies with more than 500 employees) found that just 10% were currently using cloud services. Of these, 43% had experienced a data security lapse or issue with their cloud provider in the past 12 months.
"Security is something which should be pushed more and more to the fore," says Simon Bain, whose company Simplexo supplies secure remote access to emails and documents.
Simplexo's system stores emails and documents. Customers on the move can retrieve them by typing a keyword into a search box and Simplexo will search the files to find the relevant information.
It does index file content in order to do this, but the index is written in code. Simplexo does not store usernames and passwords either, if a customer loses them they are simply obliged to re-register. If the system is hacked, each individual's information is "sand boxed" or stored separately.
Other companies, such as Telehouse, which runs 41 data centres around the world, maintain security by using a combination of firewalls and intrusion detection software.
The detection software Telehouse uses seeks out unusual patterns from a network, finding repetitive or continuous communication. It can also detect unusually heavy traffic. If the bandwidth being used on a particular interface goes above, say, 95%, a warning is triggered, which alerts human monitors.
Telehouse systems integration manager, Paul Kanabahita, says: "If a customer has a problem, we can know well before they do what the problem is."
Steve Hughes, senior cloud expert at telecoms and networks firm Colt Group, says IT mangers should seek out cloud providers with ISO (International Standards Organisation) accreditation. The standards require providers to vet their staff and have secure access to their server farms – no entry without a pin and a card.
He says protecting traffic in transit can be important for some customers. Encryption can be used for significantly more expense – private networks built where no other companies use the fibre optic cable carrying your data between particular servers.
Colt runs private connections between 25 European stock exchanges, including London's main exchange, and banks and hedge funds trading on them. The networks are not only secure, they allow information to be sent and received more quickly, shaving valuable fractions of seconds off the time it takes to make a trade.
"You provide the appropriate risk profile for the appropriate application," says Hughes. "It's not one cloud fits all."
Colt runs pairs of data centres in 10 European countries, so that if one goes down or is under attack genuine traffic can be transferred to the other without leaving the country. Because European data protection rules vary by nation, keeping information from crossing borders can be important for companies handling sensitive personal information.
For many firms, just working out what is being stored and where is a challenge. Chris Russell, vice president of engineering at Swivel Secure, says it is important to keep track: "The first thing to remember is even if you are pushing your data out to another party to look after, the responsibility for protecting that data stays with you."
