Last year I was contacted by a student asking me to complete a questionnaire on cloud security issues as part of a dissertation for her degree. Shortly following that request, there was an article published on the very same topic. The article was built around a joint statement issued by European Commission Vice-President Viviane Reding and US Secretary of Commerce John Bryson on the 19th March 2012. The statement frames a high level conference on Privacy and Protection of Personal Data, held simultaneously in Washington and Brussels and, in their words, “represents an important opportunity to deepen our transatlantic dialogue on commercial data privacy issues.” This is an excerpt from the statement:
“The European Union is following new privacy developments in the United States closely. Both parties are committed to working together and with other international partners to create mutual recognition frameworks that protect privacy. Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders. Both parties recognize that while regulatory regimes may differ between the U.S. and Europe, the common principles at the heart of both systems, now re-affirmed by the developments in the U.S., provide a basis for advancing their dialog to resolve shared privacy challenges. This mutual interest shows there is added value for the enhanced E.U.-U.S. dialogue launched with today’s data protection conference.”
The thrust of the student’s questioning was that the uptake of cloud technology was being slowed by businesses’ concerns about data security and privacy. I wasn’t so sure that that was at the heart of the issue as you can probably tell from my answers.
Question: Despite its promises very few businesses have actually moved their operations to the Cloud. Why has the real application of Cloud computing not yet reached momentum among businesses?
Answer: I think the premise of the question is wrong, i.e. that very few businesses have moved operations to the cloud. To explain what I mean, we need to agree terms first. Cloud just means stuff hosted off premises. Web is cloud. Virtualisation is cloud. Streaming is cloud. If cloud means stuff hosted off premises, then a critical limiting factor is the pipe between the client and the host. Even with diversely routed connectivity, this is a business risk in terms of resilience and performance. Business risks need to be balanced against costs and benefits. The second issue for cloud services is that it is more difficult to integrate disparate systems – potentially from different vendors – to meet business specific requirements. There are not yet standards that facilitate this type of integration between cloud vendors (although discussions are in progress). The combination of issues I describe means that cloud services are not suitable for all business functions, business types and business sizes. For example, some businesses may be willing to sacrifice performance and resilience to achieve lower price or greater agility. A business whose main channel is the Web may already have the internal processes and culture to embrace more cloud services. When I said the premise of the question was wrong, I meant that I think most companies do take cloud services, albeit in a limited way. It’s true that most businesses haven’t embraced cloud for the full scope of their technology requirement but I’m not sure this is possible for most businesses given the present limitations of the technology. So really what we’re talking about is a hybrid scenario with a progressive shift to cloud services as bandwidth costs reduce, standards for integration emerge and the business case, taking account of the risks, gradually shifts in favour of cloud. This is part of the picture. There are also cultural and practical issues in terms of change management. On premises IT departments have traditionally kept a tight control over their networks and data. Releasing control is difficult for them. It’s only when competition becomes extreme that the old paradigms become unsettled and eventually unseated. I’ve deliberately left the wider data security issue out of this response because there are lots more questions about it later!
Question: A study by LSE has revealed that the top two issues on the way to adopting the Cloud are fears of data security and privacy and data being offshored. In your opinion have these two issues been the main concern for your users/clients?
Answer: I have some sympathy with this view although when issues are complex, respondents often migrate to shrink-wrapped answers. My view is that the issues of data security and privacy are the go-to issues for cloud ditherers. They’re a form of displacement behaviour. In my experience, it’s rare that data security and privacy are truly critical factors in the decision to use (or not) a cloud service. They are of course critically important issues, but as a technology, ‘cloud’ usually has reasonable answers, at least relative to the security and privacy challenges that already exist due to human and system frailty. My experience is that the objection regarding data security and privacy is often the first provided objection but that a little digging usually reveals a more complex set of concerns, some technical, some practical and some cultural.
Question: Steve Ballmer, CEO of Microsoft believes that security is a personal responsibility of everyone in the chain (– employees, managers, end users). How important is human factor in ensuring security on all levels?
