Murphy's Law: Is Cloud A Growing Storm on the Horizon?

Posted 01/07/2010 at 2:00pm | by David Murphy

9

Comments

Print

You're hearing a lot about the wonders of cloud computing at this year's CES. And while that has different applications for the enterprise level than consumer, the practical reality of it for most PC users (and laptop users especially cough-cough-Chrome OS-cough) is that you're taking the data that would otherwise reside on a system within your control and placing it in the hands of another entity. It's not quite a question of "open data," as that phrase is more used to describe the concept of data that's accessible to all. But cloud computing does open up your data.

Cloud applications can be super-useful when you let others run the services that improve your geeky life. Your data, however, is your own. And the more consumers coalesce their computing lives into access points, the more this data becomes ripe for abuse... or worse.

But don't let me be the sole voice of reason on this one. Just this week, the Federal Trade Commission sent a letter to the Federal Communications Commission--more a missive--detailing the exact issues that cloud computing brings to the table. Quoth the FTC:

"For example, the ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers."

Now, I don't want to point figures and suggest that a specific company would use your data in an erroneous fashion. But it's not as if this would be an unfamiliar concept in the world of big business. And it doesn't even have to be a purposeful reworking of your information--like a mash-up of search history, the contents of your documents, or your gaming preferences with a healthy dose of advertising or services promotions.

Consider a simple transaction like uploading a picture to a social network. Although there might not be anything potentially marketable for a cloud service provider to see a shot of you at a company holiday party, you've nevertheless turned over a critical measure of control to an entity that might not have your interests at the forefront of its daily operations. What happens when you want to delete the picture that's seemingly under your control? Now what if this picture was a critical legal document or list of all your passwords?

Let's take it one step farther: A few proposed solutions for Cloud security are currently floating on the marketplace, but I don't think that there's enough being done to secure the transaction and the method of transaction between you and the third-party service you interact with.

My iPhone is the first such example that comes to mind. I can buy plane tickets with an iPhone app, I can check my bank account with an iPhone app, all my email comes directly through an iPhone app, et cetera. Now, suppose someone gets their hands on my phone. All the hardware encryption in the world isn't going to stop a dedicated enthusiast from breaking through the castle door and storming through my social networks to build up a list of my logins, passwords, and other critical information.

That's one scenario. Here's another: Given that so few applications are set to run in a virtualized environment, it almost doesn't matter if an unscrupulous person gets physical access to a machine. All it takes is a few exploits to plant the seed for data or authentication theft. From there, it's only a matter of time before the totality of one's accounts is compromised--remember, the cloud stores your data now, not your desktop. It would be much easier to access a PDF being passed from host to cloud or stored on a server somewhere than it would via a folder on your hard drive.

I could go on, just as I could likely list out quite a number of ways you could accidentally destroy your PC throughout the course of your day. The point is not what cloud can do to ruin your life, but rather, what preventions will the industry need to enact to ensure seamless cloud adoption? This a three-way tango:

• Hardware: Cloud-attached devices need tougher encryption and more rigorous authentication methods. Similarly, if a user breaks into a cloud-attached device, there needs to be another security gateway or hardware lock (almost in the same vein as a Blizzard Authenticator) that blocks access to cloud data without a perfectly precise method of identifying the exact user at the system. Any owner of a master account should be able to disable cloud-accessing devices at a moment's notice.
• Access: Any data traversing from a PC to a cloud service, or vice versa, should be heavily encrypted to the point that it's indecipherable to any eavesdropping program or user. Similarly, virtualization and sandboxing should be key components of any operating system or applications that interact with the cloud to reduce one's ability to compromise hardware via an external source.
• Storage: Cloud companies need to provide secure hosting for cloud-based data that can remain independent from any breaches to the service throughout the chain. There must be an explicit and immediate method for data removal throughout all its locations in the cloud, and safeguards must be taken to ensure that data remains independent from unauthorized access by the storage host itself--including comprehensive logging, data-leak provention, and authentication services.

If it sounds like a tall order, that's because it is. You wouldn't give up your passwords or data if one of your friends or coworkers promised to store them for you. Why should you give such implicit trust just because an entity is corporate, not corporeal?

David Murphy (@ Acererak) is a technology journalist and former Maximum PC editor. He writes weekly columns about the wide world of open-source as well as weekly roundups of awesome, freebie software. Befriend him on Twitter, especially if you have an awesome app or game you're dying to recommend!