Cryptography pioneer: Whitfield Diffie, a cryptographer and security researcher, and visiting professor at Royal Holloway, University of London.
David Talbot
Cryptography solutions are far-off, but much can be done in the near term, says Whitfield Diffie.
Cloud computing services, such as Amazon's EC2 and Google Apps, are booming. But are they secure enough? Friday's ACM Cloud Computing Security Workshop in Chicago was the first such event devoted specifically to cloud security.
Speakers included Whitfield Diffie, a cryptographer and security researcher who, in 1976, helped solve a fundamental problem of cryptography: how to securely pass along the "keys" that unlock encrypted material for intended recipients.
Diffie, now a visiting professor at Royal Holloway, University of London, was until recently a chief security officer at Sun Microsystems. Prior to that he managed security research at Northern Telecom. He sat down with David Talbot, Technology Review's chief correspondent.
Technology Review: What are the security implications of the growing move toward cloud computing?
Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn't apply if we were flying our own planes. On the other hand, it is so much more economical that we don't realistically have any alternative.
TR: The analogy is interesting, but air travel is fairly safe. So how serious are today's cloud computing security problems, really?
WD: It depends on your viewpoint. From the view of a broad class of potential users it is very much like trusting the telephone company--or Gmail, or even the post office--to keep your communications private. People frequently place confidential information into the hands of common carriers and other commercial enterprises.
There is another class of user who would not use the telephone without taking security precautions beyond trusting the common carrier. If you want to procure storage from the cloud you can do the same thing: never send anything but encrypted data to cloud storage. On the other hand, if you want the cloud to do some actual computing for you, you don't have that alternative.
TR: What about all of the interesting new research pointing the way to encrypted search and even encrypted computation in the cloud?
WD: The whole point of cloud computing is economy: if someone else can compute it cheaper than you can, it's more cost effective for you to outsource the computation. It has been shown to be possible in principle for the computation to be done on encrypted data, which would prevent the person doing the computing from using your information to benefit anyone but you. Current techniques would more than undo the economy gained by the outsourcing and show little sign of becoming practical. You can of course encrypt the data between your facility and the elements of the cloud you are using. That will protect you from anyone other than the person doing the computing for you. You will have to choose accountants, for example, whom you trust.
An authority on Web security believes your data might be safer in the cloud.
IBM security tool searches for and destroys malicious code in the cloud.
New research reveals how to find would-be victims within cloud hardware.
I find Cloud Computing secure, since you don't have to depend on computers and hard disk to store your data.
It prevents your data from crashing as well as from computer and internet viruses.
Who Has Access & What They Have Access To
Diffie raises a good analogy, "know who hire" for you know not what they do when they have access to your data. Choosing the cloud computing supplier should consider at least the following:
Contract that permits the customer to audit, on-request but no less than once per year:
1. all virtual and physical access to the physical environments where your data are kept (SAS70 at least)
2. background screening of any employee or contractor who has had responsibility for back-up or restore of your data, with a hold-harmless to you if something is found and prosecuted
3. right to pursue permissible legal action for any supplier employee or contractor wrong-doing if found by the cloud supplier or your audit team
4. notification, within the context of applicable law (state/federal), of your legal department for any confirmed breach into your data (query or removal)
5. cloud computing supplier maintains security monitoring logs of all access to your data and documents access as routine, random audit, or suspicious leveraging their prescribed scripts and operational procedures as the basis for all audit, for no less than 7 years
6. off-site back-up for disaster recovery and or business continuity must be encrypted and all vendors must subscribe to ALL security measures above, without exception, including the audit
Diffie begins to surface the most misunderstood issue about security for the cloud - those who have access must be trusted. As Reagan said, "Trust, but verify" can't be minimized here as the passion to reduce cost and improve efficiencies must guard our most basic liberties, including protection of identity for consumers/patient.
I also believe that the phrase "swamp computing" is truly a better description of the potential snakes and gators who may cause serious harm in the Cloud due to lack of personal or corporate safeguards.
I trust the cloud-owners security more than my neighbors...
Overcoming a cloud’s high walls is difficult, hacking a weak, personal computer to become an insider is far easier. The Software Protection Initiative (spi.dod.mil) has found that unmanaged end-nodes (e.g. the millions of users connecting from wide range of questionable devices) pose the greatest risk to the cloud.
So what to do? SPI has developed a range of solutions; the most widely used being the free LPS-Public (http://spi.dod.mil/lipose.htm). LPS-Public creates a temporary, trusted Internet end-node from pristine media on almost any computer. For almost a decade, SPI has been the US Department of Defense’s program responsible for R&D to instill trust into common, commercially available systems.
Feeling secured about Cloud Computing
I was highly confused to be added with cloud computing. Having gone through so many articles from different sources on net now i feel free as it has become clear to me that the seamy side is negligible.This review site is a great help, readers can also find information on http://www.techyv.com/article that was useful to me.
Manufacturing in the United States is in trouble. That's bad news not just for the country's economy but for the future of innovation.
This document is part of the “How-To Guide for Most Common Measurements” centralized resource portal. This tutorial provides a detailed guide for measurement and device considerations to take temperature measurements using thermocouples. Get an introduction to thermocouples, which are inexpensive sensing devices widely used with PC-based data acquisition systems. Also review some specific thermocouple examples and learn how thermocouples work and ways to integrate them into a data acquisition measurement system.
View full PDF >
Listen to story > 
Our list of the 50 most innovative companies, including the following:
On Twitter
Become a Fan on Facebook
Subscribe to the Feed
ArcAnge1M
1 Comment
Security Solution
Check out M2MI for a comprehensive cloud security solution.
Reply