The Cloud Is Hype, the Conversation the Same, Transparency Is Key

By Dahna McConnachie
Technology & Business
March 31, 2009

Security guru Bruce Schneier says that whatever cloud computing is, the security issues and conversations around it are nothing new. The key, he says, always comes down to trust and transparency.

Cloud computing is all the buzz. Amidst all the noise, a lot of the discussion has been about what cloud computing actually is. Some say it is anything you consume outside the firewall. Other definitions are that it is an updated version of utility computing: that the cloud is comprised of virtual servers made available over the internet. Sun Microsystems' Asia Pacific Chief Technologist and Principal Engineer Ken Pepple says that in many ways, cloud computing is simply a manifestation of the principle that has guided Sun for the past 25 years: that 'The Network is the Computer.'

Moving on from defining the cloud, other discussions have focussed on security and what threats cloud computing brings to privacy and data security. We thought we'd bring Internationally renowned security guru, Bruce Schneier in on the discussion.

Everyone out there seems to have a slightly different slant on what cloud computing is. What is your personal take?

I wouldn't have a clue. It's a buzz word. The meaning depends on what the marketing droids say it is. You will have to tell me what your definition is. It is not one of my own marketing terms.

So you belong to the camp that thinks it is just a marketing buzzword then?

Yeah, I do, so the question is, which marketing buzzword will we actually use?

Well, lets run with the basic definition of Cloud computing being a dynamically scalable service offered over the web, whether it is software as a service, or platform as a service, or infrastructure as a service, or a combination of these.

So not much different to what we used to do in the 60's.

Well, one of the main undebatable changes is that there is a lot of hype around about the cloud now, and there are a lot of new and varying services being offered under the cloud computing banner. Does this increased offer of cloud computing services equate to an increased security risk?

There are concerns associated whenever you trust someone else, so whether it is with your data or something else, you need to trust someone. One of the problems we have is with transparency, and this is not only with cloud computing, this is with anything. EPIC (Electronic Privacy Information Center) has recently sued Google because they are not transparent on their security policy. Their policies matter and they are very opaque. Nobody knows what they are. So the biggest risk is the opacity of the system, and I think that is a big deal.

What about Richard Stallman's comments in the press that if you hand your data over to the cloud you are losing control. He said it's just as bad as using a proprietary program if you use a proprietary program or somebody else's web server, you're  defenceless. You're putty in the hands of whoever developed that software. Do you agree with this?

Well, you know, you lose control when somebody else writes your operating system. It's just a matter of degree, right? If you want control you have to build your own hardware out of chips you have designed yourself, write your own operating system and write your own applications. It's just another step along that line. I mean, how much control do you have when Microsoft controls your Excel files? Control is all about understanding who is doing what and where the responsibilities lie.

What about the possibility of criminals using the power of cloud computing. Is this a concern?

Criminals will use cloud computing and they'll eat at restaurants and drive cars and use telephones. Of course. But so what? Infrastructure is used by people to do good things and bad things. There exists no example of infrastructure that only the good guys use. Of course they will.

So Cloud computing won't generate different types of Internet attacks

That's a different question entirely. Of course it will. Everything done will generate different types of attacks. Doing cloud computing will generate different types of attacks. Not doing cloud computing will generate different types of attacks. New and different types of attacks will always be generated and that will never stop, at least not in the foreseeable future. New complexities will bring new risks. This will always be true.

Are DDOS and DOS attacks more likely as a result of cloud computing?

This is certainly possible. Yes.

Are there any particular safeguards against such attacks that people should use in a cloud environment and are there specific security frameworks, data sanitization methods or encrytption tools that potential cloud buyers should be looking for in a provider?

Probably. Whenever you buy something from anybody, there are things you need to watch out for. Will it be the same next week as it is this week? Maybe – it depends. There are a whole lot of levels of noise, but yes, if you are a consumer you need to watch out for things and this is why transparency is so important. Right now, you can't call Google for example and ask them about their service protection. There is no place to make that question. It doesn't matter if you ask it, you won't get an answer because there is no transparency. It is easy to come up with a list of risks and they are all real. None of this is wrong.

So in addition to the need for transparency and communication from a provider, are there any specific practices consumers should look for, in your opinion?

Probably, but I am not going to say you should use this thing or that thing. That's all deep down in the noise. I don't really have a ready answer for that. It depends. Designing security systems is hard and complicated. You can't do it in sound bytes. So yes, there are specific things you should do and you should do the research, figure out what they are and do them. That is true for all security.

I am guessing that you will have a similar answer when talking about privacy?

Yep, that's right. These things are important. If you are concerned, ask the questions, but these are the same questions as you would ask about using gmail. I mean why weren't we having these discussions when gmail first showed up. DOS attacks, provicay concerns, security concerns, who has access to my data. What happens when bad things happen. This is no different to a conversation about gmail. It is actually no different to a conversation on a shared account on a bulletin board system. We could have had this conversation 25 years ago. These really are the same conversations. What is different are the method of access and the technology and protocols, but from a human level and a security level – they are the same issues. You know, I use an ISP: are they vulnerable to DOS attacks? What are the privacy measures they have in place? How do I know that no one else can read my email?

earlier story: "We Focus on Defending Against Tactics Rather than Threat"
later story: Q&A: Schneier Warns of Marketers and Dancing Pigs
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..