Photo credit: A. Dombrowski/Flickr

The cloud remains a double-edged sword. Its main appeal also represents its greatest drawback - the storage of all of a company's data, information and files in one centralised system which is accessible from anywhere via the Internet and on a wide range of devices. While this is an extremely attractive prospect for businesses, it is also a potential goldmine for hackers.

Just this week Nokia joined the ever growing list of big name companies who have fallen victim of hackers. In April of this year Sony's PlayStation Network was hacked, too, with around 77 million customer accounts being compromised. The private information of these users was left open to access, tampering and theft while the users themselves were left completely in the dark over the system's breach.

But Sony had to fess up. If it didn't, it would have faced even more of a PR crisis than it had on its hands anyway.

But how did it happen?

It is thought, although important to note that it hasn't been proved, that the hackers may have used Amazon's cloud services, through which they were able to tap into the cloud-based systems of other organisations. In other examples it can be a case of breaking through security barriers with passwords to get inside an organisation's centralised storage system.

The threat of such breaches remains a major obstacle for government departments considering entering the cloud. The idea that their highly sensitive data could be accessed by outsiders will more than likely keep many intelligence and defence organisations out of the cloud for a little while yet.

In The Cloud Circle's recent survey for the 1st Industry Trends Report, 65 per cent of enterprises expressed that security was their primary cloud concern. The breaches of such high profile companies as Sony and US government departments will only have exacerbated those concerns.

In May of this year Reuters wrote an article which warned that “some businesses are rethinking plans to move to cloud-based computer systems” as a result of these high profile hackings. When even the big players in the cloud computing community are having their private files and data hacked into, why would a business risk exposing their own sensitive information to the same treatment?

The hackers

So who is committing these acts of cyber crime? And why?

One of the computing world's most notorious and high profile hacking groups, Lulz Security, or LulzSec, has claimed responsibility for many of the most high profile hackings over the past few years. Its list of victims includes Nintendo, the CIA and the US Senate. But as for its objective, bragging rights and a sense of 'sticking it to the man' seems to be the only logical conclusion. Despite prying its way into very valuable data and information, the group did seemingly little once inside.

“Vigilantes? Nope. Cyber terrorists? Nope. We have no political motives - we do it for the lulz,” the group Tweeted recently (lulz being Internet lingo meaning to laugh at the expense of others).

The other most prominent group of hackers in recent years is a group known, conveniently enough, as Anonymous. Whereas LulzSec claims to motivated by how humorous it finds exposing security deficiencies, Anonymous aims to initiate active disobedience across the Internet. Anonymous is a different breed of hacker group in that sense. Commonly known as 'hacktivists', the group is motivated by its moral and ethical convictions which it aims to defend by targeting those who threaten them. Attacks on the payment systems of the likes of Mastercard, Visa and Amazon have all been attributed to Anonymous.

This is not to say, of course, that all hackers are acting out of an anarchical sense of humour or an over-active moral compass rather than personal or financial gain. There are obviously many things that can be gained by getting your peepers on a company's sensitive information and files, both in terms of intelligence and the potential financial benefits.

The hacked

In June this year the hotel chain Travelodge admitted that its customer database, stored on the cloud, had been hacked and that customer information had been compromised. Customers reported receiving spam email after booking with the company. Travelodge later sent an email apologising for this security breach.

In a statement, Guy Parsons, Travelodge chief executive, wrote: “Our main priority is to ensure the security of our customers’ data, which is why I wanted to make you aware that a small number of you may have received a spam email via the email address you have registered with us. Please be assured we have not sold any customer data and no financial information has been compromised.

“The safety and security of your personal information is of the utmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.”

The Travelodge example is relatively typical of incidents of cloud hacking. The hackings of companies like Sony and Amazon followed similar patterns. Their stored data was accessed by what were clearly some highly competent hackers and information was compromised but when it came to tracing the culprit, or culprits as is more likely the case, there appears to have been little progress. What the breaches will have done, however, is bring about a retrospective exploration of each company's own security measures.

So why the cloud?

While writing this feature I spoke with Raj Samani, Strategic Advisor of the Cloud Security Alliance (CSA), about the threat of hackers to cloud security. He explained that the main issue when it comes cloud security is “a lack of transparency.” In short, companies simply don't know where their data is being stored. “Unlike when you store you files and data on site,” he said, “you can't just go downstairs in your offices and see the security guard sat outside your server or the key cards you need to gain access to that room.”

People like the peace of mind of knowing exactly where their data is being held and what safety measures are in place. This is just not a practical option when it comes to cloud security. That should not to deter people from taking the leap into the cloud, though. Ultimately, your data is still at risk of security breaches whether it is stored inside or outside the cloud, albeit in different ways.

Raj Samani used the analogy of banking to show the pros and cons of cloud computing. Some people will always feel safer having their money stowed away under their mattress, he explained. But most would realise that it is safer and far more practical to have it saved in a bank. No, you may not be able to trace the exact location of your money but you able to access it from any location, whether it be through the bank's branches, cash machines or online.

The flip-side of this is that when many people are storing their data in one centralised location then the hacker can access a massive pool of files at once. So although your company's information may not be the target it could still be compromised if the server it's stored on was accessed while the hacker was hunting for another company's flies and data.

One of the major problems that the cloud faces, because of the speed at which it is growing, is that the legislation is simply not able to keep up. There are no international laws in place to safeguard against breaches of the cloud. Instead, data stored on the cloud is subjected to constantly changing rules and regulations depending on where it is being accessed or stored. This geographical nightmare makes acts like the EU and US Safe Harbour Act particularly important – this is the closest thing in existence to legislative protection for data crossing international boundaries. The safe harbour act is, however, still not enough and more far reaching measures need to be introduced.

Firm and concrete laws will, Raj Samani hopes, soon be implemented for the cloud. It is something that the CSA are striving towards and hacker groups, like Anonymous and LulzSec, are merely reaffirming the need for this cloud security evolution.

The result

With cloud computing still in its relative infancy, security issues are an unwanted yet inevitable problem that must be overcome. Only with time and experience will cloud providers be able to build and develop systems which prove thorough enough to keep the hackers at bay.

But the hackers themselves should not be too quickly lambasted as the devil incarnate. Though any company which has had its private data accessed will have every right to feel more than a tad aggrieved, the bi-product of these acts of cyber crime is more stringent security measures.

'If it ain't broke, don't fix it', is how the old motto goes. Well, most people would have a hard time arguing that the cloud's security measures aren't broken and the hackers only help to highlight where, and in what ways, the system needs improving.

The threat from hackers to a company's private and sensitive information stored on the cloud will linger on for some time yet, that much seems clear even in the eyes of the most optimistic amongst us. There is cause for hope, however. With the cloud growing all the time, the demand for improved security will catalyse progress. It comes as no surprise, therefore, that companies such as Microsoft and Google make security an absolute priority of their respective cloud services.

Like Darwinism in action, cloud security will certainly evolve and improve as people come to grips with the challenges it faces. Likewise, the hackers and cyber criminals, too, will adapt and become more advanced. This game of cat and mouse will go on but those looking to make the transition into the cloud must not allow for security fears to blight their progress. Yes, the threat from hackers is there. But it seems, and as all signs would suggest, this is a case where the pros greatly outweigh the cons.