Should Companies Do Most of Their Computing in the Cloud? (Part 3)

Cloud computing is the future of computing. Specialization and outsourcing make society more efficient and scalable, and computing isn't any different.

But why aren't we there yet? Why don't we, in Simon Crosby's words, "get on with it"? I have discussed some reasons: loss of control, new and unquantifiable security risks, and -- above all -- a lack of trust. It is not enough to simply discount them, as the number of companies not embracing the cloud shows. It is more useful to consider what we need to do to bridge the trust gap.

A variety of mechanisms can create trust. When I outsourced my food preparation to a restaurant last night, it never occurred to me to worry about food safety. That blind trust is largely created by government regulation. It ensures that our food is safe to eat, just as it ensures our paint will not kill us and our planes are safe to fly. It is all well and good for Mr. Crosby to write that cloud companies "will invest heavily to ensure that they can satisfy complex...regulations," but this presupposes that we have comprehensive regulations. Right now, it is largely a free-for-all out there, and it can be impossible to see how security in the cloud works. When robust consumer-safety regulations underpin outsourcing, people can trust the systems.

This is true for any kind of outsourcing. Attorneys, tax preparers and doctors are licensed and highly regulated, by both governments and professional organizations. We trust our doctors to cut open our bodies because we know they are not just making it up. We need a similar professionalism in cloud computing.

Reputation is another big part of trust. We rely on both word-of-mouth and professional reviews to decide on a particular car or restaurant. But none of that works without considerable transparency. Security is an example. Mr Crosby writes: "Cloud providers design security into their systems and dedicate enormous resources to protect their customers." Maybe some do; many certainly do not. Without more transparency, as a cloud customer you cannot tell the difference. Try asking either Amazon Web Services or Salesforce.com to see the details of their security arrangements, or even to indemnify you for data breaches on their networks. It is even worse for free consumer cloud services like Gmail and iCloud.

We need to trust cloud computing's performance, reliability and security. We need open standards, rules about being able to remove our data from cloud services, and the assurance that we can switch cloud services if we want to.

We also need to trust who has access to our data, and under what circumstances. One commenter wrote: "After Snowden, the idea of doing your computing in the cloud is preposterous." He isn't making a technical argument: a typical corporate data center isn't any better defended than a cloud-computing one. He is making a legal argument. Under American law -- and similar laws in other countries -- the government can force your cloud provider to give up your data without your knowledge and consent. If your data is in your own data center, you at least get to see a copy of the court order.

Corporate surveillance matters, too. Many cloud companies mine and sell your data or use it to manipulate you into buying things. Blocking broad surveillance by both governments and corporations is critical to trusting the cloud, as is eliminating secret laws and orders regarding data access.

In the future, we will do all our computing in the cloud: both commodity computing and computing that requires personalized expertise. But this future will only come to pass when we manage to create trust in the cloud.

This essay previously appeared on the Economist website, as part of a debate on cloud computing. It's the third of three essays. Here are Parts 1 and 2. Visit the site for the other side of the debate and other commentary.

Posted on June 10, 2015 at 3:27 PM • 20 Comments

Comments

winterJune 10, 2015 3:49 PM

"and -- above all -- a lack of trust."

It is strange that this has to be repeated here again.

Human society and economy are determined by trust. Without trust, no commerce. Actually, without trust there is no economy.

I really cannot understand how it is possible that educated people like those in the intelligence and law enforcement community do not know this.

On the other hand, we now read almost daily reports about USA police officers who break the very foundations of trust between law enforcement and the public. So maybe I just should look at them as examples of US "public servants" culture?

Jacob DunnJune 10, 2015 4:51 PM

Go back and read AWS agreements from several years ago regarding private encryption - you were required to share keys with them. I have followed the private keys scenario closely and it is not what it seems to be. SpiderOak tried to market the advantage of maintaining your own keys for years and it failed to rocket them past the other storage providers. Even Box, as an example, years ago there was nothing to prevent you from encrypting your file and then uploading it. It's not like they detected unreadable content and blew some kind of whistle. The fact is, all the problems that encryption presents, along with all the key management problems, are actually magnified once you take the private key path. It's not a cloud problem as much as an encryption problem.

