January 15, 2010

China, Google, and Trusting the Cloud

Greetings. Some of the initial dust is starting to settle just a bit in the wake of Google's announced change in China-related operational policies, and it's fascinating to observe the range of reactions.

One almost immediate result of my posting that strongly supported Google's decision has been a number of people asking if I still stand by my previous statements of support for the concept of cloud computing. Don't the Chinese attacks on Google and other companies, that triggered Google's policy changes, demonstrate a weakness in cloud services?

I still am enthusiastic about cloud computing, and I still feel that there are some important areas of cloud services where more work needs to be done. But more on that in a moment.

While I believe it's fair to say that most reactions to Google's announced China-related changes have been extremely positive, there have been some negative voices.

China of course officially is far from thrilled. My favorite official statements from Chinese officials on the matter so far include: "Properly guiding internet opinion is a major measure for protecting internet information security" -- and a warning that Internet businesses must adhere to "propaganda discipline."

Propaganda Discipline. Now that's a nifty turn of phrase if ever I've heard one.

Well, it's pretty clear where official China stands on this, anyway.

An accusation has been floating around suggesting that Google's only real motivation for the China changes was to give Google cover to extract itself from its "underdog" search status vis-a-vis Baidu.

Fiduciary responsibility alone would suggest that Google considered the financial ramifications of actions with the potential of drastic effects on their China-based operations. But there's no rational reason why Google would want or need to "cover" a straightforward business decision in the manner some folks are suggesting -- that's nonsensical. And to argue that Google would purposely create an "international incident" of this sort on such a basis is assuming a degree of functional sociopathy around the level of Norman Bates. Sorry, I just don't buy the paranoid argument.

Another concern being bandied about relates to the (unconfirmed at this point) rumor that part of the attack on Google involved access to a couple of Gmail accounts via a Google "law enforcement compliance" system.

Some observers have expressed outrage that such a system would even exist -- but frankly I'd be surprised if something at least functionally equivalent was not in place. Given that Google must respond to legal demands for information from law enforcement, a system dedicated in some way to that end would seem at least logical. And the header-type data obtained by certain of the (apparently) Chinese attacks (as opposed to message contents that were reportedly not accessed in this context) are the sort of "pen register" type of data that is commonly associated with certain common types of law enforcement information demands.

Whether or not such a compliance system was in play in these attacks, we know that certain aspects of security at Google and elsewhere were compromised. And this brings us back to the question of cloud computing safety.

But to answer that question, we have to consider the security implications of non-cloud systems as well.

Both from security and privacy standpoints in a perfect world (including pretty much unlimited free Internet bandwidth and lots of otherwise free time on your hands as well), it could be argued that keeping all personal data, e-mail, etc. on your own local computers would be a nifty setup.

However, we of course don't live in a perfect world. Maintaining your own mail servers -- and the security of those systems -- in today's Internet environment can be tough work. I know -- I build and operate my own servers, and even on a relatively small scale it can be challenging to keep attacks and other problems at bay. And let's face it, most computer users have not one iota of interest in spending their days (and sometimes nights) maintaining such systems.

If you want to provide remote access to your own services or collaborative environments -- via ssh or other tools -- even more work is involved and additional security considerations come into play. And then there's the issue of system backups. Sad to say, vast numbers of computer users have no usable backups of their data of any kind!

One reason why Google applications like Gmail have become so popular is that they offload so many of these issues onto Google's shoulders (in fact, Gmail has now switched over to using https: by default -- a major and extremely worthwhile boost for what I call "opportunistic encryption.")

But yes, a cloud service can be an attractive target, by offering the potential attacker at least the theoretical possibility of breaching large numbers of accounts in one fell swoop.

So as with so many other aspects of technology, we see that there's little black or white to these situations, but lotsa shades of gray. To judge any given cloud computing or cloud data storage environment involves not only the capabilities of those services, but also by contrast your own capabilities and desires in terms of operating your own systems and associated infrastructure to perform those same services.

For many individuals, companies, organizations, and even cities or larger entities, moving some or all information technology functionality to the cloud may make good economic and security sense, especially compared with what they could do in these areas on their own locally.

This calculus should be conducted in each case with the understanding that no systems -- locally operated or in the cloud -- will have perfect security, and that security breaches of some sort can eventually occur. One advantage of the cloud is that in most cases it is usually much faster to effectively roll out security updates across the entire population of cloud users than when dealing with non-cloud, locally-operated computing environments.

We can certainly assume that Google and the other organizations impacted by these recent attacks will be taking due steps to further secure their systems based on what has been learned. Computer security improvements tend to be more evolutionary than revolutionary, but like in so much else of life we tend to learn the fastest when challenged the hardest, and ultimate perfection is a pipe dream, not a practicality.

The decision to use -- or not use -- cloud services is an individual one. But my stand on the topic hasn't changed at all as a result of these recent attacks. Cloud computing shows enormous promise and is extremely valuable for all sorts of applications today. But we're in the infancy of this technology, and there's a great deal of important and exciting work yet to be done as this area advances. That work will undoubtedly include security and privacy enhancements as key aspects, and much of what we learn from intrusions will often significantly impact these development efforts in positive and useful ways.

Perhaps we should be publicly thanking the Chinese attackers for their "contributions" to the evolution of our cloud computing projects?

Uh, no!


Posted by Lauren at January 15, 2010 12:35 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein