Data encryption and the Cloud

Disagree with Mr Jones @Symantec

ISPs like BT/Phorm, TalkTalk/Huawei, and Vodafone Bluecoat are systematically compromising the confidentiality/security/integrity of their networks, and selling commercial intelligence to third parties.

A communications channel without essential characteristics like confidentiality/security/integrity isn't a trust worthy communication channel.

Thus passing any unencrypted commercially valuable data over an untrustworthy network infrastructure is madness.

Secure infrastructure is key, only then can you be sure your information is secure.

If you then choose to use cloud services offered by BT/Google with commercially sensitive information, there's no hope for you. You've gifted your business to your competitors.

Therein lies the inherent weakness of cloud computing. Untrustworthy communication networks. Untrustworthy hosting providers.

Wha??????

"Encryption technologies track where it is going" What??? How does that work?

The actual elephant in the room is if you encrypt at the data layer how do you then perform any processing on the resulting cyphertext? If you had a working homomorphic encryption algorithm you might be able to but not with a "normal" heteromorphic one.

Assuming...

...we can eliminate the slow Internet access speeds to the Cloud and get it working like an internal Gigabit network, the only other thing I need is the Cloud as a bubble. Everything in that bubble and access to it should be mine and under my control. If I want to encrypt the contents of that bubble, parcel it up into discrete pieces or restrict access to protect my data then so be it. The provider should only care about giving me the space and / or resources I need. What I do with it is non of their concern.

It is like renting a house from a landlord; same principle. If I come home from work and find a stranger laying on my couch reading one of my books cuz the landlord let them in, I would not like that one bit.

Providers having access to my info unimpeded is the Achilles Heel of the Cloud setup. I can barely keep ahead of my companies needs for security without having to continually validate and assess my providers IT staff and security.

Nobody knows anything.

And they're all idiots.

Honestly, this distributed storage/computing thing has been bashing around for decades and several fundamental problems were never solved:

* Yes, security, and all the complexity thereof

* A wonderful MAGICAL network, Lisa! That never fails and is always available!

* How do you do generic coding? Clusters can't, they need specialized daemons written to be purpose specific? Java? Pffft. Yeah right. Python? Ok, viable, but how do you sandbox it without a million programming caveats? What is your distribution model in this 'cloud'? Are all services cluster....oh! sorry!....'cloud' aware? No? What do you do about that?

Let's all just put our suits on, turn up and give a 1 hour presentation of utter, utter bunkum to some morons from rich families in more suits, say 'cloud' a lot (and maybe 'paradigm' and 'leverage' a few times), collect our $2000 fee and head home to the spa and ho's. Who's with me!

Why focus on Encryption?

I'm apparently an Information Security Professional. And concerned about Cloud; not because of the technology or technical impacts - just like PKI - it all seems to be fine. I'm more concerned about the non technical aspects: risk, accountability, reliability, legal and privacy implications (just what killed off "Big PKI").

I have one of my auto-rants around this topic at http://www.pingudownunder.com/2011/05/04/simon-harveys-answer-to-what-are-common-concerns-about-adopting-cloud-computing/ and and more than happy to stand corrected.

A recent CIO.com article quoted this is the cruicial point: "This is what shared responsibility implies—both parties have to step up to the security aspects in their control, and failing to do so means the application is not going to be secure. Even if the CSP does everything correctly for portions of the cloud application within its control, if the application owner fails to implement its security responsibility correctly, the application is going to be insecure. "

My issue is that given the immense hype, marketing and over-simplistic sales pitch by Cloud/IT Vendors, they ignore their own responsibilities. And the market they are selling to - CEOs - incorrectly assume that security is no longer their issue. At least with traditional IT Outsourcing, the Rs & Rs was clear - contractually - about who is responsible for what. I have yet to see this in the Cloud world.

Looking at the Amazon Web Services downtime over Easter, the default compensation from AWS to customers was 10 days hosting credit. I wonder if this fully compensates the the business loss incurred by their customers - and how many of them had DR/IT BCP plans in place.

Don't get me wrong ... similar to other "innovations" like SOA, BPO, BPM, Outsourcing, NearSourcing, Offshoring, NearShoring, and so on; I do like the promise of "Cloud" and can see many benefits; i just don't like its execution by the IT Industry.

And I strongly believe that you cannot assume, or belive the marketing hype, that Security becomes a non-issue. Ultimate responsibility for security and risk management remains that of the Customer - and they need to select the appropriate CSP which provides them with the most appropriate level of controls to their needs (insurance, contractual limtations/compensation, technical and policy monitoring/evaluation, etc).

Case in point: El Reg's reporting of the Virgin Blue downtime seems to indicate that they have good contractual obligations on Navitaire - i.e. the airline is due to be fully compensated for actual losses, including compensation given to VB's customers, plus additional charges on their IT Service Provider. I can't see anything approaching near this in the "Retail Cloud" space (e.g. Amazon, Google, Rackspace") ...