Sweden warns firms of cloud computing risks

Hundreds of Swedish companies have lost out on large international contracts after their secrets were leaked to competitors due to security breaches as a result of the explosion in cloud computing.

• Half of young Swedes 'face raped': survey (28 Jan 11)
• Site 'stole' pics to rank Swedish teen girls (12 Nov 10)
• Most Swedes hit by internet crime: survey (8 Sep 10)

Companies, particularly those in the IT industry, that use cloud services, in which applications and files are stored with large data centres instead of on their own computers and accessed through the internet, are especially at risk.

The Swedish Fortifications Agency (Fortifikationsverket) is warning companies to take extra precautions if they rent data storage space from external providers.

"It's something we've discovered and we want people to be aware of, but it's not normally our job to look at companies' security like that. It's not really our thing to actually go through companies and see what their security levels are like," Catharina Millmarker, press secretary of the agency, told The Local on Wednesday.

"When we look at companies, like when we build new estate areas, we always check to see if the information is safe with them. We don't use those companies where it is not. We see a trend where a lot of companies do this, so we had to say something about it," she added.

The governmental authority, which is one of the largest landowners in Sweden and whose largest client is the Swedish Armed Forces (Försvarsmakten), specialises in protection technology, secure underground facilities and special purpose buildings.

"Information leaks have always been a problem since companies started to send information on the internet. It's been a problem for many years, but it will be an increased problem because of the numbers of users using cloud computing," the agency's security protection director Henrik Thernlund told The Local on Wednesday.

The agency engages in nearly 2,000 security-protected transactions each year to see how they handle the classified information that they receive.

Thernlund has observed that companies trying to procure information no longer have to hack into systems, but can simply pay for trade secrets, according to a Svenska Dagbladet (SvD) report on Wednesday.

"Company executives have no idea how poorly they manage their business-critical data. They are starry-eyed and lose business because of it," Thernlund told the newspaper.

Cloud computing began to take off two to three years ago when the bandwidth made it possible to store data online for certain applications.

The countries that are most cited in engaging in state-funded industrial espionage are Russia, China, Iran and even Britain, which has reportedly invested more resources on collecting data for economic and commercial purposes.

Other markets cited include both France and Germany, as well as India and North Korea, according to SvD.

The agency has noticed about 20 cases a year in which there is a direct threat against a Swedish company and its business-critical information. In another 50 cases, companies are exposed to "significant and serious" risks, according to the report. This pertains to both large and small companies.

Thernlund advised companies not to place all its data on cloud servers.

"No, absolutely not. For instance, if you have a new patent that you have not registered yet, it is very bad to put it on the internet. Keep it at the company before you get the patent. There are advantages with cloud computing, we're not saying ban it at all, but just for some information," he said.

As to why companies have been caught off guard, Thernlund said, "For a smaller company, it is a question of competence, they don't have the competence in-house. For a bigger company, it's cheaper than having your own server."

He added that it is difficult to estimate how much companies lose from cloud computer leaks.

"The advantage for the attacker is that you don't even know if you have lost information. It's not like a book on the shelf where you see the book is missing," said Thernlund.

"Someone else can produce the product you have a patent for, or they will make an offer you were after. You cannot point to a company and say, 'You stole this from me,'" he added.

Thernlund believes that both governments and companies must become more vigilant in this area to beef up their cloud computing security. Often, it is the state that owns the databases and rents out storage space to companies.

According to security software manufacturer Symantec, all information stored on cloud servers should be encrypted, but even this is not enough to ensure that the data is secure depending on which country the cloud company's servers are located.