Schneier on Security
A blog covering security and security technology.
« Why Is Terrorism so Hard? |
| Secret Government Communications Cables Buried Around Washington, DC »
June 4, 2009
This year's overhyped IT concept is cloud computing. Also called software as a service (Saas), cloud computing is when you run software over the internet and access it via a browser. The Salesforce.com customer management software is an example of this. So is Google Docs. If you believe the hype, cloud computing is the future.
But, hype aside, cloud computing is nothing new . It's the modern version of the timesharing model from the 1960s, which was eventually killed by the rise of the personal computer. It's what Hotmail and Gmail have been doing all these years, and it's social networking sites, remote backup companies, and remote email filtering companies such as MessageLabs. Any IT outsourcing -- network infrastructure, security monitoring, remote hosting -- is a form of cloud computing.
The old timesharing model arose because computers were expensive and hard to maintain. Modern computers and networks are drastically cheaper, but they're still hard to maintain. As networks have become faster, it is again easier to have someone else do the hard work. Computing has become more of a utility; users are more concerned with results than technical details, so the tech fades into the background.
But what about security? Isn't it more dangerous to have your email on Hotmail's servers, your spreadsheets on Google's, your personal conversations on Facebook's, and your company's sales prospects on salesforce.com's? Well, yes and no.
IT security is about trust. You have to trust your CPU manufacturer, your hardware, operating system and software vendors -- and your ISP. Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems. We've spent decades dealing with worms and rootkits that target software vulnerabilities. We've worried about infected chips. But in the end, we have no choice but to blindly trust the security of the IT providers we use.
Saas moves the trust boundary out one step further -- you now have to also trust your software service vendors -- but it doesn't fundamentally change anything. It's just another vendor we need to trust.
There is one critical difference. When a computer is within your network, you can protect it with other security systems such as firewalls and IDSs. You can build a resilient system that works even if those vendors you have to trust may not be as trustworthy as you like. With any outsourcing model, whether it be cloud computing or something else, you can't. You have to trust your outsourcer completely. You not only have to trust the outsourcer's security, but its reliability, its availability, and its business continuity.
You don't want your critical data to be on some cloud computer that abruptly disappears because its owner goes bankrupt . You don't want the company you're using to be sold to your direct competitor. You don't want the company to cut corners, without warning, because times are tight. Or raise its prices and then refuse to let you have your data back. These things can happen with software vendors, but the results aren't as drastic.
There are two different types of cloud computing customers. The first only pays a nominal fee for these services -- and uses them for free in exchange for ads: e.g., Gmail and Facebook. These customers have no leverage with their outsourcers. You can lose everything. Companies like Google and Amazon won't spend a lot of time caring. The second type of customer pays considerably for these services: to Salesforce.com, MessageLabs, managed network companies, and so on. These customers have more leverage, providing they write their service contracts correctly. Still, nothing is guaranteed.
Trust is a concept as old as humanity, and the solutions are the same as they have always been. Be careful who you trust, be careful what you trust them with, and be careful how much you trust them. Outsourcing is the future of computing. Eventually we'll get this right, but you don't want to be a casualty along the way.
This essay originally appeared in The Guardian.
EDITED TO ADD (6/4): Another opinion.
EDITED TO ADD (6/5): A rebuttal. And an apology for the tone of the rebuttal. The reason I am talking so much about cloud computing is that reporters and inverviewers keep asking me about it. I feel kind of dragged into this whole thing.
EDITED TO ADD (6/6): At the Computers, Freedom, and Privacy conference last week, Bob Gellman said (this, by him, is worth reading) that the nine most important words in cloud computing are: "terms of service," "location, location, location," and "provider, provider, provider" -- basically making the same point I did. You need to make sure the terms of service you sign up to are ones you can live with. You need to make sure the location of the provider doesn't subject you to any laws that you can't live with. And you need to make sure your provider is someone you're willing to work with. Basically, if you're going to give someone else your data, you need to trust them.
Posted on June 4, 2009 at 6:14 AM
• 56 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Cloud Computing is one example of "Level 4" SaaS. There are less advanced alternatives - Wikipedia has a good article.
