Technology Review - Published By MIT
Technology Review  in English | en Español | auf Deutsch | in Italiano | 中文 | in India
Advertisement

How Secure Is Cloud Computing?

Cryptography solutions are far-off, but much can be done in the near term, says Whitfield Diffie.

By David Talbot

Monday, November 16, 2009
smaller text tool iconmedium text tool iconlarger text tool icon

Cloud computing services, such as Amazon's EC2 and Google Apps, are booming. But are they secure enough? Friday's ACM Cloud Computing Security Workshop in Chicago was the first such event devoted specifically to cloud security.

Cryptography pioneer: Whitfield Diffie, a cryptographer and security researcher, and visiting professor at Royal Holloway, University of London.
Credit: David Talbot

Speakers included Whitfield Diffie, a cryptographer and security researcher who, in 1976, helped solve a fundamental problem of cryptography: how to securely pass along the "keys" that unlock encrypted material for intended recipients.

Diffie, now a visiting professor at Royal Holloway, University of London, was until recently a chief security officer at Sun Microsystems. Prior to that he managed security research at Northern Telecom. He sat down with David Talbot, Technology Review's chief correspondent.

Technology Review: What are the security implications of the growing move toward cloud computing?

Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn't apply if we were flying our own planes. On the other hand, it is so much more economical that we don't realistically have any alternative.

TR: The analogy is interesting, but air travel is fairly safe. So how serious are today's cloud computing security problems, really?

WD: It depends on your viewpoint. From the view of a broad class of potential users it is very much like trusting the telephone company--or Gmail, or even the post office--to keep your communications private. People frequently place confidential information into the hands of common carriers and other commercial enterprises.

There is another class of user who would not use the telephone without taking security precautions beyond trusting the common carrier. If you want to procure storage from the cloud you can do the same thing: never send anything but encrypted data to cloud storage. On the other hand, if you want the cloud to do some actual computing for you, you don't have that alternative.

Story continues below


TR: What about all of the interesting new research pointing the way to encrypted search and even encrypted computation in the cloud?

WD: The whole point of cloud computing is economy: if someone else can compute it cheaper than you can, it's more cost effective for you to outsource the computation. It has been shown to be possible in principle for the computation to be done on encrypted data, which would prevent the person doing the computing from using your information to benefit anyone but you. Current techniques would more than undo the economy gained by the outsourcing and show little sign of becoming practical. You can of course encrypt the data between your facility and the elements of the cloud you are using. That will protect you from anyone other than the person doing the computing for you. You will have to choose accountants, for example, whom you trust.

Tags

Amazon cloud computing cryptography Google operating system security

Related Articles

Comments
  • Security Solution
    Check out M2MI for a comprehensive cloud security solution.
    Rate this comment: 12345

    ArcAnge1M
    11/19/2009
    Posts:1
    Avg Rating:
    1/5
  • Cloud computing secure
    I find Cloud Computing secure, since you don't have to depend on computers and hard disk to store your data.

    It prevents your data from crashing as well as from computer and internet viruses.
    Rate this comment: 12345

    karmadir
    11/23/2009
    Posts:4
    Avg Rating:
    1/5
  • Who Has Access & What They Have Access To
    Diffie raises a good analogy, "know who hire" for you know not what they do when they have access to your data. Choosing the cloud computing supplier should consider at least the following:

    Contract that permits the customer to audit, on-request but no less than once per year:
    1. all virtual and physical access to the physical environments where your data are kept (SAS70 at least)
    2. background screening of any employee or contractor who has had responsibility for back-up or restore of your data, with a hold-harmless to you if something is found and prosecuted
    3. right to pursue permissible legal action for any supplier employee or contractor wrong-doing if found by the cloud supplier or your audit team
    4. notification, within the context of applicable law (state/federal), of your legal department for any confirmed breach into your data (query or removal)
    5. cloud computing supplier maintains security monitoring logs of all access to your data and documents access as routine, random audit, or suspicious leveraging their prescribed scripts and operational procedures as the basis for all audit, for no less than 7 years
    6. off-site back-up for disaster recovery and or business continuity must be encrypted and all vendors must subscribe to ALL security measures above, without exception, including the audit

    Diffie begins to surface the most misunderstood issue about security for the cloud - those who have access must be trusted. As Reagan said, "Trust, but verify" can't be minimized here as the passion to reduce cost and improve efficiencies must guard our most basic liberties, including protection of identity for consumers/patient.

    I also believe that the phrase "swamp computing" is truly a better description of the potential snakes and gators who may cause serious harm in the Cloud due to lack of personal or corporate safeguards.
    Rate this comment: 12345

    ontheboatont...
    12/27/2009
    Posts:2
    Avg Rating:
    3/5
  • I trust the cloud-owners security more than my neighbors...
    Overcoming a cloud’s high walls is difficult, hacking a weak, personal computer to become an insider is far easier.  The Software Protection Initiative (spi.dod.mil) has found that unmanaged end-nodes (e.g. the millions of users connecting from wide range of questionable devices) pose the greatest risk to the cloud. 

    So what to do?  SPI has developed a range of solutions; the most widely used being the free LPS-Public (http://spi.dod.mil/lipose.htm).  LPS-Public creates a temporary, trusted Internet end-node from pristine media on almost any computer.  For almost a decade, SPI has been the US Department of Defense’s program responsible for R&D to instill trust into common, commercially available systems.
    Rate this comment: 12345

    sweerek
    12/29/2009
    Posts:8
    Avg Rating:
    5/5
Reply

Log In

Forgot your password?     Register »
Advertisement

Top Stories Of The Day

Technology Review January/February 2010

Current Issue

Security in the Ether
Information technology's next grand challenge will be to secure the cloud--and prove we can trust it.
Advertisement

RSS Feeds

xml icon TR Top Stories
xml icon TR Editors' Blog
xml icon TR Video Blog
xml icon TR Video
Advertisement
Subscribe to Technology Review's daily e-mail update. Enter your e-mail address

TECHNOLOGY RESOURCES
Advertisement
MIT Massachusetts Institute of Technology © 2010 Technology Review. All Rights Reserved.