Microsoft announced that data contained within its Business Productivity Online Suite (BPOS) has been downloaded by non-authorized users, possibly making it the first major cloud-based data breach.
You'd better get used to this kind of thing because we'll be seeing a lot more of it in the future. All any of us can do is pray we're not a victim.
The knee-jerk reaction might be to blame hackers, but that's not so here. The breach was down to an unspecified "configuration issue" in Microsoft's data centers in the United States, Europe and Asia. The Offline Address Book component of BPOS, which contains business contact information, was made available to non-authorized users in "very specific circumstances," according to Clint Patterson, the poor guy at Microsoft who's having to apologize for the mistake.
The problem was fixed two hours after being discovered (how long was it open before that?), and to Microsoft's credit it has tracking facilities in place that allow it to clean up the mess by contacting those who downloaded the wrong data.
However, the whole affair will feel like a stomach punch for anybody considering cloud adoption in the coming year--especially those considering Office 365, Microsoft's major cloud offering that ties into its Office suite. As far as I can see, there are three basic threats that could lead to data leakage when it comes to cloud computing offerings from any vendor:
1. Misconfiguration of cloud service software, or bugs within the software; 2. Hackers stealing data, for fun or profit; 3. Employees being careless with data.
The third issue is nothing new, and employees with access to any sensitive data have always had the opportunity to pass it accidentally on to the wrong people. Think about all those e-mail disasters where the wrong attachment was sent, or where e-mails were accidentally forwarded to the wrong parties. Mix humans and computers together, and there will always be issues.
However, cloud computing presents unique opportunities to mess up royally. Many cloud services make it very easy to share data with either individuals or the entire Internet. This is part of the reason cloud services exist; they allow collaborative working. You can guess what might happen. It's late at night and a tired employee intends to share "Invite to Xmas party" with the world, but accidentally clicks the share button on the "Quarterly accounts 2010" document. What procedures are in place to monitor these kind of shares? Would it really be the case that the first you heard of it was when one of your clients held back the giggles and politely informed you?
Misconfiguratons and bugs are perhaps a minor concern because, hopefully, cloud software goes through massive testing before it's unleashed. And software companies never, ever make release buggy releases. Right?
Let's move quickly on.
The threat from hackers is undoubtedly the biggest concern. Hackers are the most intelligent and devious people on the planet. Nothing will stop them. Even hackers who aren't that intelligent or devious can cause a lot of trouble.
Having your data on your own servers, on your own premises, presented a physical barrier to hackers. Some hackers overcame even this, of course (Just Google the social engineering exploits of Kevin Mitnick), but mostly the situation was safe by design.
Encryption isn't the final word. Even encrypted data has a history of being compromised, usually due to bugs in the encryption software.
All of this means that, if your business is going to put data into the cloud, you will have to factor in the very real possibility it will be made public at some point. It will happen. It's just a matter of when, and what damage will be caused. It would be interesting to visit the offices of Microsoft, Google, and others to see if they eat their own dog food: Does Google rely on Google Docs for all of its hypersensitive business data? Somehow I suspect not, although I look forward to being proved wrong. There are laws in place covering data breaches, requiring companies to enforce reasonable security systems, but none of that amounts to a hill of beans once the data has escaped the cloud. And should stolen data be turned into a bit torrent, as appears to be the fashion at the moment, there's absolutely no chance of discreetly cleaning up by getting the data back from those who stole it.
So many issues hang over cloud take-up that it's hard to believe that some are referring to 2011 as the year cloud computing becomes mainstream.