* Level 1 - Ad-Hoc/Custom
* Level 2 - Configurable
* Level 3 - Configurable, Multi-Tenant-Efficient
* Level 4 - Scalable, Configurable, Multi-Tenant-Efficient
I would never trust one of these services for anything more important than WoW (and dont technically trust them, but the loss is inconsequential if it fails). Apparently noone is able to figure out that the customer needs to, if not come first, at least be near the top of the list.
I have always said mainframes are like cats. They may deign to give you a small amount of their time, but its on their terms and you have to be satisfied with it. Whereas PCs are like dogs. Their entire attention is focused on you and you call the shots. Cloud computing is similar to the "network is king" mentality in that it is converting PCs back into cats - you no longer have the ability (or authority) to customize your desktop exactly the way you want, you have to use the application(s) that the IT dept provides, rather than one(s) that meet(s) your requirements, they keep adding more bulk of overhead software and when THEY fail it's YOUR problem not theirs.
In a nonfiction book by Clive Cussler (I think he was looking for the CSS Hunley, but I could have it confused with another) he told a story about how he was getting lackluster treatment by the crew he had hired on the ship he had chartered so he called a meeting and said "In the event of an emergency, the most important thing on this ship; the thing you have to save first is - my right hand". The crew sneers and asks why he is so important so he answers "because my right hand SIGNS THE CHECKS for everything that happens here". And service improved dramatically after that. He is a fiction writer but it makes a good story so I'd like to believe that a) it happened and b) it worked...
There's some broken HTML in the "You can lose everything" link, causing some of the subsequent text (until the next link) to be invisible in at least some browsers (if not all).
There is a html tag not closed at "because You can lose everything". The link does not work and the next link is not available.
"You have to trust your outsourcer completely. You not only have to trust the outsourcer's security, but its reliability, its availability, and its business continuity."
Well... yes, and?
When you buy tomatoes with an organic label on them you don't take a test kit to them at home.
So when you give someone money to do a job, you're hoping that they can do it at a better price/performance point than if you did it yourself. That is not new at all, and cloud computing doesn't change that at all in my opinion.
You don't want your critical data to be on some cloud computer that abruptly disappears because You can lose everything .
You don't want your critical data to be on some cloud computer that abruptly disappears because [new text:]its owner goes bankrupt. You don't want the company you're using to be sold to your direct competitor. You don't want the company to cut corners, without warning, because times are tight. Or raise its prices and then refuse to let you have your data back. These things can happen with software vendors, but the results aren't as drastic.
There are two different types of cloud computing customers. The first only pays a nominal fee for these services â and uses them for free in exchange for ads: eg Gmail and Facebook. These customers have no leverage with their outsourcers. You can lose everything.
I think the second paragraph misses the idea of cloud computing using a large number of machines, often spread out over a wide area. Google's distributed search database, as well as Amazon's S3 and EC2 services, are the largest and most obvious examples of this. I don't think that changes the security implications addressed here, but it probably introduces others.
I think this is a looking at the problem the other way around a bit. Cloud computing in this iteration is being driven primarily not by technological concerns, but by more social and workplace concerns. The drive at present is for information and tools to be available from anywhere, at any time. The prevailance of networks and computers makes the possible. So although technolgoically it looks the same as timesharing from days gone by, it's more the reasons behind why we want these services. As such, security research should take these considerations into place, and work towards solutions that can be implemented. A large part of this is technological solutions to enable trust (authentication et al), but equally large are the social considerations (audit and responsibility).
A potential solution, and one that many IT professionals I know use, is to have a home server, where they only then have to trust themselves. Then applications can be run locally, but the data pulled externally (or, of course, provide web interfaces for the majority of tools). However very few ISPs allow home servers on their networks; and there isn't really a wide spread use of easily deployable server solutions (it's certainly taken me months to set up my own server). Here, again, the computing community can provide solutions.
The "You can lose everything" link in the next to last paragraph is broken. Looks like the anchor tag isn't properly closed off, and the last part of the sentence is included in the link instead of displayed as text.
What Rob Funk said. One possible security implication of EC2/S3 is that if you have private data in that cloud, you are sharing hardware/networks with potential competitors in rather close proximity, which is why for some folks building "clouds" they seem to be largely just virtualization-heavy internal deployments. Still, I think it's pretty interesting if we can get those models to work. -- if you can successfully get companies out of the business of having to build out and manage their own datacenters. This may have a ways to go though, and definitely opens up some security questions. Attacks on the cloud manager infrastructure and other services within the cloud could be very profitable, and perhaps easier than external attacks? Could be interesting to explore.
