Cloud computing services, such as Amazon’s EC2 and Google Apps, are booming. But are they secure enough? Friday’s ACM Cloud Computing Security Workshop in Chicago was the first such event devoted specifically to cloud security.
Speakers included Whitfield Diffie, a cryptographer and security researcher who, in 1976, helped solve a fundamental problem of cryptography: how to securely pass along the “keys” that unlock encrypted material for intended recipients.
Diffie, now a visiting professor at Royal Holloway, University of London, was until recently a chief security officer at Sun Microsystems. Prior to that he managed security research at Northern Telecom. He sat down with David Talbot, Technology Review’s chief correspondent.
Technology Review: What are the security implications of the growing move toward cloud computing?
Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.
TR: The analogy is interesting, but air travel is fairly safe. So how serious are today’s cloud computing security problems, really?
WD: It depends on your viewpoint. From the view of a broad class of potential users it is very much like trusting the telephone company–or Gmail, or even the post office–to keep your communications private. People frequently place confidential information into the hands of common carriers and other commercial enterprises.
There is another class of user who would not use the telephone without taking security precautions beyond trusting the common carrier. If you want to procure storage from the cloud you can do the same thing: never send anything but encrypted data to cloud storage. On the other hand, if you want the cloud to do some actual computing for you, you don’t have that alternative.
TR: What about all of the interesting new research pointing the way to encrypted search and even encrypted computation in the cloud?
WD: The whole point of cloud computing is economy: if someone else can compute it cheaper than you can, it’s more cost effective for you to outsource the computation. It has been shown to be possible in principle for the computation to be done on encrypted data, which would prevent the person doing the computing from using your information to benefit anyone but you. Current techniques would more than undo the economy gained by the outsourcing and show little sign of becoming practical. You can of course encrypt the data between your facility and the elements of the cloud you are using. That will protect you from anyone other than the person doing the computing for you. You will have to choose accountants, for example, whom you trust.