Year of the cloud? Not until it can shield world's Mitnicks

We need to talk about Kevin

CEE Kevin Mitnick has a problem. As the world's number one hacker and the first to be sent to prison for hacking - a whopping sentence for his crimes - his website is an obvious target for script kiddies looking to make their mark.

Back in 2009, AT&T dumped Mitnick from its mobile services because, according to him, they couldn't secure his account. At the same time, his webhost HostedHere.net also decided to lose his custom after sustained attacks on his website took the site out twice and caused an outage for the provider.

"Kevin is a high-profile target," David Wykofka, IT director at HostedHere, said back then. "When vulnerabilities come out in third-party vendor software, he is one of the first targets on their list. This is just one of the perils of being Kevin Mitnick. If you're Barack Obama, you don't get webhosting at GoDaddy."

So you wouldn't really expect any of the much-vaunted, but still relatively fledgling, cloud service providers to be getting in on any Mitnick action, considering the difficulties of protecting him from the legions of itchy-fingered hackers just waiting to take down his site.

Which is no doubt the reason that FireHost CEO Chris Drake brings him up in his talk at Cloud Expo Europe (CEE). FireHost is expanding into Europe with data centres in London and Amsterdam and it wants to talk up its secure cloud hosting. And there's nothing like a good story about a celebrity hacker to make an impression.

"When we announced that we were hosting Kevin Mitnick, we had 40,000 hack attempts in one day, legitimate hack attempts," Drake tells The Register. But the hosting seems to be holding up, since Mitnick is willing to give the firm a testimonial in its marketing blumpf:

"I've made it clear to every hosting company that's ever approached me that protecting my sites from hackers is an extraordinary job. FireHost is the only secure hosting company able to show me that they actually do have the goods to get the job done," he's quoted as saying.

Drake said the cloud company has had all sorts of attacks on Mitnick sites, including social engineering attacks.

"We've had Kevin Mitnicks calling in with Russian and Chinese accents, speaking different languages, trying to fake that it's him [to get information]," Drake laughs.

The Mitnick story is all about the human factor, because that's where Drake sees the biggest threats for cloud security.

Security is a pain in the a**

Mostly people get hacked because they change the rules to make their lives easier or so that they can mess around with the programming.

"We protect Kevin from Kevin, because he's a programmer, he'll go into the server, play around and create vulnerabilities," Drake said. But with the regular folk, they change security protocols because they're a pain in the a**.

"Security is not convenient, you do interfere with lives and that kind of annoyance is really where the human factor starts kicking in and they try to bypass it," he said. "So they say, I'm the security person in charge and the CEO is really complaining, I'm going to do a special exception, because he/she is the CEO, right?"

Take two-factor authentication. Your bank account sends you out a wee calculator-looking thingy that's an authentication device, so when you sign into your bank online with your username and password, they send you a code that you also have to enter – that being the second factor of the authentication.

Which is great, as long as you always have the wee calculator-looking thingy with you. When you're in an airport in Guatemala and you get a text from British Gas telling you your bill is twice as high as you thought it was going to be (because clearly the family didn't listen to you telling them to economise on the heating while you're away) and the direct debit will be coming out in two days and you need to transfer some funds – not so handy.

Of course you don't have the wee calculator-looking thingy with you, and you now have to fight with a customer services representative over the phone for the privilege of handling your own money.

This is where security becomes an encumbrance that normal people will naturally work to get around.

A slightly better idea is to do the two-part authentication with mobile phones, as FireHost does, but even this has its issues.

Drake avoids the keypads and dongles of other providers and opts for sending the code to your phone, because he reckons your phone is something you always have on you and you'd know if it was missing. Which is true, but people do still change their numbers and getting their bank/security provider to believe the new number really is theirs usually takes time. Also, batteries run out, reception is not always guaranteed and for some reason, people often drop their phones into toilets.

Education, education, education

Security isn't easy for cloud companies, and that's one of the reasons that the much-hyped "year of the cloud" still hasn't happened.

"The cloud's growing at 40 per cent a year and that's incredible growth, especially in this economic environment. But until security and trust is happening, it won't be the year of the cloud," Drake said.

Jeffrey Samuels, chief marketing officer at GoGrid, agrees, but he thinks that the customer is the one that needs to build in security and redundancy.

"There's a misconception that I've put it in the cloud, it's all safe! It's going to be 100 per cent redundant, reliable, etc. It can be that, but you have to architect it that way," he told The Register at Cloud Expo.

"The cloud is not a product in itself, it is a means to build the right solution."

GoGrid is also expanding into Europe and also setting up its HQ and data centre in Amsterdam. The company provides infrastructure-as-a-service and lets the customer build its solutions on top.

Samuels also feels that the cloud's time has yet to come.

"I think it's the continued evolution of the cloud. You can see at a show like this, the market is still ridiculously small compared to the total addressable market."

The cloud may not be all it could be yet, but it's definitely growing. Bean-counters at Gartner said last week that a third of businesses were either already using or planning to use the cloud or software-as-a-service (SaaS) for core business intelligence functions.

"SaaS and cloud-based business intelligence is perceived as offering a quicker, potentially lower-cost and easier-to-deploy alternative, though this has yet to be proven," James Richardson, research director at Gartner, said.

"It’s evident that, despite growing interest, the market is confused about what cloud/SaaS BI and analytics are and what they can deliver."

It's a sentiment that a lot of the cloud firms at the Expo agree with - cloud can't really take off until more businesses are more educated about what it can do. Along with that whole security issue of course. ®