You are missing a double quote in a anchor tag around the "the lose everything" line which chops a few of your sentences. Oddly it still makes sense...
One other thing that you lose is auditability. I recently tried the Amazon EC2 cloud with our software to see if it would work. It does, and fairly nicely. We'll likely never use it though, because we get audited on a regular basis that our processes show good control over the access to our customer's data. Can we go audit Amazon to see if their controls are sufficient? Maybe, but I rather doubt it. Meanwhile, the control is out of our hands, and Amazon employees and perhaps others have potential access to touch our data without our knowledge. That's not a great basis to trust your entire business model on.
The benefits and risks of cloud computing are two sides of the same coin.
You don't have to purchase, maintain, or upgrade the hardware, software, network, backup, redundancies, etc.. You don't pay the salaries of the people who do so. You don't have to make the decisions about how it is managed or protected, or about what features are enabled or customized. This can be a huge cost savings in some cases.
The flip side is that you don't control any of those things, so if they are not managed the way you would want them to be, too bad. That means everything from software security, to language filters, to the attitude of the support staff. This can be a huge risk in everything from viruses to litigation issues.
You have the same risks when you do it in-house, but you are the one making the choices about how to manage/limit those risks, and you have the ability to customize your solutions and your software to suit your particular business needs and philosophies. And you pay the salaries of the people who carry this out for you...and they know who you are.
Pick your poison. The risks are the same. The only difference is where the blame goes when something fails.
One concern I have with trusting providers is that I can never know if what I delete is really deleted. It could be on their servers, it could be on a backup somewhere. Even if I encrypt, sometimes I don't even want a file to exist anymore. At least on my equipment, I can use secure deletion software.
Just one of a seemingly infinite number of considerations.
A lot of talking going on in small garage.
It would be interesting to see some real facts and risk analysis on all the scenarios that have been mentioned in both the original post in the user comments. Anybody that has links to such information?
The other consideration is that they're better at things than you are.
Security is hard. Keeping systems up 24/7 is hard. Backups are hard (people have lost data they thought was backed up, plenty of times). Scalability is hard. In all of these, providing resources and expertise comparable to what Amazon or whoever can provide is a considerable expense. It's feasible for a large company (although their track records are hardly perfect), but not for a small company or hobby site.
I would recommend that all cloud users keep their own backups, and I'd suggest that if the service is financially important there should be a contractual agreement.
Cloud computing isn't for everybody, but for many purposes it's a considerable improvement over running your own site.
Anyone contemplating the idea of putting their business-critical data and processes into the cloud should have a quick look at Michael Connelly's latest thriller, The Scarecrow. Of course the human element is the most important in security, and it's hard to think of a better way of giving up more control of the human element more quickly than by going cloud. Service level agreements and legal contracts are fine, but who is actually going to be in control of your data where the blade meets the slot?
I was amused to see the lack of "secure" content in this article while it almost missed the key point of cloud computing.
Cloud computing is being successful because work paradigm has changed. I haven't felt my work is at my desk in my office for a long time. It's where I want it to be - where I am and desktop computers and corporate networks can't provide it. They are near useless.
From the security PoV my big objection with much of 'cloud computing' is that your data is likely to end up in countries which operate under different legal jurisdictions to those in which you're operating your business. Which potentially opens up a whole nest of fire-ants when as a UK-based business your cloud-computing-provider's servers get seized by the Feds/the Indian police/the KGB, or *you* receive a court-order requiring you to disclose specific data but can't comply because the data is held somewhere else.
The whole issue of trans-legislational data protection law is truly a nightmare.
Another problem about which I'm concerned with cloud computing involves legal and compliance issues. How do investigations and discovery change when the data resides on a third-party's computers? How do I ensure compliance for data under HIPAA or PCI? How do I and my cloud vendor deal with inevitable bugs / security lapses?
