Recent Cloud critics, including Wozniak, intensify debate

A variety of service providers have come out passionately defending their industry

Cloud computing has taken some heat this week. First, over the weekend Apple co-founder and tech icon Steve Wozniak said he's worried about the "horrendous" problems cloud computing could cause as users yield control of their data to service providers.

Then, early this week, Mat Honan, a reporter at Wired magazine, revealed how hackers manipulated the customer service departments of Apple and Amazon to ultimately compromise his Google and Twitter accounts. This led to the loss of all of his personal and professional data and to bigoted updates being posted from his social media accounts. In a gut-wrenching first-hand account of the incident, Honan warns of a "looming nightmare" stemming from "vital security flaws" that exist in the cloud computing industry.

But what exactly is the problem Wozniak is warning about, and who was really at fault in Honan's situation? In response to the flurry of criticism of the cloud, a variety of service providers have come out passionately defending their industry, pointing out that the cloud can potentially be a haven for hackers, but that if architected properly with the right protections in place, it can be as safe as users make it.


"We have to respectfully disagree with Mr. Wozniak," says Rob May, CEO of Backupify, which provides a secondary backup solution for cloud users. Wozniak's criticism centers around the idea that users cede control of their data when they ship it off to a cloud provider. May says there's an easy solution to that: Keep a second copy of your data with another provider, or use a federated approach to avoid putting all your eggs in one basket.

Others say controlling your data isn't about backing it up, it's about encrypting it. "Use of an encryption gateway ... provides an ideal way for people to control their data from a security, privacy and data residency standpoint," says Kevin Bocek, VP of marketing for CipherCloud, arguing that, to address Wozniak's concerns, data needs to be not just backed up but encrypted so that no one else can access it.

Mark O'Neill, CTO of cloud broker Vordel, says there's another simple solution: Perhaps a company's most sensitive data may not be ready to be put up into the cloud yet. Companies can selectively choose which data is stored in the cloud, allowing users to "hedge your investments," he says.

The back-and-forth between the cloud critics and the cloud defenders is only natural. Ultimately, the fundamental arguments made by both Wozniak and Honan are about trust, which are "absolutely legitimate concerns," says Andi Mann, vice president of strategy for CA Technologies. "The cloud is not magic," Mann reminds users, noting that it still requires a plan on the end user's part to ensure the systems are secured effectively.

The move to a cloud-computing dominated IT is a slow and steady process that is still in its early days. Think back, Mann says, to a decade ago when consumers and businesses would have thought online banking would not be safe, and today it's commonplace. But many CIOs are still concerned about the public cloud, reinforcing Wozniak's point. If a business hosts sensitive data in the cloud and its provider has a breach, that's a problem the customers will end up dealing with. It's up to the end users to put protections in place themselves when using the cloud, Mann says.

The takeaway is that Honan's incident and the ensuing criticisms stem from basic human error and a lack of common sense by both customer service support staff at major companies and end users, says Alan Shimel, managing partner at The CISO Group. Honan describes how the perpetrators allegedly socially engineered the attack by gaining access to his accounts and resetting his passwords through a customer service representative. Honan himself even admits that he could have had more hardened security and backup procedures in place.

Shimel isn't buying all of the solutions cloud service providers are offering. "Federating across multiple providers won't stop a disaster," he says, noting that Honan had multiple accounts hacked simultaneously. And if cloud service providers hold the keys to the encryption code, then the encryption is worthless, he says.

It comes down to users applying common security sense and providers eliminating the human and process errors that allow hackers to exploit users. Reports this week indicate that Amazon and Apple have amended their security practices, particularly related to password security in customer service calls.

If a hacker can call into Amazon and get a password reset by answering questions that could be found out about a person on the Internet or through a five-minute conversation with them at a bar, there is something wrong with the system in general, Shimel says. "We need to move beyond passwords," he says. One step, on the personal cloud computing end, is to use two-factor authentication, as Shimel argues in a recent blog post. That is ultimately a protection end users put in place themselves, rather than relying on their providers to do it for them.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at and found on Twitter at @BButlerNWW.