Answer: Steve Ballmer’s comment highlights the absurdity of the data protection and privacy issue in the context of most businesses. That is to say, people are most commonly the weakest link in the security chain, closely followed by the systems and processes they devise. For example, in schools across the land you’ll still find passwords and user names written on post-it notes attached to the monitors of administrators with access to sensitive data about pupils. In the next breath, they will resist a cloud technology solution because they’re not sure where the data is located. There’s a significant lack of perspective about the relative significance of the human factor in most security breaches.
Question: Do you believe security is a two way responsibility for both users and providers?
Answer: In order to create a secure technology chain, people, processes and technology need to work together in a seamless way. This means reciprocal responsibilities between users and providers.
Question: Cloud providers are increasingly trying to convince users that because of their heavy investments in hardware, software and staff, security in the Cloud may be better? Would you say that security on average is better in the Cloud comparing to the in-house security?
Answer: For small and medium sized businesses in particular I’d say that this is true as long as you believe the cloud provider have robust and resilient systems themselves. The reality of most SMEs is that pressure to compete and grow creates budgetary pressure and that privacy and security are easy victims of this pressure. We still see many businesses which do not store and control data effectively and where staff are inadequately trained in the security systems. Aggregating demand through cloud removes part of this problem from the premises and frees up resources to focus on the ‘edge’ issues, i.e. people (and their systems).
Question: What legislation are you currently guided by in the Cloud industry? Do you believe it is sufficient enough for users’ security?
Answer: The UK’s Data Protection Act 1998, the US Patriot Act and the European Union’s Data Privacy Directive all have something to say on this issue. In truth they’re all out of date in the context of cloud and there are various reviews of the legislation happening at present in order to stimulate the cloud industry. One of the issues is at what point permission is required from the data subject. At the moment, the legal view is that the data subject may need to provide permission even if a non-EU company stores data temporarily on an EU device, e.g. through a cookie as part of a social networking service. Moving personal data outside the EU therefore presents potential issues. Currently some cloud companies have circumvented this problem by basing data centres in the EU, e.g. Microsoft. Others have resisted making absolute statements about data location (such as Google) because their data is so widely replicated (data sharding) around their system for the very purposes of resilience, redundancy and security. So the legal landscape is somewhat at odds with the technical landscape.
Question: Some scholars have suggested we create an auditing board/authority to monitor activities of the providers. Do you think it is a good idea?
Answer: Issues of data security and privacy are very important issues. It may not seem so until something goes wrong and you are directly affected. Luckily most of us never experience the effects of a meaningful breach of our personal data. We may be irritated by it, for example if our credit card information is hijacked. However, there is a system of restitution in place and so it’s usually an irritation rather than a catastrophe. However identity theft (as another example) is potentially a very significant issue and one that is growing. So, in order to build confidence in the cloud, there inevitably needs to be some regulation and control. In the same way as integration standards between cloud providers will enhance take-up of cloud technologies, so regulation and legal harmonisation will enhance confidence and take-up.
Question: What are your predictions for Cloud computing security in the future?
Answer: As I said earlier, I think the shift to cloud is underway for most businesses. Whether it is as simple as web-based email or a web store front, or as complex as an entire company built on cloud computing, businesses are on the journey. To paraphrase Anais Nin, cloud adoption progresses when the risk it takes to remain tight in the bud is more painful than the risk it takes to blossom. Cloud leverages scale to deliver more for less. If it really does this well, then the business ecosystem will naturally select it. In my view, security and privacy are real issues that need to be tackled. The cloud providers are the guardians of valuable personal assets: our personal data. They are the data ‘banks’. Data is a valuable asset and therefore as vulnerable to abuse as the banking and financial systems. I would argue therefore that we need consistent and robust regulation and legislation in order to protect our interests. It is clear from the banking crisis that the trust and best intentions rarely work out well for the individual. My prediction would be that ‘big data’ and the ‘cloud’ will be a very important trend over the coming decades and that a robust legal and regulatory framework will emerge, along with standards for multi-vendor cloud integration.
Although the answers provided are focused on businesses, the situation is actually very similar for educational organisations albeit some of the drivers for change are different.