It's not that cloud-specific, really, depending on how you define cloud. Almost all my data is currently backed up in either Mozy or Carbonite anyway - but more than that, how can I be sure my "local" data isn't leaking out anyway? We've just heard how Microsoft slipped what amounts to a back door into Firefox as part of a recent .Net update; that, or any other update, could just as easily have sent the contents of your system off to a server elsewhere. Or, for that matter, opened up your machine as a server itself: how many PCs out there have unsecured Windows shares letting the world and their worm in?
Trusting third parties with your data is really nothing new: unless your machine is permanently offline, or has a seriously paranoid firewall monitoring every packet, you can't be sure your data isn't out there already. To be realistic, the average person's data is surely safer in a Google data centre with skilled staff rather than on their half-patched Windows 2000 system with an expired trial of some random AV product!
Let's reverse this issue -- if you don't use "an outside organization" to handle software, most folks are trusting an "inside organization".
Is there any reason to believe that your internal IT organization is more trustworthy? Yes, you do have more power over them, if you happen to be at the top of the organization. But unless you're very well versed in the software issues, that power is useless -- since incompetents or folks with their own agendas can easily trick you.
And for most members of your organization (you know, the ones doing the work), they're probably more helpless in the face of internal incompetence than an external vendor.
The lawyers will have fun with rare and primarily fictive situations, but in terms of day to day operation... I think the issues are really the upside down ones.
"The first only pays a nominal fee for these services -- and uses them for free in exchange for ads: e.g., Gmail and Facebook. These customers have no leverage with their outsourcers. You can lose everything. Companies like Google and Amazon won't spend a lot of time caring."
This is mind-numbingly ignorant. Google doesn't care about their users because their users only see ads rather than pay them service fees? Absurd. Without users, Google would make no money. Without a good reputation, Google would have no users. I'm confident that Google spends more money in a month ensuring the security and stability of their service and their users' data than most businesses spend in a year, and I'm confident they spend that money more effectively.
Incentives matter. Google has a huge incentive to "care" about you and your data. That incentive doesn't have to be contractual to be actual.
@ sooth sayer
> Cloud computing is being successful because work paradigm
> has changed. I haven't felt my work is at my desk in my
> office for a long time. It's where I want it to be - where
> I am and desktop computers and corporate networks
> can't provide it. They are near useless.
That's fine for high-security minded people. For the average worker, this is a mess. How much of your corporate data is sitting on a computer that's part of a botnet? Probably not your computer, you're reasonably paranoid or you wouldn't read this blog. We're edge cases; there's a reason botnets are so huge. Most people don't take care of their computers.
Cloud computing does have advantages. It also has disadvantages. It's certainly the hype of the moment. I've had lots of people ask me about disk in the cloud, which still makes me shudder. (http://padraic2112.wordpress.com/2008/03/11/ahem-folks-it-aint-that-cheap/).
Anyone who relies solely on cloud storage for disaster recovery is mistaken. There's this big long cable between your business and your data, called your ISP link, and if it goes down and stays down, you have a disaster. Even if your local computers are up, and your storage service is up, you can still be down.
I'd pick a simple carpenters cup, for the 1 and 0 are very slippery and magically important.
Finally someone said there is nothing new under the sun and the emperor has no clothes. Anyone who has worked with outsourced resources at a data center knows how much you are at the mercy of the outsourcer. Security issues can be egregious as well. I worked for a very well know bank who was hosting some apps at a very well known IT companies data center. they assured me our infrastructure was completely isolated from their other customers which was not true at all. They shared network devices and even disk! trying to get things like this fixed usually involves a hell of a lot of trouble and threatening to pull contracts etc for not abiding by SLA's. I have NEVER seen a case where an outsourced data center violated uptime or other SLA's and fixed the problem just because we fond out about it. Every time it involves raising hell to get them to do what is agreed upon in the contract. It is specially bad if they know it would take a lot of time, effort, and money to pull your resources out. Plus wait until contract time rolls around because they will stiff you big time with new costs and fees. I have seen all of this over and over and it is far worse when the data center is not in the U.S. A certain amount of outsourced hosting etc. makes sense for specific situations but the way the armchair IT analysts write about cloud computing its the second coming. IT executives who don't know any better are looking at this as a way to save costs without thought for the long term implications.
"Anyone who relies solely on cloud storage for disaster recovery is mistaken. There's this big long cable between your business and your data, called your ISP link, and if it goes down and stays down, you have a disaster. Even if your local computers are up, and your storage service is up, you can still be down."
