
Can firms trust cloud computing?

by Bruce Schneier

This year’s overhyped IT concept is cloud computing. Also called software as a service (SaaS), cloud computing is when you run software over the Internet and access it via a browser. Both Google Docs and salesforce.com’s customer management software are examples of this.

Last week Japan’s second-largest telecommunications carrier, KDDI Corp., announced it is using 3Tera’s AppLogic cloud computing platform for its services.

If you believe the hype, cloud computing is the future.

But, hype aside, cloud computing is nothing new. It’s the modern version of the time-sharing model from the 1960s, which was eventually killed by the rise of the personal computer. It’s what Hotmail and Gmail have been doing all these years, and it’s social-networking sites, remote backup companies and remote e-mail filtering companies such as MessageLabs. Any IT outsourcing — network infrastructure, security monitoring, remote hosting — is a form of cloud computing.

The old time-sharing model arose because computers were expensive and hard to maintain. Modern computers and networks are drastically cheaper, but they’re still hard to maintain. As networks have become faster, it is again easier to have someone else do the hard work. Computing has become more of a utility; users are more concerned with results than technical details, so the tech part fades into the background.

But what about security? Isn’t it more dangerous to have your e-mail on Hotmail’s servers, your spreadsheets on Google’s, your personal conversations on Facebook’s, and your company’s sales prospects on salesforce.com’s? Well, yes and no.

IT security is about trust. You have to trust your CPU manufacturer, your hardware, operating system and software vendors — and your ISP. Any one of these can undermine your security: either by crashing your systems, corrupting data, or allowing an attacker to get access to systems. We’ve spent decades dealing with worms and rootkits that target software vulnerabilities. We’ve worried about infected chips. But in the end, we have no choice but to blindly trust the security of the IT providers we use.

SaaS pushes the trust boundary one step further — you now have to also trust your software service vendors — but it doesn’t fundamentally change anything. It’s just another vendor we need to trust.

There is one critical difference. When a computer is within your network, you can protect it with other security systems such as firewalls and IDSs. You can build a resilient system that works even if those vendors you have to trust may not be as trustworthy as you like. With any outsourcing model, whether it be cloud computing or something else, you can’t. You have to trust your outsourcer completely. You not only have to trust the outsourcer’s security, but its reliability, its availability and its business continuity.

You don’t want your critical data to be on some cloud computer that abruptly disappears because its owner goes bankrupt. You don’t want the company you’re using to be sold to your direct competitor. You don’t want the company to cut corners, without warning, because times are tight. Or raise its prices and then refuse to let you have your data back. These things can happen with software vendors, but the results aren’t as drastic.

There are two different types of cloud computing customers. The first only pays a nominal fee for these services — and uses them for free in exchange for ads, such as Gmail and Facebook. These customers have no leverage with their outsourcers. You can lose everything. Companies like Google and Amazon won’t spend a lot of time caring. The second type of customer pays considerably for these services: to salesforce.com, MessageLabs, managed network companies and so on. These customers have more leverage, providing they write their service contracts correctly. Still, nothing is guaranteed.

Trust is a concept as old as humanity, and the solutions are the same as they have always been. Be careful who you trust, be careful what you trust them with, and be careful how much you trust them. Outsourcing is the future of computing. Eventually we’ll get this right, but you don’t want to be a casualty along the way.

Bruce Schneier is a leading computer security specialist and the author of “Secrets and Lies: Digital Security in a Networked World.” Read about him at schneier.com