I see a lot of misguided talk about cloud computing and its security as the New Big Thing. I was reminded of this the other evening when the local brewpub hosted a talk by Gene Spafford, the director of Purdue University’s CERIAS, the Center for Education and Research in Information Assurance and Security. Spaf spoke on trends in cybersecurity and the constancy of those trends. Moore’s Law still holds. Since about 1980 it has always been true that about 50 high-end desktop computers could store the entire Internet of 10 years before. Growth means new data, users, and connections, but there is a constancy. Some things, like the growth itself, have been around for decades. It’s the same with cloud computing and its security concerns.
Imagine an environment with multiple processing and storage platforms distributed across the network. You do not need to know where your data is at any moment or worry about individual machine or network failures. Isn’t this a new product from Amazon, Google or Microsoft?
This was the subject of Spaf’s Ph.D. thesis, which he defended in 1986. The project was named in 1984. And that name? CLOUDS.
CLOUDS stood for Coalescing Local Objects Under Distributed Supervision. But of course the resulting name was the point—if you combine two clouds, you get a cloud. If you take some material away from a cloud, you still have a cloud. And when you try to look closely, you can’t specify the cloud’s boundary.
CLOUDS involved a specialized distributed operating system kernel, written in assembler for the VAX platform. The first Ph.D. in that research group went to Jim Allchin for an earlier attempt at writing this kernel. He went to Microsoft and took charge of its operating system development, retiring on Vista’s release day.
So, no, cloud computing is not new. But what about cloud security? Surely that’s new, right?
The technology itself is entirely the same. Information security is still CIA: Confidentiality, Integrity, and Availability. Encryption and key management are the preventive controls that preserve confidentiality, and in the cloud the question that matters is simply who holds the keys. Hash functions provide detective protection, warning us of violations of data or system integrity, but only if the hash is kept somewhere the attacker cannot reach or is computed with a key the attacker does not have; a digest an intruder can recompute and overwrite alongside the data detects nothing. Ciphers and hashes are math functions, and math works the same way locally and in the cloud. As for availability, Amazon and Google can far outspend most of us on backup generators and multiple high-bandwidth network connections, and they routinely replace (and destroy) disk drives used in multiply redundant storage arrays.
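As an added example (not code from the original post), here is that integrity point in Python's standard library: a plain SHA-256 digest stored next to the data is defeated by anyone with write access on the provider side, because they can recompute it, while an HMAC keyed with a secret that never leaves your side still catches the change. The record, the simulated provider store, and the tampering are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record handed to a storage provider we cannot watch.
ORIGINAL = b"ledger-2024-q1: total=1048576 currency=USD"

# Integrity key held locally; the provider only ever sees data and tags.
# In practice this comes from your own key management, not a fresh random.
KEY = secrets.token_bytes(32)


def plain_digest(data: bytes) -> str:
    """Unkeyed hash: detects accidental corruption, not a deliberate rewrite."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: cannot be recomputed by anyone lacking the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)


def upload(data: bytes) -> dict:
    """What we send to the provider: the record plus both integrity values."""
    return {"data": data, "sha256": plain_digest(data), "hmac": keyed_tag(KEY, data)}


def tamper(store: dict) -> dict:
    """Someone with write access at the provider edits the record and
    recomputes every unkeyed check they can see. The HMAC is left as found,
    because without KEY there is nothing better they can put there."""
    forged = store["data"].replace(b"total=1048576", b"total=2097152")
    return {"data": forged, "sha256": plain_digest(forged), "hmac": store["hmac"]}


def check(store: dict) -> dict:
    """Run both verifications on whatever came back from the provider."""
    return {
        "plain_ok": verify_plain(store["data"], store["sha256"]),
        "keyed_ok": verify_keyed(KEY, store["data"], store["hmac"]),
    }


def demo() -> dict:
    clean = check(upload(ORIGINAL))
    attacked = check(tamper(upload(ORIGINAL)))
    return {"clean": clean, "attacked": attacked}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} plain_ok={result['plain_ok']}  keyed_ok={result['keyed_ok']}")
```

Running it shows `attacked plain_ok=True keyed_ok=False`: the unkeyed digest passes because the attacker rewrote it too, and only the keyed tag exposes the edit. The HMAC does not protect against rollback to an older, correctly tagged record or against the record simply being deleted; those need a version or counter inside the tagged data and, for deletion, your own copy.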
Cloud security is quite different in some ways, however. On the negative side, biometrics can't practically be used, and neither can a smart card like the U.S. DoD CAC be plugged into the server. On the positive side, passwords, a terribly weak authentication technology, aren't even a choice for the programmatic access the most commonly used IaaS platforms are built around: API calls and instance logins are typically authenticated with cryptographic keys. The biggest issue with cloud security is the simple fact that some work must be turned over to the provider. You don't even get to watch them. You frequently get little more than "Trust us, we are very careful." And if you aren't comfortable with that? Thanks for inquiring, but this is how our service works. Feel free to search for a provider that offers far more hand-holding, but don't be shocked at the price.
As for what you can do, it's the same technology that you should already be applying to your in-house operations: encrypt data before it leaves your control, keep the keys and integrity checks where the provider cannot reach them, and authenticate with keys rather than passwords. What about the division between what you do and what you must turn over to a cloud provider? That depends on how you use the cloud. You must consider this very carefully to decide whether this transfer of control and visibility is acceptable.
Learning Tree’s course on cloud computing and security can describe those fundamental security technologies and then show you where the control and visibility split.