An article about Cloud Computing in the German weekly ZEIT made me think of a recent blog post on data security in the cloud. Although the article is quite positive and describes Cloud Computing as a disruptive technology that will have a huge impact on the IT world, what really caught my interest were the comments: they were very skeptical. I will translate (and eventually summarize) some of the opinions:
#1 Comment (blariog)
Schäuble [German Minister of Interior] and other surveillance fanatics will be pleased: All they have to do is go into a data center a quickly scan the data. Then we don’t even need the Bundestrojaner [refers to a law that gives the German Ministry of Interior the right to infect private computers with a trojan horse in order to collect data for criminal prosecution] any more.
And CIA, KGB, FSB & Co. can conduct industrial espionage whenever they want – Brave new world.
#2 Comment (toucheturtle) [Short summary]
Companies won’t trust Google with their data. This is why only few companies use Google Apps. The data must be encrypted on the server but then it would not be feasible to use them in an application.
#5 Comment (whauertmann) [Short summary]
The scenario is unrealistic. Mobile devices are turning into more and more complex machines. A more realistic scenario would be that these devices are interconnected and share their storage and processing capacity. [...]
#7 Comment (discha)
We have already had the same discussion a couple of years ago with the Net PC. This vision did not come true and I think Cloud Computing won’t either. The trend is towards more security, not less.
#9 Comment (Chemical Brother) [Short summary]
What about gaming? People will still need a PC for that (not a fan of console games).
#22 Comment (blurred) [Short summary]
The analogy to water and electric utilities is very superficial. People have turned from a decentralized water supply system to a centralized one due to water quality. With respect to the electric grid the question is whether a decentralized system would not be a better solution for the future. For computers this means, a P2P model would make much more sense. [...]
[... and so on ...]
I counted 29 negative comments, 11 neutral or off-topic and 2-3 more or less positive ones.
The main critique points:
No trust in Cloud Computing
The critique focuses on data protection and security concerns. Either people say that they don’t trust the Cloud Computing provider or they argue that an attacker might compromise their Cloud Computing account (or the Ministry of Interior might go and get your data).
There are better ways to deliver computing capacity
Other voices point to different mechanisms to realize Utility Computing, like sharing resources across different machines, devices, organizations, etc. (similar to P2P and Grid Computing).
My objections
Most comments name some valid points but seem prejudiced towards the Cloud. It is true, the Internet is insecure (due to design decisions from the early days, when other things were more important, like end-to-end communication, connection of heterogeneous networks, robustness, fate-sharing, etc.). But we do use the Internet today, and many people already store masses of pictures online, use E-Mail communication and Instant Messaging, Online Banking, and so on. I do not understand how people can seriously argue they won’t go into the Cloud. They are already there.
Imho this shows a big misunderstanding of Cloud Computing. It is not so much about SaaS (people already use Webmail, Google Docs, Salesforce, etc.). It is about virtualized hardware resources provided for developers as services on a pay-per-use basis. Cloud Computing is a developer-facing business.
July 29, 2008 at 5:23 pm |
I agree that the we are already living in the cloud. Shelly Palmer provides a good example in his latest blog article where he points to Amazon, who is rapidly transitioning from an online retailer to a tech company. Amazon offers Simple Storage Service (S3), Elastic Compute Cloud (EC2), Simple Queuing Service and SimpleDB. Businesses won’t have an option not to go with them, regardless of security, especially small and medium sized businesses who can’t afford, or don’t need, their own data center.
http://www.shellypalmermedia.com/2008/07/25/amazon-transitioning-into-a-technology-and-cloud-services-company/
Mike McGregor
Advanced Media Ventures Group
July 30, 2008 at 2:20 pm |
Markus — I think you nailed it with your final analysis. Very often the skepticism directed against “cloud computing” is really a general criticism towards “the Internet” or “web applications” or even “corporate data centers”. For example, I don’t understand how comment #2 applies to cloud computing or Google App Engine. The same is true for any remote server and it’s obviously a problem that has been overcome.