If vendors preferred you don't encrypt, it would probably because then they can compress your stuff, and store delta only. Cheap. But now many are hawking private keys and it's not to boost sales by alleviating fears. It's more than not, to abdicate responsibility and provide for absolution when the feds serve them with a subpoena. They want out of it and they can't even move storage offshore to escape this either.

Perhaps the biggest reason not to use online storage of any files that you would want to encrypt, even if you kept the keys, is because of the nightmare that your keys are compromised. It's not like you can quick - change the keys, and all your files are magically re-encrypted with the new keys. And how many keys do you need? One for each file or one for each container? Yikes. And you can't just bury the keys in a vault somewhere. They need to be used on a regular basis, typically. Worse still, if someone decrypts your files you will not know it. It's actually worse than a break-in.

Visit the Cloud Security Alliance website for a lot of good information about cloud security. These are people who think about this all the time and they're submerged in these issues, it's not a little thing. Umpteen columns in magazines haven't made a dent in commercial sentiments. All the claims that the waters fine and come on in, are paid for by people like Dropbox, etc. Meanwhile other vendors like Venafi have a few white papers about encryption keys and certificates that serve as a wakeup call - the NSA is the least of your problems.

65535June 10, 2015 4:58 PM

For non-mission critical things like pictures, movies, games, and other junk the so-called Cloud is fine.

But, for mission critical things the cloud is more like a foggy mine field. One mistake your data is vapor.

On the darker side of things I think of plenty of uses for the Cloud by malefactors of all stripes. Spam, booby-trapped code or urls, and much worse. The list of negative or dual-purpose items is quite long.

Tom BortelsJune 10, 2015 5:17 PM

As is so often the case - encryption (well done) solves for much of this. Encryption transfers your need to trust from your provider to your encryption software.

Worried they will mine your data? Good luck if it is an encrypted, opaque blob.

Worried that the government will copy your hard drive? ditto.

Is this a usable solution, today? Yes. No. Maybe. kinda. It depends. If you are very smart, and very lucky, and very careful about how you handle things, yes. Many many many who are not in that group think they are, and that's where the fun is. But - the barrier to entry gets lower and lower, and requires less and less specialized knowledge to be safe as the technologies improve. The weak link is, and likely always will be, human beings.

Is it possible to have perfect privacy this way, today or ever? Nope. But you don't have that now, by a longshot. It is weird to have to repeat this (as I do, frequently), but nobody has any real, reasonable expectation of privacy on the internet - those who do are deluding themselves. Your privacy is only as good as you make it, and a really good way to increase that is to stay off the internet! and yes - that is incompatible with other goals, it is a sad fact that the most secure computer (encased in a concrete, lead-lined vault - powered off) is also the least usable.

Nick PJune 10, 2015 6:48 PM

@ Bruce

"Cloud computing is the future of computing. Specialization and outsourcing make society more efficient and scalable, and computing isn't any different."

That cuts both ways. Vendors could (and somewhat do) specialize in making personal clouds low cost with all needed funcationality and configuraiton tools. I'm talking a combination of something like VMWare's infrastructure products with virtual appliances representing cloud functionality (i.e. Dropbox, Google App Engine). Combine that with colo's for keeping low costs such as physical and transfer.

I still think Nitix was exemplar in this space. Did everything users needed with high availability, backups, easy config, and so on $2,000-3,000 per small business. Add the cost of IT admin or occasional consultant. Like AS/400's, although cheaper, you just set it up for your basic IT stuff and mostly didn't think about it. IBM eventually bought them out to merge into their product line. Today, we have things such as virtual appliances, Owncloud, and so on. Yet, I think modern companies could do well to create variants of their products with Nitix-like low cost of ownership and decentralization.

"I have discussed some reasons: loss of control, new and unquantifiable security risks, and -- above all -- a lack of trust."

Add lack of reliability: major cloud services have gone down several times. There's many businesses that don't want downtime. They use careful design of multiple sites running systems and software designed for fail-over. Some use specialist tech such as mainframes, NonStop, and so on. Track-record is still better than the cloud. If it sounds insignificant, remember that downtime has sometimes cost companies six-digits an hour. It's why those six-digit machines/clusters with great performance, management and *uptime* were such a good deal.

