Security In the Ether

theodp writes "Technology Review's David Talbot says IT's next grand challenge will be to secure the cloud — and prove we can trust it. 'The focus of IT innovation has shifted from hardware to software applications,' says Harvard economist Dale Jorgenson. 'Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.' But there's one little catch. 'None of this can happen unless cloud services are kept secure,' notes Talbot. 'And they are not.' Fully ensuring the security of cloud computing, says Talbot, will inevitably fall to emerging encryption technologies."

Whom are we securing it from?

[bschorr]

Part of the problem is that with Cloud Computing you have a much broader set of "enemies" to secure your data from. It's naturally in the interests of cloud/SaaS providers, who are selling an increasingly commodity product, to look for ways to cut their costs. They have price pressure from consumers and competitors so like any business you can bet they're looking for the cheapest providers they can for the services they require. Unfortunately that cost-cutting and corner-cutting will lead to new and different security challenges.

For example: all but the largest will be outsourcing their data centers. And when they outsource that storage will they find the same sort of pricing structures, perhaps on a different scale, that everybody else does - it is attractive, from a price perspective, to off-shore that data to places where it's just cheaper to run. One of the strengths of the Internet is how it shrinks the planet in that regard. But there has recently been a big debate about whether or not the 4th Amendment in the U.S. protects hosted e-mail from search and seizure by the U.S. government. What does the 4th Amendment in Malaysia protect against?

What if your biggest competitor in your particular industry is a Chinese company and your Cloud provider decides to store your data on a server located in China. Do you suppose the Chinese gov't might be able to access (or monitor) your data and provide any of it to their company?

Even if your data stays on a domestic server and your business is entirely legitimate - most Cloud providers are multi-tenant (that's the economy of scale that helps them keep prices down). What if one of the other tenants on that server is doing something naughty and the government decides to seize the server to go after them. Will your data be safe and protected? They're the government, right? OF COURSE your data will be handled properly. :-) Uh huh.

Another big topic is document retention. You want to keep documents as long as you need to and then expire those documents. Will your SaaS/Cloud provider respect your document retention policies? Or are you going to discover, hopefully not after being served with a discovery request, that they actually have copies of your expired documents in cache or on backups somewhere that they never destroyed?

There are a LOT of new security issues that come up when you essentially put your data at arm's length with no real idea of where it's physically stored or who has access to those servers. I'll close with a quote:

"If (CIO) Randy Mott told me 'Put the general ledger up in the Cloud' I'd say 'Go back to work, we're not doing that."
            -Mark Hurd, CEO of Hewlett Packard-

Re:Emerging encryption tec

Full homeomorphic encryption is, contrary to IBMs press team, still far from useable. In fact, there is no method in sight that could do the job.

What you Linux lovers really want is full homoerotic encryption. So you can hide your gay porn.