What you have to do is have two connections each a separate connection to the backbone. Very costly and most companies don't go to the effort.
Terry: IT executives who don't know any better are looking at this as a way to save costs without thought for the long term implications.
But you see the problem now? You can't trust your (some) IT executives to make this decision wisely -- but then you give that very same IT executive control over your data "internally".
You're now no better off than you were by not trusting the IT executive, because you still have to trust him. And if you fire him, you'll end up hiring another incompetent.
The problem isn't the "cloud computing" or any other buzzword. The essential problem is that most organizations have woefully incompetent IT staffs making decisions -- so any decision made is going to be the wrong decision for the context.
The finger on security and all other IT problems is primarily pointed in the wrong direction -- it's not about particular processes, tools or technologies. It's about folks in over their heads.
It's always about the people. Always, always, always. Hire smarter people, pay them more -- the only solution.
I believe it was Feynmann who was asked how they avoided accidents in the early piles, while today endless safety regulations are in place and yet folks still screw up. His response? They had smart people running it.
Bruce makes two points:
1. Cloud computing is not new.
2. Cloud computing has some serious vulnerabilities.
I've been thinking about this for a couple years. I plan to keep my own files on my personal computer. I have no control over my employer but it's probably not doing a great job of protecting data - few do.
It's similar in many ways to the problems and solutions we already have, and we must ask ourselves many of the same questions, we just have a different technologies to consider.
When should we own, when should we rent?
When should we accept the risk, when should we transfer the risk to someone else (purchase insurance, for example)?
When should we do it ourselves, or when should we pay (and trust) someone else to do it?
I see cloud as both a plus and minus for availability. It is a plus because the availability at any location is someone else's responsibility. However, the minus is that it depends on whether or not you have an internet connect. WHen you travel and don't have data you want, the cloud is nice. When a disaster cuts your internet connect, having your own servers providing data is nice.
The benefits may be someone else's problem, but the consequences may be out of your control to fix.
A book could be written about this, but the simpest formula I can think of is: Is the control I lose worth making the amount of work someone elses' problem?
The fundamental issue I have with cloud computing is credentials. Why would I trust some company with my data if they might be in a different country (cloud computing does that to most non-Americans) and operate under laws I'm not even familiar with? How do I know what they actually do with my data? Of course, still nothing new but new dimensions to an old problem. As always, there is no secure data other than the one that do not exist!
The idea that you have your own system and data in-house and will always have access to it (until the hardware dies) is actually fairly new. I had many a VMS system turn into a pumpkin on my desk because the sysadmin neglected to pay DEC the OS license renewal.
Beautifully written Bruce. Thanks!
This all reminds me of the buzz around LoudCloud in 2000. The issues I identified with pentests in those early cloud environments are barely different from those hyped today. Risk management is similar to any other service - decide scope of responsibility, clarify ownership of assets, formalize liability for failure, and setup a process to audit and verify for compliance.
> When should we own, when should we rent?
We rent when three things are true:
1) What the organization needs is not something that gives us a significant competitive advantage.
2) The vendor can be bonded and insured to cover the risk more effectively than the organization.
3) What we need is fairly well understood and mature.
We partner when the following is true:
A) What we need is cutting edge, not well understood, immature, and completely outside the expertise of the organization, but opens a new market or gives us a competitive advantage.
The problem is right now that, for the most part, cloud computing options can give us #1 and #3, but not #2 and most people think it can give them A risk free.
RE: EDITED TO ADD (6/5): A rebuttal.
Thinly-veiled ad hominem attacks are so effective (sarcasm). I can appreciate an opposing viewpoint but the author loses me in the preamble.
I think this is all very silly, and too bad many will fall for it. Cloud computing is a response to a need, but not one of the customer. This is demand creation via marketing, a rather old game. Every vendor on earth wants that subscription money to somehow come in -- what a sweet business model for them.
They're not better at much of anything than you'd be if you had what it takes to make sure they're doing their job anyway. Should I repeat that? Depending on them for critical expertise will lead to disaster. You'd still need to know how well they're really doing their job, and by the time you do that, you've paid to do it yourself, and you know how. Full stop!