Geva Perry
GigaSpaces
http://gevaperry.typepad.com
July 31, 2008 at 7:35 am |
Markus – I agree with the fact that this is the current overall perception of Cloud Computing security. Can you elaborate on how big was the “no trust” concern? Would these critics use cloud computing if they can be assured that neither an attacker nor government agencies can compromise their data?
Regards,
David Habusha
July 31, 2008 at 7:54 am |
David,
I think that these comments express a general fear of attackers/government agencies on the one hand and mistrust towards the cloud provider on the other hand.
So, even if you could assure that the data is save, people would probably argue that they cannot trust the cloud provider, like Google. However, I believe this fear is somewhat irrational compared to the real usage behavior of people in the net (they usually trust their ISP, or do not care about being logged, fishing Websites and bot nets are big business).
Security is a relative term. It must be weighed against other aspects, such as usability, deployment times, etc. In many scenarios the latter aspects show to be more important (do you usually encrypt your E-Mails when communicating with friends?). But of course if you develop applications in an enterprise context, this will be much more important.
My 2 cents.
Markus
August 1, 2008 at 11:15 am |
Hi Markus. I think businesses are right to be cautious of “cloud” data services. If you’re making the financial future of your business dependent on somebody else doing their job well, of course it pays to be cautious. It’s one thing sending unencrypted email (which we all know is insecure) to your friends, because nobody really cares about this data. But it’s another thing to have all your company’s data and documents held at an unknown location by a third party supplier with far more financial and commercial power than you.
We have already seen plenty of problems with outsourcing, and these issues will become more significant if you move from having specific agreements e.g. with data centres and individual service providers, to having a “one size fits all” agreement whose terms are essentially determined by the more powerful partner. How do you keep track of where they put your data e.g. to ensure confidentiality and security rules are applied? Data in the EU, India, Russia, China or the USA is subject to different laws, so which laws apply, and how do you enforce them when you may not even know where your data is? Do you simply give up and accept that the cheapest host’s rules will apply? What if your data ends up in China or Russia, where you may not be able to protect its confidentiality at all? The first person to hack into Google’s data stores will become rich enough to afford some excellent lawyers!
What if your business becomes dependent on these services, then the service provider changes their terms of business – how much power do you have over a company like Google or Amazon, and how much time/effort/money will it cost you to find an alternative provider?
Don’t get me wrong – I think Google is a great company with an innovative approach to technology in business, but that doesn’t mean I want to hand every piece of data over to them and hope they look after it wisely. Remember Murphy’s Law: whatever can go wrong, will go wrong!
August 1, 2008 at 12:27 pm |
Chris,
I totally agree with your statement. For many enterprises security is a key issue. Most private users, however, don’t care much about privacy etc. (although people might say that it is important, they usually are not willing to spend much time on securing their environment, erasing footprint, etc.).
There surely is a vendor lock-in problem with Google App Engine. With Amazon EC2 on the other hand you should be able to shift your instances to another provider who uses similar virtualization technology. It still would be a hassle, though.
August 24, 2008 at 10:46 am |
As you might see from the comments, the german state of mind is a special one, though there are other countries especially in Europe, that have similar concerns about “modern” topics like cloud computing. I strongly underline that data privacy is an important issue, especially after here in Germany CDs with millions of customer data incl. bank account data were sold to anyone paying some thousand bucks. On the other hand it is to simple just to say cloud is evil and on premise is good, in times of wireless LAN things boundaries become blurred somehow. Security and data privacy must not rely on system functions or SLAs. These features are more processes and They need be more present in the minds of companies, customers and users and also in the minds of legislators.
October 21, 2008 at 5:36 pm |
Having been on the receiving side of lawsuits seeking private information, I can assure you that people will try and pry data out of providers without the user’s knowledge. At at a cost of $10K-100K+ per incident, providers are going to be tempted to comply, and write that into their terms and conditions that people tend not to read. It adds another person to sue, another person to subpoena, another source.
BTW: I once heard a Intuit guy say that they never expect too many Quickbooks users to migrate to the web — because they keep two sets of books! And when the authorities are knocking at the door, they know to destroy/hide one of them… not something they have the ability to do when the knock is at Intuit.