Lyons: Why Cloud Computing Isn't So Secure

We're all moving to the clouds—that's what tech pundits keep telling us. By this they mean cloud computing, a system in which we store data on remote servers rather than on our desktop computers. The cloud offers some advantages, chief among them the fact that you don't have to keep track of which files are on your personal MacBook Pro and which ones are on the Dell at the office. But there is one big, glaring problem with cloud computing, and it just got laid bare in Google's recent problems with China: your stuff isn't safe.

Google insists that cloud computing is perfectly secure. But of course Google says that—it's trying to build a business out of it. The company sells a suite of online programs called Google Apps, including a word processor and a spreadsheet, which store users' data on its servers. It pitches Apps as a better and cheaper alternative to Microsoft's Office suite. Google also pushes Gmail as a cheaper and better solution than running your own e-mail servers.

But if Google is so secure, how come Chinese hackers broke into its corporate servers and stole its intellectual property? Google won't say exactly what information got filched, but if the company can't protect its own intellectual property, how can it protect yours? A corporate spokesman claims the attacks have made customers more confident in Google: "We've spoken to many of our largest Apps customers, and they were pleased not only with our ability to handle such a sophisticated attack but also with the transparency we provided."

Pretty much every big tech shop wants a piece of the cloud. Google has already won over more than 2 million businesses, including Motorola and the City of Los Angeles. IBM, EMC, and Oracle have cloud initiatives. Amazon operates a booming cloud-computing business called Amazon Web Services. Microsoft and HP are pushing cloud computing too, announcing a $250 million initiative on Jan. 14.

The idea is that these tech giants will rent out computer power and data—storage capacity over the Internet. That way companies won't have to run their own data centers anymore and instead will purchase IT services the way they buy electricity from a utility. That comparison between electricity and IT (at one time every company ran its own power plant, but then they moved to centralized utilities) has been the overarching metaphor for cloud computing, promoted in books like The Big Switch by tech pundit Nicholas Carr.

Carr is a brilliant guy, but there is one obvious problem with his analogy: information is not at all like electric power. Electricity is a cheap, dumb commodity. Nobody wants to steal your electricity, and even if someone did, who cares? Information, on the other hand, may be the most precious thing your company has.

Carr argues that while Google and other cloud providers can't guarantee perfect security, they probably do a better job of fending off hackers than most companies can do on their own. On the other hand, Carr says, pooling millions of companies into a single big provider creates bigger individual targets. A hacker who cracks into a cloud can get at everybody's stuff. Ironically, in a messy, fragmented system where every company runs its own data center and uses its own mix of protection schemes, the messiness and fragmentation could be a form of protection in and of themselves.

Google Apps has already proved to be easily cracked. Twitter was keeping top-secret internal documents on Google Apps and last year got hacked by someone who leaked the documents to a tech blog, which published some of them, including embarrassing boasts and future growth projections. Sadly, the attack wasn't even difficult to pull off. Someone just got into the personal e-mail account of a Twitter administrative employee and from there learned how to gain access to Twitter's documents on Google Apps. Twitter says the breach was its fault, not Google's. But the episode did not build confidence.

When Google insists its cloud service is safe, it's worth keeping in mind that Google has a history of saying whatever suits its needs at the moment—another fact that has been made clear by the China imbroglio. Back in 2006, Google said going along with China's censorship demands was the right thing to do. Today it says censorship is evil.

These are the guys you should trust with your company's most precious assets? After the China fiasco, some companies may start thinking twice.

Daniel Lyons is also the author of Options: The Secret Life of Steve Jobs and Dog Days: A Novel.