When Steve Jobs walked onstage last week to introduce the iCloud, the feeling of anticipation was palpable. Apple's version of "the cloud," he said, would "demote the PC" and usher in the next big revolution.
Jobs said nothing about the cloud-based computing revolution that is already under way — the one taking place in the company boardroom and IT department. Google, Amazon and IBM, among others, are serving a burgeoning market for business-oriented cloud services, which offer corporate clients the promise of cost savings and new capabilities.
Experts, however, have concerns for businesses moving to place their sensitive data in the cloud. It's still vulnerable to crashes and attacks and is likely to open up a whole new realm of legal problems.
Simply put, the cloud allows the storage and retrieval of information from a remote server via a network, rather than an individual PC. The advantages include on-demand network access to information by way of PCs, tablets, smartphones and other computing devices. The idea is not entirely new — web-based email systems such as Hotmail, which has been around for years, can be thought of as a use of the cloud.
Eugene Spafford, a computer science professor who specializes in cybersecurity at Purdue University, said all the hype has obscured a dangerous disconnect.
"Many of the cloud providers are saying that the security of the data is up to the customer. They're just providing the spinning disk and the hardware, whereas the customers are thinking that the cloud provider is going to be providing extra security," Spafford said.
"That's going to have to evolve or we're going to see some really big disasters," he said.
Disasters In the Making?
You don't have to look far for examples of such disasters. Two years ago, Google Apps — which include the widely used Google Docs and Google Calendar, as well as Gmail for Business — was attacked. A hacker reportedly obtained hundreds of documents pertaining to Twitter's business affairs that the social media provider had stored in Google Apps.
More recently, Amazon's Web services went down after a "configuration error" that occurred during a network upgrade crashed its system. It took five days to restore vital service to the social media sites Foursquare, HootSuite and Reddit, virtually shutting them down in the interim.
The outages have highlighted some of the dangers of cloud-based computing. Last week's attack on Citigroup wasn't a cloud hack (nor was it the first time Citi has been the target of hackers), but the exposure of 200,000 North American credit card accounts serves as a stark reminder of just what is at stake.
While CitiGroup and other large companies are likely to opt for their own private cloud, for smaller companies, the pull of cloud services provided by a third party is strong, especially as they look to save money on IT in the middle of a recession
It's a case of short-term savings causing businesses to overlook the long term, Spafford says.
Despite his skepticism, though, Spafford acknowledges the vast potential of cloud-based computing. He says that smaller companies that "make good choices" could actually wind up with more secure data as a result. He reasons that many of these firms lack the resources to secure and back up their data and that placing it with a responsible third party might be the best option.
Data storage and the need to install applications on every computer costs businesses billions of dollars every year. The cloud promises to do away with those costs.
That's helped drive what the technology consultancy the Gartner Group estimates will be a $150 billion business by 2013.
According to a survey published last month by The Open Group, an IT consortium, that cost efficiency is the biggest factor driving the move to the cloud, while security is the No. 1 concern. Of the IT professionals surveyed, 82 percent said they expected the cloud to have a "significant" impact on one or more business practices, but only 28 percent said their companies are ready for the change.
Have Data, Will Travel
Some IT professionals are worried about the difficulty of moving their company's data from one vendor to another.
Think cellphone service. If you don't like provider X, you can switch to provider Y. But you expect to be able to move your contact list to your new phone. And what happens when a company is unhappy with its current cloud provider?
"If you have a very large amount of data, there is no particular obligation for them to provide a high-bandwidth connection for you to transfer it or to assist in transferring it or any of the things that might help in moving it," Spafford said.
Such disputes could land in court. It's just one example of the brave new world opened up for the lawyers by cloud-based computing, says Matthew Sarrel, a network security expert who heads his own IT consultancy and is a frequent contributor to PC Magazine.
What is the legal recourse for a company that suddenly loses access to its data stored in the cloud?
"There are different levels of service-level agreements, but they are typically pretty weak when it comes to the subject of remedies," says David Smith, a vice president at Gartner Inc. who counts himself among cloud advocates. The company provides information technology research and advisory services.
"If your business was down for an hour and you lost $2 million, getting a small credit on the lost service isn't going to be very satisfying," he acknowledges.
And what if a cloud provider goes bankrupt?
"What if someone repossesses the physical server because they were leased and your data was on them? That could very easily be harvested and sold to your competitors," Sarrel said.
An Old Solution To A New Concern
Companies still need to back up their data — either the old-fashioned way or by contracting multiple cloud providers — which means they will still need some internal IT infrastructure, says Smith.
"You need to ask how reliant are you on one provider and what your exit strategy is," he said.
Should a company facing Chinese competitors be worried if its confidential information lives on a server in Shanghai?
"Probably," said Purdue's Spafford, but he adds that he's seen more corporate hand-wringing over nosy governments than nosy competitors.
"Many companies in Europe are concerned about their data being on cloud servers in the United States because the Patriot Act allows the government to snoop on records," he says.
There are yet other legal ramifications to storing information outside the security of a company's own data server.
If you're running an application in the cloud and another company sharing the same server gets into legal trouble, "the entire physical server could be subpoenaed, which would mean that you wouldn't even know what happened," says Sarrel. "It would just be gone."
The question of where the data reside is something that needs to be discussed with clients upfront, when service agreements are being hammered out, says Pamela K. Isom, an IBM global business services executive, who is the author of the book Is Your Company Ready for Cloud?
"If we need to host a cloud out of a particular region, we can do that," she said.
But Sarrel, who said he is "less of a skeptic" about the cloud than he was a few years ago, believes companies are starting to get it.
He sees a future of hybrid clouds, where sensitive data will be kept in-house on a private cloud, while companies will want some of their information available on a public cloud — not unlike the way many corporations use the Web today.
"You might run some systems in the public cloud because you don't care, but then the mission-critical stuff — the stuff you really need to run the company — will be kept internally," he said.