Year of the cloud? Not until it can shield world's Mitnicks
We need to talk about Kevin
CEE Kevin Mitnick has a problem. As the world's number one hacker and the first to be sent to prison for hacking - a whopping sentence for his crimes - his website is an obvious target for script kiddies looking to make their mark.
Back in 2009, AT&T dumped Mitnick from its mobile services because, according to him, they couldn't secure his account. At the same time, his webhost HostedHere.net also decided to lose his custom after sustained attacks on his website took the site out twice and caused an outage for the provider.
"Kevin is a high-profile target," David Wykofka, IT director at HostedHere said back then. "When vulnerabilities come out in third-party vendor software, he is one of the first targets on their list. This is just one of the perils of being Kevin Mitnick. If you're Barack Obama, you don't get webhosting at GoDaddy."
So you wouldn't really expect any of the much-vaunted, but still relatively fledgling, cloud service providers to be getting in on any Mitnick action, considering the difficulties of protecting him from the legions of itchy-fingered hackers just waiting to take down his site.
Which is no doubt the reason that FireHost CEO Chris Drake brings him up in his talk at Cloud Expo Europe (CEE). FireHost is expanding into Europe with data centres in London and Amsterdam and it wants to talk up its secure cloud hosting. And there's nothing like a good story about a celebrity hacker to make an impression.
"When we announced that we were hosting Kevin Mitnick, we had 40,000 hack attempts in one day, legitimate hack attempts," Drake tells The Register. But the hosting seems to be holding up, since Mitnick is willing to give the firm a testimonial in its marketing blumpf:
"I've made it clear to every hosting company that's ever approached me that protecting my sites from hackers is an extraordinary job. FireHost is the only secure hosting company able to show me that they actually do have the goods to get the job done," he's quoted as saying.
Drake said the cloud company has had all sorts of attacks on Mitnick sites, including social engineering attacks.
"We've had Kevin Mitnicks calling in with Russian and Chinese accents, speaking different languages, trying to fake that it's him [to get information]," Drake laughs.
The Mitnick story is all about the human factor, because that's where Drake sees the biggest threats for cloud security.
Security is a pain in the a**
Mostly people get hacked because they change the rules to make their lives easier or so that they can mess around with the programming.
"We protect Kevin from Kevin, because he's a programmer, he'll go into the server, play around and create vulnerabilities," Drake said. But with the regular folk, they change security protocols because they're a pain in the a**.
"Security is not convenient, you do interfere with lives and that kind of annoyance is really where the human factor starts kicking in and they try to bypass it," he said. "So they say, I'm the security person in charge and the CEO is really complaining, I'm going to do a special exception, because he/she is the CEO, right?"
Take two-factor authentication. Your bank account sends you out a wee calculator-looking thingy that's an authentication device, so when you sign into your bank online with your username and password, they send you a code that you also have to enter – that being the second factor of the authentication.
Which is great, as long as you always have the wee calculator-looking thingy with you. When you're in an airport in Guatemala and you get a text from British Gas telling you your bill is twice as high as you thought it was going to be (because clearly the family didn't listen to you telling them to economise on the heating while you're away) and the direct debit will be coming out in two days and you need to transfer some funds – not so handy.
Of course you don't have the wee calculator-looking thingy with you, and you now have to fight with a customer services representative over the phone for the privilege of handling your own money.
This is where security becomes an encumbrance that normal people will naturally work to get around.
A slightly better idea is to do the two-part authentication with mobile phones, as FireHost does, but even this has its issues.
Drake avoids the keypads and dongles of other providers and opts for sending the code to your phone, because he reckons your phone is something you always have on you and you'd know if it was missing. Which is true, but people do still change their numbers and getting their bank/security provider to believe the new number really is theirs usually takes time. Also, batteries run out, reception is not always guaranteed and for some reason, people often drop their phones into toilets.
Education, education, education
Security isn't easy for cloud companies, and that's one of the reasons that the much-hyped "year of the cloud" still hasn't happened.
"The cloud's growing at 40 per cent a year and that's incredible growth, especially in this economic environment. But until security and trust is happening, it won't be the year of the cloud," Drake said.
Jeffrey Samuels, chief marketing officer at GoGrid, agrees, but he thinks that the customer is the one that needs to build in security and redundancy.
"There's a misconception that I've put it in the cloud, it's all safe! It's going to be 100 per cent redundant, reliable, etc. It can be that, but you have to architect it that way," he told The Register at Cloud Expo.
"The cloud is not a product in itself, it is a means to build the right solution."
GoGrid is also expanding into Europe and also setting up its HQ and data centre in Amsterdam. The company provides infrastructure-as-a-service and lets the customer build its solutions on top.
Samuels also feels that the cloud's time has yet to come.
"I think it's the continued evolution of the cloud. You can see at a show like this, the market is still ridiculously small compared to the total addressable market."
The cloud may not be all it could be yet, but it's definitely growing. Bean-counters at Gartner said last week that a third of businesses were either already using or planning to use the cloud or software-as-a-service (SaaS) for core business intelligence functions.
"SaaS and cloud-based business intelligence is perceived as offering a quicker, potentially lower-cost and easier-to-deploy alternative, though this has yet to be proven," James Richardson, research director at Gartner, said.
"It’s evident that, despite growing interest, the market is confused about what cloud/SaaS BI and analytics are and what they can deliver."
It's a sentiment that a lot of the cloud firms at the Expo agree with - cloud can't really take off until more businesses are more educated about what it can do. Along with that whole security issue of course. ®