"Mr. Crosby to write that cloud companies "will invest heavily to ensure that they can satisfy complex...regulations," but this presupposes that we have comprehensive regulations. "

True. It also ignores how many companies treat compliance as a game with predictable results. Leads us back to your arguments about trust.

"Without more transparency, as a cloud customer you cannot tell the difference. "

Bingo. Whereas many commercial and FOSS solutions have been evaluated thoroughly by experts for various strengths and weaknesses. We have more to leverage in making a judgement call.

" It is even worse for free consumer cloud services like Gmail and iCloud."

A number of celebrities are nodding their heads at this point... while continuing to use the products.

"We need open standards, rules about being able to remove our data from cloud services, and the assurance that we can switch cloud services if we want to."

Vitally important.

"Corporate surveillance matters, too. Many cloud companies mine and sell your data or use it to manipulate you into buying things. "

I didn't see you mention (or clarify) the more important risk: espionage. Governments across the world getting access to data to pass onto companies in their own countries. Companies have known about this for some time now. Combine it with their data being in clouds there and now the risk is through the roof. A real risk as loosing I.P. to the competition often equals lost market share. Have people look up the results of Huwei's espionage on Cisco, for example.

"In the future, we will do all our computing in the cloud: both commodity computing and computing that requires personalized expertise."

I disagree: specialized devices still beat cloud for many things and network links still aren't reliable/cheap enough to full-on replace local installations. Even data transfer of some large scientific projects moved back to shipping hard disks by mail because it was cheaper and faster (lol). There's also all the technology that supports various cloud services at endpoint and network layer. Those will be COTS devices with plenty of competition.

Cloud alternatives will loose market share in the near, maybe long-term, future. The other stuff isn't going away, though, as much of their results just can't be replicated by cloud alternatives. Remote desktop is not the smooth, consistent experience of a desktop. A Roku can't compare to a media center PC set up right. Barely-supported VMS clusters still outdo AWS in availability (5-20 years uptime). Games on consoles are better than online games. Native apps on local machines outperform web apps in so many categories. And so on.

Both cloud and the better things before it are here to stay. The use cases will just split between them based on which is better.

Alternative SolutionJune 10, 2015 6:54 PM

For me the cloud is not a practicable option as upload speeds are too slow.

Cheap hard drives are easy to come by nowadays and providing you follow the '[backup] rule of 3' it's quicker, more convenient and offers greater security and flexibility.

I too sacrifice convenience for security/privacy and only use the cloud for storing the most critical of my data (absolutely cannot lose)

That said prior to uploading I will manually encrypt the file and then sign it with my PGP key. Then, in the event that I require access, I can establish its integrity (i.e. that it hasn't been tampered with) and I can be as confident as reasonably possible that the data hasn't been compromised.

I don't trust solutions like (the new incarnation of) Boxcryptor as there are issues with key management. A much better solution is to upload an encrypted volume using Truecrypt (or AxCrypt for individual files/or to encrypt a 'compressed folder').

A more elegant method is SecureZIP from PKWARE. It integrates with Outlook, Word, PowerPoint and Excel or can be accessed from the context menu or application.

With a solution like SecureZIP you can sign and/or encrypt the file using PGP, S/MIME or a conventional passphrase. They support AES: 128, 192, 256 or 3DES (168).

Personally speaking I think that encrypting a file with a certificate (self-generated or otherwise) is a much better way to secure your data. Using a passphrase alone, unless exceptionally long, won't be sufficient for AES 256. They used to offer a free version for personal use which is no longer advertised (but still available). Or you can hand over $40, support their work and get the latest version.

WinZip integrate Box, OneDrive, Dropbox, Google Drive etc. but don't offer the ability to use PGP or X.509 certificates. They also limit the useful functions to the more expensive 'professional' edition.

I know that Microsoft are introducing BYOK (Bring Your Own Key) for cloud data and emails. That'll be very interesting (some businesses are already using it) but this will also limit device interoperability (smartphones, tablets). The keys are kept on Thales HSMs so should be reasonably secure. Transfer of the keys can be done using a designated program, by post or in person.

But until the complex legal, jurisdictional, commercial, privacy and security issues are resolved I'll continue to manage my own encryption.

And for storing properly encrypted data, the cloud is great.

timJune 10, 2015 7:28 PM

@65535

But, for mission critical things the cloud is more like a foggy mine field. One mistake your data is vapor.

This is a silly argument. If you have a mature and professional operations organization than this is not an issue. Its just like any other ops environment. If you don't - then it doesn't make any difference if its OnPrem or in the Cloud. You have equal amount of chance of "vaporing" you data either way.

LessThanObviousJune 10, 2015 7:34 PM

I have a suspicion that cloud computing is going to lead us down a path further toward zero accountability. When companies and public sector networks are hacked and lose data they generally play the victim and don't have any reason to acknowledge they could have made any better choices about security. As we outsource the care and feeding of data I believe they will also outsource accountability. It will be easy to just say, "We chose a secure cloud provider in good faith, we couldn't be expected to be responsible for the end to end security, we were the victim of a sophisticated cyber attack, I assure you steps will be taken to ensure this type of breach doesn't happen again".

We should not let all all accountability go by the wayside. The outsourcing of responsibility must not remove accountability.

GeorgeLJune 10, 2015 7:54 PM

@ LessThanObvious

At some point, these cloud providers may become too big to fail. As an industry matures, consolidation is a probable endgame, until anti-trust measures kick in. Then too big to fail becomes the single provider of failure. The benefits of cloud as you described I think it's best categorized as legal conformity. As Clive has pointed out, punting the blame is a game to be played exclusively among corporate top execs, who are very well paid to make these types of decisions. If history is any indication, the inevitable is in our future. Thus, the question remains, how best compromise can we make?

Earl KilianJune 10, 2015 10:21 PM

I think you need a finer grain look at cloud services. For example, using cloud storage is not necessarily handing your data over to the government if you encrypt it before it leaves your premises (assuming that the government hasn't penetrated your network, and if they have all bets are off). Agile's 1Password does this, for example. On the other hand, using a cloud service such as GMail has limited opportunity for encryption since the user interface doesn't support encrypted data that Google itself cannot read (unless you use only IMAP access with S/MIME or GPG). The situation is even worse for calendar and contact syncing. Vendors (e.g. Apple) could have implemented encryption so that it was just random bits being stored in the cloud (with the encryption keys never know by the vendor), but they didn't. Someone should convince the EU to mandate encrypted user data in the cloud. Oh wait, France just passed Patriot Act like legislation, so I guess that's out.

NateJune 10, 2015 11:24 PM

@Earl Killian: "using cloud storage is not necessarily handing your data over to the government if you encrypt it before it leaves your premises'

Definitely. I draw a HUGE line between 1) "cloud storage" (filesystem-like hosted storage where you have the ability to upload arbitrarily large blocks of data and encrypt it on your own hardware first") and 2) "cloud computing" (IaaS, 'Infrastructure as a Service', where the provider gives you a virtual machine where their hypervisor has full access to your machine's RAM and the credentials / cryptography keys it holds, and the ability to undetectably clone your machine, RAM, HD and all, at any time).

The first theoretically CAN be kept secure, because you don't give them the keys. The second - even in theory - CANNOT be. It's like DRM on a DVD: you just handed your eavesdropper both your data and your keys, together.

WinterJune 11, 2015 1:56 AM

@Nate
"The second - even in theory - CANNOT be. It's like DRM on a DVD: you just handed your eavesdropper both your data and your keys, together."

Not necessarily. It is theoretically possible to process encrypted data without learning anything about the data using Homomorphic encryption:

Applying Fully-Homomorphic Encryption (Part 1)
http://outsourcedbits.org/2012/06/26/applying-fully-homomorphic-encryption-part-1/

Applying Fully-Homomorphic Encryption (Part 2)
http://outsourcedbits.org/2012/09/29/applying-fully-homomorphic-encryption-part-2/

There is more on this blog.

NbkJune 11, 2015 4:53 AM

"Cloud computing is the future of computing."

If we think about cloud computing as a way to join different resources to reach a common goal, yes, it's the future.

