The cloud is a powder keg

This post is about computer security. Before your eyes glaze over, let me say that – without using any security jargon – I’m going to try to convince you there is a significant security issue on the horizon that will affect almost every business that stores valuable data on computers.

Willie Sutton was a bank robber who, when asked “Why do you rob banks?” replied “because that’s where the money is.”  This quote is famous enough that some people call it Sutton’s law.  On the internet, Sutton’s law means the bad guys will try to hack where the valuable data is stored.

One of the major trends in the technology world is “cloud computing” or a related concept, “Software-as-a-Service (SaaS)”. The idea is that instead of being installed within your company’s own network, software is hosted by a service provider and you access it via a web browser. SaaS applications are popular because they are much easier to use, install, maintain, and access. The most prominent examples are probably Salesforce and Google Apps. But the SaaS revolution is happening to almost every corporate application – HR, accounting, project management, bug tracking, and so on.

As a result, there is a giant migration of data going on.  We are moving from a world where everyone kept valuable data within their network to a world where all of their data is in SaaS providers’ databases.

Sutton’s 2nd law is that where there is lots of money, bad guys find a way to get to it (ok, I made up the name for this law – but it should have a name). When kings had piles of gold in their castles, people found a way across the moats and through the gates. The same is true of people robbing banks, and the same will be true of SaaS providers’ databases. It could be an inside job, someone leaving a “door” open, or just clever hacking – but you can rest assured that with a giant pile of gold sitting there, the bad guys will get it (in fact it’s already started).

We have gone from a world where everyone hid money under their mattress and protected it with an alarm system and shotgun to a world where all the money is in just a few places, run by people who have no particular expertise in providing security and who, for the most part, deny there is any risk. SaaS providers like Salesforce just dismiss the security risk, saying, in essence, that they have alarms and shotguns too.

It’s a powder keg waiting to explode.

Disclosure:  I invested in a stealth mode security company that addresses this problem.  Perhaps that makes me biased.  I prefer to think of it as evidence that I believe what I’m writing here.