Op-Ed: New MS Office for Cloud unveiled, but what about security?

Posted Jul 17, 2012 by Paul Wallis
Microsoft is now selling the new Office due for release next year. It’s basically an “Office Mobile” setup to be used as a Cloud app, with Skydrive saves direct on to a server. Fine, but why is nobody talking about security?
Microsoft CEO Steve Ballmer
Microsoft CEO Steve Ballmer
The new Office is admittedly looking pretty strong as a much-improved, very flexible platform. The problem is that the value of the user created content is much higher for working documents, particularly for professionals and business. If Cloud materials aren’t secure,(and there’s no reason as yet to believe they’ll be any safer than normal online operations, protected by passwords), there are risks galore.
This is a very different ball game, and the Cloud idea’s been staggering along in various ways, not necessarily getting much traction from consumers despite the hype. Cloud computing means that all the functions of a computer are available online, as are all the saved materials. To work, you need Cloud access and to function you need the online operating systems which effectively replace the normal computer operations. Google’s Chrome computer was the first, somewhat tepidly received, all-Cloud computer. Google docs is about as close to a functional Cloud system now in operation as anything.
The normal use of Office products is based on what’s effectively an in-house operational mode. There are only so many places these things are likely to go. Confidential information, works in progress, edits, and similar functions are usually person to person things. What eventually winds up online gets there after oversight and content checking. The online information, in whatever form, is the public face. A lot of information isn’t put online with good reason- It’s too sensitive.
Working documents, particularly Word docs, Excel spreadsheets, and commercial PowerPoint materials, are business docs. The amount of commercially sensitive information which could be obtained is gigantic. Some information, if acquired by other parties, could be damaging.
Private information is even more sensitive. The most likely reasons for obtaining private docs are potentially pretty grim:
1. Targeting individuals
2. Stalking
3. Blackmail
4. Extortion
5. Theft of information or professional products
Think about the materials you would prefer to keep out of reach of other people, and you’ll come up with quite a long list, for various good reasons.
The Cloud credibility gap
While Microsoft is notoriously security-conscious, almost too much so, some would say, the level of risk cannot be overstated for materials of these types. The Cloud also suffers from being a fundamentally different approach to private working docs, even if people are used to the “pseudo Cloud” of databases, internal networks, etc.
Convincing people that their private docs and business secrets are safe in the current security environment is likely to be a hard task. There is currently a cyber war going on around the world, with massive volumes of attacks on corporations and in some cases individuals. The big botnets can do a lot more than generate spam and Denial of Service (DOS) attacks, and they’re also pretty powerful systems with millions of compromised computers, able to create major issues for servers.
Scenario 1: Someone decides to attack the Cloud servers “on principle” as a typical faux-Luddite sledgehammer DOS attack on technology. Result, chaos, if the servers can’t handle the attack.
Scenario 2: Bogus/redirecting servers are connected to the Cloud. Like fake websites, these very nasty possibilities could do untold damage. This is about as difficult as buying new batteries for your remote.
Scenario 3: Security issues arise in server protocols, and these protocols are externally manipulated. Every administrator on Earth could see that coming.
Scenario 4: Real hackers, (not the drama queens), go to work on finding vulnerabilities in the Cloud’s systems.
Scenario 5: A major Cloud crash shuts down businesses around the world. This could be a “natural” crash, or an engineered crash. Backup systems or no backup systems, there are too many variables and too many possible lawsuits for lost data, etc.
Scenario 6: The Cloud turns out to be a natural breeding ground for new malware which can spread from servers back to users. (This is a very short jump from the existing self-propagating malware in use for many years, but the Cloud is a very big Petrie dish, compared to the net and malware hits could increase drastically.)
Scenario 7: Espionage becomes a lot more profitable as a result of the existence of large amounts of valuable data on the Cloud. Highly motivated and well-funded stealth attacks become a more effective cyber operation.
Scenario 8: The Cloud creates major streaming operations for internet TV, and “TV viruses” become a new issue.
Scenario 9: The Cloud creates evolution of home operating systems which create new vulnerabilities. This is the “reverse cycle” security issue we’ve been seeing for years, but on a global basis.
Is there a credibility gap, given that it took me 20 minutes to come up with these scenarios just using basic ideas? The broad picture is that the Cloud, in its infancy, will be Sitting Duck #1 simply because it’s a challenge for hackers and malware freaks.
Making the Cloud safe for baby
The Cloud is obviously the way of the future. It’s a good idea, and it can create major efficiencies. It’s also likely to make the internet more efficient, removing the bulk of the data loads into high speed operations. It’s a natural evolution of the net as a whole. That said, the thing must work properly and anticipate risks.
1. Encryption options as standard Cloud packages. These things are very easy to use, and can help reduce natural worries about security.
2. Sensitive servers. The servers themselves should be highly adapted to spotting behaviours which could constitute risks.
3. SSL type scrambling. Very easy to set up for businesses and not much more difficult than email encryption.
4. “Opt out” selective options for materials. By definition, saving on the Cloud has to be done as a separate save. Creating an opt out capability, whereby the Cloud and/or internet is effectively blocked from accessing selected materials, would be a good DIY added level of security.
The upside to the Cloud is vast. It could completely transform the way the world operates, even more so than the original computerization did. It’s the downside that has to be accurately predicted and shut down before it happens.