@451, Nbk

MikeAJune 11, 2015 12:56 PM

Regulation in many other fields (e.g. Building and Electrical codes) started with the insurance companies. Even now, local governments mostly just include the "industry" (insurance) codes by reference. This is arguably better than having some bureaucrat whose appointment arose from family connections decide how deep your foundation should go, and how much rebar it needs. Of course, the insurance companies are not so directly saving lives as making sure they can collect from someone else, and the sort of massive breaches that will continue to occur lead to a high probability of bankruptcy, first of the cloud provider (once the insurance payout limits are reached), then the insurer, then one or more re-insurers. See the domino effect of the bad-mortgage crash.

Still, some standards are better than no standards, _IFF_ the standards are written by knowledgeable people with few(er) ulterior motives than I've seen in ones like ISO9000 and 14000, the "full employment for rule-gamers" schemes.

WarrenJune 11, 2015 1:32 PM

Part 3 has a significant focus on regulation.
The examples of regulation and licensing given are comparatively slow moving industries. A standard written 15 years ago and agreed to 10 years ago is appropriate to be applied now. We have centuries of food preparation experience. Similarly in banking and insurance. Computing has been around for ~60 years, cloud computing ~10 years. In a fast evolving industry, I'm not convinced we can regulate or license an appropriate solution. Unfortunately I don't have a viable alternative to suggest.

mysterianJune 12, 2015 8:48 PM

"...it never occurred to me to worry about food safety. That blind trust is largely created by government regulation. It ensures that our food is safe to eat,"

No, it ensures that at the time of "inspection" the food was prepared in the "sanitary" environment the rules required.

NateJune 15, 2015 9:50 PM

@Winter: Homomorphic encryption is intriguing, yes, and I am aware that it exists at the early theory stage and makes claims for being practically achievable. But from what little I've seen, I'm still very dubious.

Not that I'm any crypto expert, but... it seems to me that breaking encrypted data into small enough units to do useful processing would surely weaken the encryption. Even though it's nominally still 'encrypted', if you've only got 10 bytes in your ciphertext (say the 'home phone number' field) instead of 100000, wouldn't that make it much easier to brute-force or look for recurring known values? At some point you've got to retrieve plaintext data; how can you guarantee that an attacker can't just go look up their own record, ask for the phone number, compare plaintext against ciphertext and start cracking from there?

Also, just because you can multiply and add encrypted values doesn't mean you can compare them; can you really implement a Turing-complete language on end-to-end encrypted data without some kind of compare mechanism?

At the VERY least, even if FHE does work and can be scaled up to the cloud, I would assume that it's a LOT slower than doing operations in the clear and having trusted security boundaries like 'I own this hardware'.

Unfortunately I find both of these articles almost totally opaque with regards to the questions I want to ask. Phrases like '... had to build his scheme using sophisticated techniques' also don't yet make me hugely confident that this is a set of mathematical primitives which are well understood and proven to be resistant to attack in a real-world environment.

For comparison: BitCoin was described as 'secure' by its boosters, and is based on known-good crypto primitives -- yet there are HUGE number of problems not only in the architecture and implemention of its core protocol, but in the security assumptions around it. (Such as the '51% attack' problem combined with the economic forces creating centralisation of mining pools.) It's technically 'cryptographically secure' within narrow lab parameters but it turns out that that doesn't buy you much in the real world.

But I've been wrong before. If FHE does work, I would find it fascinating to see if someone could build a simple distributed data-manipulation machine language based on it.

@NateJune 21, 2015 2:03 PM

Yes, all these things are indeed possible (read Craig Gentry's thesis or the excellent 12 pages strong paper explaining the basic idea). As FHE offers semantic security, a chosen plaintext can't be used to attack the scheme. Arbitrary computation is indeed possible, as long as the server never actually gets to decrypt the end result. It's magic, but rigorously checks out if you look at the details. Way cool stuff!!!

@NateJune 21, 2015 2:03 PM

And yes, it's orders of magnitude slower than direct computation. But you care about data ownership, right?

Jim WalshJuly 1, 2015 12:31 PM

Part of the trust for cloud computing is written in the service level agreements by cloud providers. For example, both Google and Microsoft guarantee 99.9% uptime on all of their cloud services. Because cloud providers are responsible for huge amounts of often sensitive data, they know that the need to do anything it takes to keep their client’s data accessible and secure.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.