Zero chance off site security will be any better than yours, even if yours stinks. Because if they let your (you don't know who) disgruntled employees access it, it still has all of that class of leaks and troubles. Plus it's now open to them failing, man in the middle, and every other hack that can be added due to a cracker being able to break their security without having to break your physical security, no matter how good that might be. And history shows they either won't notice, or won't care, and surely won't inform you on their own initiative.
Anyone who goes for cloud computing for important things deserves what they will surely get.
A: a new bill you dare not stop payment on, wow.
B: worse security (but maybe you won't know till too late)
C: another point of failure of all kinds.
D: dependency on someone else, and loss of internal expertise to replace them when inevitably that is required.
I could go on (and on at length), but the alphabet is kind of short for all the reasons this is stupid for anyone other than the cloud computing vendor.
I guess people are still willing to believe that if they get this toothpaste or that deodorant that they automatically get the cute chick in their arms, and she's nice besides. Meh!
(Note, if that was all it takes, how dependable would she be in the case of a better toothpaste etc becoming available anyway?)
Bruce is correct in what he says about "cloud computing is the new time share" if you look at it as "renting resources".
However there are other aspects to cloud computing that "time share" never provided.
It is these new aspects that are going to cause the biggest headaches for those looking at cloud computing.
As a very rough measure as to if your organisation is ready to migrate to cloud computing ask yourself the question,
Do we have the ability to be able to provide the same resources as the cloud computing supplier is offering and if not why not?
It is likley to tell you a lot about your organisations strengths and weaknesses and therfore highlight the oportunities and threats involved.
And of course the multi-million dollar question,
What is the cost of the second migration, and how is it to be done?
That is it is all very well selecting a supplier of service to outsource to but what is involved with moving to a second or third supplier of service. Are there even second or third suppliers of service?
Answering this before going to the first supplier will enable you to judge what it is you are putting at risk by using the supplier when the inevitable happens (and it will).
Putting your data etc in an easily migratable form for multiple suppliers may be slightly more difficult or expensive initialy but the extra flexability and resiliance it gives you will usually be worth the cost.
Some good comments have been made. Just my simple summary:
Learn the history of Unix and computing.
Also, K.I.S.S [Keep It Simple S*]
There is some serious LSD coming out of parts of computing today, nothing new. Hype only makes sense for those on drugs.
From a privacy standpoint ( http://www.privacyinternational.org/... ) the U.S.A. is on par with China and Russia : Â« Endemic surveillance society Â». So if your concern on cloud computing is about how private you data is if hosted in another country, you might want to reevaluate your position!
You cannot create value for your customers by being really good at choosing vendors. You need to have good people and spend the time to make them better. If you are caught short, it makes sense to get outside help, but I don't think it will work in a long term situation.
Mr.Schneier, i'm performing a search on cloud computing's security, i am looking for articles, theses, which help me.You would have some good indication that i helped. Beacuse i need to finish writing my work of the university!
this is my e-mail's address: firstname.lastname@example.org
now grateful for the attention
Bruce says "but, hype aside, cloud computing is nothing new . It's the modern version of the timesharing model from the 1960s, which was eventually killed by the rise of the personal computer". Duh! In that case PCs were not new when they appeared because we had computer since the time of mainframes! That is not true, PCs were new in many aspects further than paradigm of data processing. PCs freed the computing power from the data centers through small offices and homes.
Then Bruce says about cloud computing, "it's the modern version of the timesharing model from the 1960s, which was eventually killed by the rise of the personal computer". Duh! Just the modern version of the old timesharing model? Hey Bruce, to get access to that old timesharing model we need to wait for the piles of printed stock forms with luck for the next day or have an ibm 3270 terminal at the office connected by modem to the mainframe, which cost more thant $10K in those days besides the communication's costs. The cloud computing is much and also goes further the old paradigm of data processing, Saas freed the computing power from the data centers through small offices and homes, no matter where in the world they are, no matter their size and no matter wich other partner need to be connected with them.
I think that with these premises Bruce demonstrate that he is not understanding the implications of this new paradigm. To understand it and to evaluate it you have to look SaaS under this new paradigm.
NIST has a very good definition of Cloud Computing. I think that's the best place to start.
Somewhat discussed was the ISP link but overall no one seems to be even thinking about what might happen enroute to the cloud.
