That cloud computing is risky probably doesn’t surprise you. You hand off your data to someone else, and the cloud provider might hand it off to someone else, from whence it might go somewhere else. Little details -- like where it’s being stored, who’s touching it along the way, and what safeguards are being taken -- aren’t always clear.

“The most significant issue for cloud computing is the simple fact that data storage falls outside the control of a company’s security infrastructure,” says Larry Ponemon, founder of the Ponemon Institute, which specializes in information security practices and privacy risk management.

A New Mountain to Climb

"[T]he cloud” has a big target painted on its side. For certain types of hackers, it’s an opportunity for new exploits, a new wall to climb, the thrill of sneaking into the servers of a very huge company. For other types, there’s the potential for a big data score. “Sophisticated cybercriminals are likely to see more value in cracking the cloud, which might contain data from a wide range of organizations,” Ponemon says.

You don’t see confirmed detailed reports, but cloud providers are attacked routinely. “Attacks are getting much more sophisticated, and more numerous,” says the CEO of one cloud services provider. “I can watch the firewall and sometimes there are a thousand probes a day into the grid infrastructure. I talk to other ISPs and hear that this is not uncommon. If you have an unprotected machine in the datacenter, it will be compromised within 10 minutes.”

“In the cloud or grid, everybody’s in the same datacenter, and this makes the security situation much worse than in a traditional environment,” says Dave Durkee, CEO of ENKI, a cloud services and virtual datacenter provider. “Everybody’s in the soup together. Cloud providers have to understand the threats and build better defenses. Too many cloud services today give their customers a software firewall and that’s it. Certain types of attacks can overwhelm a software firewall easily.”

 “Cloud is almost synonymous with shared,” says John Engates, chief technology officer for Rackspace, the big IT systems hosting company with its own cloud division, Mosso. “Historically, shared has been a bad word in hosting and IT. Shared meant that you had only logical (software) security boundaries between customers and companies rather than the traditional physical boundaries you get with dedicated gear.” He added that today’s virtualization technologies have helped to mitigate certain security and resource-contention issues.

One of the biggest problems of that shared space is sharing resources from the communal pool. Companies who store files in the cloud need to be concerned about data leakage, says Craig Balding, technical security lead for a Fortune 500 company and a man so concerned about cloud security he started cloudsecurity.org. “Cloud storage gets recycled. The storage you freed an hour ago becomes my storage when I write my files,” Balding says. “The published API calls for cloud storage are pretty high-level … thus, on the surface, the opportunity for abuse, for devious data recovery, seems low. However, my gut feeling is that there will be incidents of data leakage -- through tricky or undocumented API usage or simply through failures of isolation. This will get solved over time, but there will be casualties.” 

Dominique Levin, executive vice president of marketing and strategy for LogLogic, which makes network management/surveillance tools, says “there is nothing unique about cloud computing from a security point of view.” But don’t take a lot of comfort in that sentiment. “The consequences of a security breach could be much more severe when the data of many customers is aggregated in the cloud,” Levin says. “Rather than just impacting one organization, a security breach at a cloud provider could potentially impact many customers. This in itself attracts more accidental hackers and organized crime. … It may also be more tempting for rogue employees to monetize some of their legitimate access to customer data.”

Mihai Christodorescu, a researcher in computer security at IBM’s TJ Watson Research Center (who does not speak for IBM), says he sees two significant issues around cloud computing: (1) “[t]he provider has unlimited, unauthenticated and unaudited access to the data of a cloud computing customer”; and (2) “[m]ultitenancy: cloud-computing providers often aggregate multiple customers onto the same physical machines, possibly exposing customers' data to each other.”

And don’t forget the classic security gap: human error. “The hackers from Uzbekistan get the most press, but what we see in our monitoring is that 98 percent of security breaches are human error,” says Tamar Newberger, vice president of marketing for Catbird, a provider of monitoring and management tools for virtual and physical networks. “I can’t tell you how many times we see SSL certificates that have expired. Letting your SSL certificates expire is alarming. You have to make sure your security model for the cloud is sensitive to human error.”

Who? Where?

When you store data in the cloud, you don’t really know where it’s being stored. It could be in a datacenter on the other side of the country, it could be in another country. While this might not be a security concern for some cloud users, companies governed by certain federal data requirements, such as HIPAA and Sarbanes-Oxley, will need to know where their data is physically located.

“Enterprises considering using the cloud are less concerned about getting hacked than about auditing and compliance requirements,” says Thorsten von Eicken, chief technology officer at RightScale, a company that helps customers run and manage scalable applications on Amazon Web Services. “They want to make sure the cloud provider understands and can assist with these audits.”

As for who is handling or has access to your valuable data, you won’t necessarily know. Your provider might seem totally reliable, but who are they relying on? This reliance on lower-level providers -- what Balding calls “outsourcing of trust” -- is a “potential landmine.” “Layered cloud services rely on lower levels to function correctly,” he explains. “As a high-level cloud service provider, my security rests on the layer below me. What due diligence did I do?  How accurate is my understanding of their security?  Do I just 'trust' what they tell me?”

Virtual Problems

The virtual machines that populate the cloud carry the same dangers as their metal-and-plastic counterparts. “A virtual machine, after all, is just a virtualized version of a physical machine, with all the same risks. You have to assess the risks and take precautions,” says Catbird's Newberger.

But the virtual environment does raise two significant concerns, she says: (1) it can be very easy for a person to launch rogue machines into the network; and (2) because there apparently have been no successful compromises yet, the hypervisor that controls the environment is “a juicy target for hackers.”

The hypermobility of VMs also raises complications. What if regulated data is migrated to an unprotected rack? What about a machine image that’s been lying in some obscure location in the cloud, can you be sure it’s secure when it reappears on the network? Does it have the latest patches?

Just the Beginning

Nearly everyone interviewed for this astory pointed out that these are “the early days” of cloudward migration and that new threats and new defenses will develop. “Despite security issues, cloud computing is cheap, efficient, and likely to grow in importance over the next few years,” security expert Ponemon says. “Companies need to find ways to enjoy the benefits of cloud computing without sacrificing too much control over security.”

“To really take the cloud to where it can go, and to increase the value it can give customers, cloud service providers need to get much more serious about protecting cloud assets of their clients,” ENKI’s Durkee says. “They need to offer the same security services they'd have in their own datacenter. It has to improve, but people will have to first go into a loss state or a fear state -- they'll have to lose something or fear something.”