Cloud control and security
In this article from September, the issue of control versus ownership is examined with respect to information in the cloud. The author makes the following point:
Traditionally, control of information flows directly from ownership of the underlying platform. In the traditional security model location implies ownership, which in turn implies control. You build the layers of trust with the root of trust anchored to the specific piece of hardware. Virtualization breaks the link between location and application. Cloud (at least “public cloud”) further breaks the link between ownership and control.
Basically, the author’s main issue is that, with public cloud computing, physical control over the location of the data is no longer synonymous with security (the word public in relation to cloud systems is one that we will discuss next). Sure, data is intangible, but at least we used to know that the location of that really important Excel spreadsheet on your computer’s hard disk drive meant that was where it actually was. However, now that all that data is in some Google Docs spreadsheet up in the cloud, who knows where it actually is and how secure it is?
The main issue is that with public cloud computing, the user does not own, and therefore does not control, the infrastructure on and over which data lives and travels. Public indicates that the cloud service provider is a multi-tenant solution (as is the case with the major players: Microsoft, Google, Yahoo, Amazon, etc.). You are therefore essentially dealing with the difference between being a private homeowner with a nice yard and driveway and owning a sleek condo in a high-rise building downtown that offers great accessibility, but where you still share a building, lobby entrance, and security guard with a bunch of unknown weirdos.
We can exert control and secure the information through a combination of encryption, contracts with service-level agreements and by (contractually) imposing minimum security standards on the providers.
So as my rough analogy sort of gets at, there is no reason that a condo in a high-rise is any less secure, but it definitely isn’t more secure than a private home, is it? I suppose that all remains to be seen.
In a related article that is linked through the opening paragraph, it is discussed how security is (maybe was, since the article is from April of this year?) one of the major issues delaying widespread adoption of cloud computing systems:
“One of the biggest security concerns about cloud computing is that when you move your information into the cloud, you lose control of it. The cloud gives you access to the data, but you have no way of ensuring no one else has access to the data. How can you protect yourself from a security breach somewhere else in the cloud?”
I hope to address this issue as we get deeper into the semester, but the overarching issue with cloud computing seems to be that while it is cheaper to move into the cloud (no more owning infrastructure and paying the relevant IT staff associated with it), it offers less control and increases abstraction. It seems that until there is a unified system of security measures and process audits, there will be many CIOs ill at ease with the notion of cloud computing.