What goes through the net becomes part of the net. With warrantless wiretapping at ISPs, I'd think twice before sending any critical information, even encrypted, to the cloud. We already know how much spine ISPs have when it comes to government surveillance.
Thecloud service providers will likely rollover, too, when the FBI/CIA/NSA comes knocking on their door.
If the data and services are important enough to PAY for, then you need someone to defend them. Until the courts support digital privacy and content control in the service provider environment, your records will not belong to you once they enter the cloud, no matter how much you pay.
As a database administrator for a medical center, I have several major critiques of cloud computing, the least one of which is the availability of the data and the viability of the service provider. We simply cannot tolerate lack of access to data for any reason, so the only way we would use a third party to host our critical systems is if they could prove that their mitigations for failure exceed our own. Cost is not the principal consideration in the decision because any cost savings can be eliminated many times over by one wrongful death lawsuit.
The primary point I make whenever anyone suggests that healthcare data should be stored in a cloud-based database is that whether or not we violate the conditions of the Healthcare Insurance Portability and Accountability Act becomes completely dependent on people outside our organization once the data leaves our control. The penalties are quite stiff and can be levied on a per-incident basis, which means a penalty per patient affected. The cost to the organization's prestige and the loss of the trust in it by the community has been estimated in previous credit card information thefts to be far greater than any other cost. Healthcare organizations require their patients to trust them with the ultimate responsibility of taking care of their bodies, and losing that trust is severely damaging. The risk of that happening alone is far too great for any reward offered by cloud computing run by third parties.
There are logistical impediments in the way of adoption of a cloud on a wide-area network for large databases too. Consider how long it takes to download 1 GB of data from a web site now, and multiply by 1000 to understand what it would take to update even a small data warehouse. Step back and think about how you would do identity verification with single sign-on through Windows or how you would limit access to your piece of the cloud based on location or specific computer. How do multiple applications communicate, authenticate, and share their information with each other? For our environment, how would you allow a patient to share his records in our database with a doctor in another hospital, perhaps even in another country? How do you audit every single access to every single piece of information to ensure employees are using only the data they are authorized to see? When there are 10's of thousands of employees with 10's of thousands of computers working with millions of patient visits per year, the logistics of just *how* to make cloud computing work becomes quite challenging.
I just don't think the infrastructure to meet the challenge is there yet, and I don't think we are anywhere close to jumping the hurdles involved in trusting someone else to safeguard our data and our livelihood.
What I do expect in my working lifetime is for companies to create their own clouds. The benefit of a computing environment that is tolerant of faults in hardware and in communications is quite great for organizations which depend on computers for patient care. The flexibility in location of the servers makes disaster recovery much easier to design and much less expensive to implement. By managing the cloud with in-house staff, an organization can reap the benefits without the risks of trusting someone else.
Cloud computing seems to be getting a lot of attention these days. I am in the financial indusrty and I use Egnyte to store data, share files, and backup my computer. Egnyte is a great solution and I use the software regularly with ease. What sets Egnyte apart for me is the local cloud option which allows you to always have access to files, work off line and work faster on large files
I see Cloud Computing the same way I see outsourced business. People will go for cloud computing as it's cheaper than buying a new physical server, software for it, and someone to admin it.
IBM, for example, supports many small businesses, who don't see the point in employing a fully qualified tech support agent who'l sit on his ass for 80% of his time, not by his own fault, but rather for lack of stuff to do.
Then look at Cloud Computing: instead of buying some software that costs several thousand to buy, and won't make business sense, as it will only be used every quarter to do audits and various reports, being able to run said software on a day-by-day basis, it'll appeal to the small-to-medium businesses.
Not having to have a room out back for the servers, not having to employ someone who can admin said servers, businesses may see Cloud Computing as a god-send, as it'll save them money.
Of course, they may not find out until it's too late that if, as said above, the company is bought by a rival, or simply runs out of money and closes, they're up sh|t creek with a hole in the boat.
Personally, I've heard of people thinking this will be good for the gaming world. On the one hand, having a standard machineto code for (example: consoles) that will forever be up to date (slap in more RAM, a faster CPU, etc, as time goes on), will ensure that people will always be able to play the latest games without a hardware update. On the other hand, if the shhhhh... machine that the cloud is based on hits the fan, everysingle person will be left without much to do. Imagine every WoW nerd found out that WoW would be down for the next week? Sure, they'll play other games. But if they played everthing that they had through a virtual machine on the web, the clouds tech line will stay busy for some time to come.
