Of Cumulus and Thunderheads
Concerns over the widespread adoption of cloud computing deepened after Michael Calce, alias ‘Mafiaboy’, a reformed black-hat hacker who brought down top e-retail Websites in 2000, warned in a recent webcast that the second coming of the hackers will be through cloud apps.
“The Internet will collapse as enterprises put all their information in a little sandbox, which is easier to access,” said Calce in his observation on the perils of cloud computing. Calce is not alone. Another big name in cyber security, Matthew Parrella, shares similar concerns about cloud computing.
“As companies accelerate their plans to distribute software and store their data on the Web, cyber criminals will follow this migration,” says Matthew Parrella, Chief, Computer Hacking and Intellectual Property Unit of the US Attorney’s Office.
Last April, several NeuStar customers including Amazon.com, SalesForce.com, advertising.com and Petco.com, were knocked offline for several hours by a Distributed Denial of Service (DDoS) attack. NeuStar is a major provider of high-availability DNS services to e-retailers as well as high-tech companies such as Oracle and Juniper. Without DNS, nothing works; no web, e-mail, VoIP, IM, file sharing, etc.
“Routing and DNS security threats in a cloud computing environment are quite common,” says Amit Nath, Country Manager, India and SAARC, Trend Micro. The situation is worsening with personal details going public in no time. For instance, early this month, a hacker gained access to the personal Web services accounts of Twitter co-founder Evan Williams and used that access to make off with a pile of confidential company documents. The hacker then distributed the information on the Web.
Companies like Amazon, Microsoft, Google, EMC, VMware, IBM, Sun, Dell, Akamai, SalesForce.com and NetSuite have emerged as some of the major players in the cloud computing space, with each trying to grab a piece of this emerging service model.
According to Merrill Lynch, the cloud computing market opportunity will amount to $160 billion by 2011, including $95 billion in business and productivity apps (e-mail, office, CRM, etc.) and $65 billion in online advertising.
Lack of transparency
The fact that the cloud computing model allows applications to be launched through the Internet makes it vulnerable to any form of attack. According to a few CIOs, enterprises should understand their IT ecosystem before they move their entire IT solutions or specific functions to a cloud model.
Initially, some enterprises would adopt this service as a test tool so that they could place their non-critical applications onto the cloud model before migrating mission-critical applications. “Since a cloud model is based on infrastructure sharing, security will remain a major concern for most CIOs.
Though service providers guarantee data security and regulatory compliance, it is the CIO who would be held up for any data breach. It will take at least a couple of years to adopt cloud computing within large enterprises,” says Rajendra Deshpande, CTO, Intelenet Global Services.
Gartner suggests that customers must demand transparency and avoid vendors that refuse to provide detailed information on security programs. CIOs should ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms.
“The next-generation cloud-client content security infrastructure is designed to protect customers from Web threats including data-stealing malware,” says Nath. Another concern for cloud security is the lack of standards on how data is secured and stored.
Many CIOs are of the opinion that IT buyers must have every right to understand a cloud provider’s operations and policies related to data integrity, recovery, backup and privacy, especially when data is stored across national boundaries.
“At present, there are no standards for cloud computing, but in the next one year, we hope that some standards would be in place as major players like Oracle, Google, Microsoft and Amazon have entered into this space with their offerings,” says Diptarup Chakraborti, Principal Research Analyst, Gartner.
From a security point of view, this means that enterprises should follow a security audit-like approach to ascertain if the cloud service provider is using all the necessary data protection controls. For example, if they are processing credit card details, it is important to find out if the cloud provider is following the payment card industry standard.
Focus on recovery too
Cloud computing security should not focus on prevention alone. Ample resources should also be devoted to recovery in case an unfortunate event strikes. Even before a disaster happens, certain plans have to be in place to ensure that data recovery is not affected. The plans do not have to be focused on software attacks alone; external disasters such as weather conditions should have separate recovery plans.
When everything has been recovered, developers and the company handling the application should have the means to investigate the cause of the problem. Through investigation, the conditions that led to the event can be identified and security weaknesses can be discovered. According to industry reports, the cloud is growing, and along with it the volume of emerging Web and email threats that can harm company servers, workstations, and networks.
Security experts predict over 25,000 new threats per hour by 2015, driving vendors to develop newer, faster paradigms to effectively protect their clients. “The security threats do not imply that enterprises should stay away from the cloud. It is the responsibility of the vendors to offer a secure platform and allow pilot tests to their offerings,” opines Chakraborti.
