Year of the cloud? Not until it can shield world's Mitnicks

We need to talk about Kevin

CEE Kevin Mitnick has a problem. As the world's number one hacker and the first to be sent to prison for hacking - a whopping sentence for his crimes - his website is an obvious target for script kiddies looking to make their mark.

Back in 2009, AT&T dumped Mitnick from its mobile services because, according to him, they couldn't secure his account. At the same time, his webhost HostedHere.net also decided to lose his custom after sustained attacks on his website took the site out twice and caused an outage for the provider.

"Kevin is a high-profile target," David Wykofka, IT director at HostedHere said back then. "When vulnerabilities come out in third-party vendor software, he is one of the first targets on their list. This is just one of the perils of being Kevin Mitnick. If you're Barack Obama, you don't get webhosting at GoDaddy."

So you wouldn't really expect any of the much-vaunted, but still relatively fledgling, cloud service providers to be getting in on any Mitnick action, considering the difficulties of protecting him from the legions of itchy-fingered hackers just waiting to take down his site.

Which is no doubt the reason that FireHost CEO Chris Drake brings him up in his talk at Cloud Expo Europe (CEE). FireHost is expanding into Europe with data centres in London and Amsterdam and it wants to talk up its secure cloud hosting. And there's nothing like a good story about a celebrity hacker to make an impression.

"When we announced that we were hosting Kevin Mitnick, we had 40,000 hack attempts in one day, legitimate hack attempts," Drake tells The Register. But the hosting seems to be holding up, since Mitnick is willing to give the firm a testimonial in its marketing blumpf:

"I've made it clear to every hosting company that's ever approached me that protecting my sites from hackers is an extraordinary job. FireHost is the only secure hosting company able to show me that they actually do have the goods to get the job done," he's quoted as saying.

Drake said the cloud company has had all sorts of attacks on Mitnick sites, including social engineering attacks.

"We've had Kevin Mitnicks calling in with Russian and Chinese accents, speaking different languages, trying to fake that it's him [to get information]," Drake laughs.

The Mitnick story is all about the human factor, because that's where Drake sees the biggest threats for cloud security.

Security is a pain in the a**

Mostly people get hacked because they change the rules to make their lives easier or so that they can mess around with the programming.

"We protect Kevin from Kevin, because he's a programmer, he'll go into the server, play around and create vulnerabilities," Drake said. But with the regular folk, they change security protocols because they're a pain in the a**.

"Security is not convenient, you do interfere with lives and that kind of annoyance is really where the human factor starts kicking in and they try to bypass it," he said. "So they say, I'm the security person in charge and the CEO is really complaining, I'm going to do a special exception, because he/she is the CEO, right?"

Take two-factor authentication. Your bank account sends you out a wee calculator-looking thingy that's an authentication device, so when you sign into your bank online with your username and password, they send you a code that you also have to enter – that being the second factor of the authentication.

Which is great, as long as you always have the wee calculator-looking thingy with you. When you're in an airport in Guatemala and you get a text from British Gas telling you your bill is twice as high as you thought it was going to be (because clearly the family didn't listen to you telling them to economise on the heating while you're away) and the direct debit will be coming out in two days and you need to transfer some funds – not so handy.

Of course you don't have the wee calculator-looking thingy with you, and you now have to fight with a customer services representative over the phone for the privilege of handling your own money.

This is where security becomes an encumbrance that normal people will naturally work to get around.

A slightly better idea is to do the two-part authentication with mobile phones, as FireHost does, but even this has its issues.

Drake avoids the keypads and dongles of other providers and opts for sending the code to your phone, because he reckons your phone is something you always have on you and you'd know if it was missing. Which is true, but people do still change their numbers and getting their bank/security provider to believe the new number really is theirs usually takes time. Also, batteries run out, reception is not always guaranteed and for some reason, people often drop their phones into toilets.

Education, education, education

Security isn't easy for cloud companies, and that's one of the reasons that the much-hyped "year of the cloud" still hasn't happened.

"The cloud's growing at 40 per cent a year and that's incredible growth, especially in this economic environment. But until security and trust is happening, it won't be the year of the cloud," Drake said.

Jeffrey Samuels, chief marketing officer at GoGrid, agrees, but he thinks that the customer is the one that needs to build in security and redundancy.

"There's a misconception that I've put it in the cloud, it's all safe! It's going to be 100 per cent redundant, reliable, etc. It can be that, but you have to architect it that way," he told The Register at Cloud Expo.

"The cloud is not a product in itself, it is a means to build the right solution."

GoGrid is also expanding into Europe and also setting up its HQ and data centre in Amsterdam. The company provides infrastructure-as-a-service and lets the customer build its solutions on top.

Samuels also feels that the cloud's time has yet to come.

"I think it's the continued evolution of the cloud. You can see at a show like this, the market is still ridiculously small compared to the total addressable market."

The cloud may not be all it could be yet, but it's definitely growing. Bean-counters at Gartner said last week that a third of businesses were either already using or planning to use the cloud or software-as-a-service (SaaS) for core business intelligence functions.

"SaaS and cloud-based business intelligence is perceived as offering a quicker, potentially lower-cost and easier-to-deploy alternative, though this has yet to be proven," James Richardson, research director at Gartner, said.

"It’s evident that, despite growing interest, the market is confused about what cloud/SaaS BI and analytics are and what they can deliver."

It's a sentiment that a lot of the cloud firms at the Expo agree with - cloud can't really take off until more businesses are more educated about what it can do. Along with that whole security issue of course. ®