The blog is oversimplified..
Trust games are very difficult in an enterprise especially when collaborating with external parties. there is nothing new here..
However, achievement of trust in cloud cases are even more difficult since you have to gain the trust very fast and maintain it with a much more generic (=vague) trust system than in normal outsourcing/service provisioning cases.
Also, with cloud cases it is so easy to someone to make the trust decision to some external provider on the behalf of corporate functions and information owners, which on the other hand may not trust the specific provider at all.
As trust cannot be inherited or passed, the cloud games are very difficult in major corporations.
One needs to create a simple & fast trust model for cloud cases separately.
The problem with buzz is that managers get caught up in the panacea aspect. Oh yhes this will solve all the problems we have with staff, hardware, software, world hunger, etc. The reality is that cloud computing, like anything, has a role and fills a niche. To run a large enterprise in a cloud is moronic. It is arguable if the scale can be achieved to make it better and more reliable than non-cloud data centers. Can an enterprise survive an outage in or to the cloud? In the end it is all about risk, can we trust that this provider won't fail or perform badly in a way that makes us bleed money.
The blog seems a bit ...simplified. Surely there are cloud services other than SaaS and not all SaaS are cloud services, given that
- dedicated ASP solutions are not what people tie to cloud computing
- there is an inherent assumption of being able to quickly reduce / add capacity (and pay with a credit card for B2C clouds) that does not match managed services.
Also, I don't quite agree with bundling managed services with clouds to the same basket. While managed services are included in the cloud approaches, most managed services providers support third party audits. Providing means to audit a cloud service seems to be another matter altogether.
Furthermore, the type of cloud (IaaS, PaaS, SaaS) and the inherent capability to scalethrough homogenous, physically distributed provides context for additioanal security challenges.
In terms of type of Cloud, the level of responsibility in terms of security moves between the service provider and customer. If one uses IaaS or PaaS, security for application remains with the customer. Compliance on the other hand depends on what one wants to comply with. I guess PCI is the most problematic one (but these would need to be discussed separately to go into nuts and bolts of the issues).
Scaling certainly leads to data-location issue eventually (which leads to trans-national data location problem).
Still, there could be a number of means a service provider could do to alleviate the issues that cause potential mistrust due to lack of transparency to operation and service lifecycle.
Service provide could at least indicate location and compliance related responsibilities and limitations in the service description / contract.
The contract should also indicate termination related responsibilities, e.g. does it cost something and to what extent is data and possibly configuration related information exportable from the cloud service. And what would the price be.
Along with a proper SLA, service level objectives (SLOs), sanctioning if used and means of measuring the objectives (something that seems also obvious) can be included in the contract. Capability to use third party monitoring service to verify SLOs would also add to the perception of the service provider.
In terms of the future, means of cloud users to indicate to each other the experiences they have of the given cloud provider e.g. through a (third party) reputation system would similarly add to the level of trustworthiness.
Just to note a few fairly evident issues. Its one thing to say that trans-national data location, compliance and trust establishment are challenges and another to actually discuss these. Simply noting "choose wisely" seems like... self-evident (doesn't it apply to everything?)
Beyond the crude notes, there is Cloud Security Alliance and their security guidance on clouds. Its most likely to be of interest to those dabbling with clouds and trying to decide just how critical functionality and data can be processed through cloud services.
In most tests it proves to be just as secure if not more so than conventional in house data networks as most small companies can't afford the security that larg cloud hosting providers have access to. Although so far there does tend to be a lack of standardization on security issues.. As time progresses, the many benefits inherent to cloud computing will ensure that it remains the focus of the IT security industry.
Just an ironic note on the bio picture: Is your data/work at risk sitting by a city window with the laptop display turned outward?
Hi Bruce, been reading your blog for some time now. I must say, that I agree with Philippe. Your data is only as secure as the standards the country it is maintained in, mandates.
And you are right, people are treating Cloud Computing as some new up and coming endeavor. Comshare (RIP) and ADP have been doing this for DECADES!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.