I’m not a technology researcher. I’m not a technical writer either. I am merely talking from years of field experience.
Technology has a curious history. We have these giant leaps forward, then in an instant, as if we are scared to death, we jump nearly the same amount backwards. When things are getting really dicey we take something old…dress it up…and call it something new. What am I referring to? I am referring to the absolutely abysmal status of software security today. There is NO operating system that is really worth a crap…all we have is different versions of suckiness. Just look at the number of advisories for various open source projects of a security nature. Take a look at commercial software and it’s the same thing. Some are worse than others. It’s mainly the fault of high-level languages and the focus on speed of code instead of quality of code. Cloud Computing is the attempted answer for this. Unfortunately Cloud Computing isn’t the solution. In some areas it’s simply a step backwards. In some areas it is a total retreat to failed computing models. This is what Cloud Computing is. It is a massive step backwards. Why do I say this? What is my basis for this? Is it too late? Does the “cloud” have a place in the modern world? I will attempt to answer these questions.
Why do I say this is a massive step backwards? Let’s look at what we had before the “cloud”. We had mostly de-centralized computing. Internal networks had a central server but the Internet itself was working as designed. Suddenly, folks thought it would be a good idea to attempt to centralize everything into one place or a very few places. They then called this the “Cloud”. This concept isn’t revolutionary. This concept isn’t evolutionary. Heck this isn’t even new. Want to know where the cloud came from? The client mainframe era.
For those who don’t remember, the previous era of computing was the dumb terminal (which was nothing more than a monochrome monitor and a keyboard) hooked into its “server”, usually by a serial cable. The “server” was a mainframe computer that processed EVERYTHING and sent the output of said processing to the display for the user to see. EVERYTHING was controlled on the mainframe. Now let’s take a look at the “Cloud” as it is being pushed. The cloud is a very powerful server or cluster of servers. All applications are supposed to run on the server(s), including the operating system of the guest. The terminal is connected by a much faster connection but in essence it’s a dumb terminal running a micro-OS. The real work is done on the servers. Sounds like the 1960s again. We got away from this configuration due to performance issues, high costs of running a mainframe, and the fact that when (not if) the mainframe went down…everything stopped. Guess what. This version of “cloud” computing is the exact same thing.
There’s another type of “cloud” computing. That’s the kind like Google Apps, Salesforce.com, BPOS, e-mail marketing providers, etc. etc. etc. This version of the “cloud” is like a cirrus cloud instead of the overarching cumulus cloud above. I find this cloud more concerning. The reason is that everyone thinks that because everything is in one huge datacenter it’s more secure. That would be true except for a couple of very large flaws. First, this is once again a single point of failure. As recent Twitter, Facebook, Gmail, and now the huge breach at Epsilon prove…all you have to do is compromise the cloudy provider and much more is laid wide open. The Epsilon breach shows however that this model (also called SaaS or Software as a Service) is horrendously insecure. It’s not hard to breach a large cloud provider living in a datacenter full of servers. It’s even more exposure when you have multiple datacenters for redundancy. However it is still a single point of failure. Combine this configuration with more and more sensitive information (like health records, credit card or other highly sensitive financial information) being gathered into one place and it’s easy to see the inevitable conclusion. The cloud may make it easy for administrators…but that single concentration also makes it easy for the miscreants to get to what you are trying to protect.
Is it too late? Not at all. If folks would do one thing they would put a quick stop to this upcoming series of disasters. Learn from technology past. We went away from the cloud (aka mainframe) because we wanted to not present a single point of failure, to improve security, and increase our ability to recover from a disaster. Keep in mind that datacenters are also subject to disasters and not as many are redundant as you would think.
Does the cloud have a place in modern times? Yes it does. Personal e-mail, I think, has a great place. However businesses with privacy and data security concerns should NOT use the cloud for sensitive communications. Keep in mind e-mail is akin to shouting outside your building…it is NOT a secure medium. You have now put your trust in a third party while you still assume all of the responsibility for a breach. I simply can’t see taking the chance of laws coming down on you while hoping a third party has as much concern about your business’s livelihood as you do. I can tell you right now. They won’t and they don’t.
Here are several links about the Epsilon breach. This is only to get you started. There are tons and tons more to see how widespread this is becoming: