December 27, 2009

Securing the Cloud -- and the Trade-Offs Therein

Greetings. A few days ago, I briefly discussed my belief that "cloud computing" has and will have enormous promise, but I also expressed the concern that some fundamental security and privacy issues -- while solvable -- may not be sufficiently developed today to satisfy the requirements of all potential users.

I received quite a few comments, mostly asking in what circumstances I believed that cloud computing is or isn't appropriate for any given application.

That's a difficult question to answer succinctly, since user requirements vary so widely, and the very concept of "cloud computing" (as the term tends to get tossed around) covers a great deal of territory -- storage, e-mail, real and virtual machines for general purpose remote computing, and so on.

So right now I'll just touch on a couple of points. As always, there are lots of trade-offs involved in the selection of information technologies.

One basic issue is the degree of privacy that you desire or require, vs. the costs you're willing to pay. For example, since most Internet users have neither the capability nor the inclination to run their own mail servers (though significant numbers would do so if their ISPs didn't forbid it!), it's common to host (at least part of the time) your e-mail "in the cloud" -- e.g., on ISP servers, Google's Gmail, or whatever.

Such remote e-mail hosting, whether accessed via POP, IMAP, Web browsers, or other means, is different in key ways from local mail storage.

First off, as long as the e-mail is on remote servers, it's likely better backed up than if it was just sitting on your own computer. On your own machine, statistics suggest that your mail and other data likely isn't backed up well or at all. On the other hand, e-mail not under your immediate control will likely be subject to a different (and in some respects generally weaker) set of legal (privacy) protections than e-mail stored on your own machine.

Does this really matter in practice? The easy answer is yes -- but that wouldn't be entirely accurate. For many people, the trade-off between reliable remote storage and comprehensive (e.g. Gmail) mail handling functionalities, vs. theoretical privacy concerns, may skew heavily toward the cloud. This may particularly be true for services like Gmail that offer the option of full-time TLS (https:) secure connections between user browsers and Google servers. However, there are other users who wouldn't want to store their e-mail remotely under any conditions, for any period of time longer than required for transit and delivery (with server-to-server crypto at least of the STARTTLS variety when possible).

The honest analysis is that these sorts of decisions are very much personal ones. The key is to try to be sure that you fully understand the implications -- both positive and negative -- of these choices, and not choose your application and service paths solely based on the say-so of either boosters or detractors.

When you're mostly concerned with remote storage rather than remote computing and processing per se, the situation can sometimes be a bit more straightforward.

If you simply wish to store data securely and reliably "in the cloud," then there's no obvious reason why the service provider would typically need access to the plaintext data or the means to decrypt encrypted data.

Various interesting work has been proceeding in this area.

The open-source Tahoe-LAFS project shows particular promise for providing a cloud-based, encrypted, reliable remote system for storing data -- much like a secure, distributed RAID environment.
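The storage-only model described above (the provider holds ciphertext and never the key), as an added example that is not from this post or from Tahoe-LAFS: the client encrypts and authenticates the data locally, then spreads the ciphertext across three simulated providers RAID-5 style, so any one provider can lose its copy and none of them can read or silently alter the data. The cipher construction, share layout and function names are this example's own assumptions, not Tahoe-LAFS's design.

```python
import hmac, hashlib, secrets

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32  # 32-byte PRF outputs, counter-mode style
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]

def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream: an illustrative
    construction; a real client would use a vetted AEAD such as AES-GCM."""
    enc_key, mac_key = _prf(master_key, b"enc"), _prf(master_key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(master_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _prf(master_key, b"enc"), _prf(master_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: share tampered with or wrong key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def split_shares(blob: bytes) -> list:
    """RAID-5-style split: two ciphertext halves plus XOR parity, 4-byte length header each."""
    half = (len(blob) + 1) // 2
    a, b = blob[:half], blob[half:].ljust(half, b"\0")
    parity = bytes(x ^ y for x, y in zip(a, b))
    hdr = len(blob).to_bytes(4, "big")
    return [hdr + a, hdr + b, hdr + parity]

def join_shares(shares: list) -> bytes:
    """Rebuild the ciphertext from any two of three shares (None marks a lost provider)."""
    if sum(s is not None for s in shares) < 2:
        raise ValueError("need at least two of three shares")
    total = int.from_bytes(next(s for s in shares if s is not None)[:4], "big")
    a, b, p = (None if s is None else s[4:] for s in shares)
    if a is None:
        a = bytes(x ^ y for x, y in zip(b, p))
    elif b is None:
        b = bytes(x ^ y for x, y in zip(a, p))
    return (a + b)[:total]

def store_and_recover(master_key: bytes, plaintext: bytes, lost_provider=None) -> bytes:
    """Encrypt client-side, hand one share to each of three providers, recover with one lost."""
    shares = split_shares(encrypt(master_key, plaintext))
    if lost_provider is not None:
        shares[lost_provider] = None  # that provider's copy is gone
    return decrypt(master_key, join_shares(shares))
```

Each provider receives only its share, which contains neither the key nor any recognizable plaintext, and a modified or wrong-key share fails the integrity check rather than decrypting to garbage.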

With the increasing sophistication of client-side applications operating in advanced browser-based, server-supported cloud environments, it seems likely that a range of applications beyond "simple" storage will increasingly be able to function in modes where the actual data will not need to be plaintext accessible to the cloud provider.

But here again, there will be trade-offs. Some functionalities will likely perform more comprehensively or faster with server-based processing requiring plaintext data availability. Some valuable and popular services that may be viably provided for free when users allow plaintext scanning (e.g., of e-mail for ad displays) might not exist or might need to be fee-based without such scanning.

In the future, it's possible that both the free and fee service models will coexist in new contexts that don't exist widely today, perhaps based on both service capabilities and user-selected privacy paradigms.

It's undeniable that the future of computing is in the clouds. But the shape of Internet clouds, like the clouds fleeting across an azure sky, is a process rather than a fait accompli. Our sky gazing at cloud computing has only just begun.

--Lauren--

Posted by Lauren at December 27, 2009 06:07 PM | Permalink