Trust in the cloud

Every time someone mentions ‘the cloud’ this week your mind wanders… are the talking about ‘the cloud’ as in that fuzzy collection of Internet-based services and storage, or that cloud of volcanic ash which is keeping the airport duty-free shops empty and raising the profit forecasts of car hire companies? The article I’ve been reading, from the BBC ‘Click’ web site, discusses the Internet-based cloud and whether your data is safe. If you go to any search engine and type in the name of a well-known cloud service provider beginning with G followed by “security breach”, you’ll find enough articles to consider that your data (whether personal or work-related) is not safe. In their own blog, they state that a recent attack was not just aimed at them but also at “at least twenty other large companies from a wide range of businesses”. Google (okay, that’s who it was) are now suffering from having a big target painted on their back in the same way Microsoft have. And any other software company that goes to market with a campaign labelling themselves as ‘unbreakable’. Here’s my head, and here’s me putting it above the parapet.

Security is a big topic… by that I mean that it has many facets. I was once the lead UK Lotus Technical Sales Specialist for the Domino web server (many moons ago) and was fairly knowledgeable on the subject of public / private key infrastructures, X.509 certificates and the various flavours of Secure Sockets Layer. Whenever someone invited me to a meeting about security I’d have to qualify it – on one occasion I was lined up for a customer meeting about security which turned out to be about securing the server room (thankfully this fact was discovered before the meeting took place). Security is not just about encrypting data. Access control is an incredibly important aspect – if you start showing one person’s data to other people you’re in trouble. Authentication is pretty important too. So, anyone who thinks SSL on it’s own is secure better think again.

The chap from Evernote tells Click that their premium (i.e. paid for) service is protected by SSL. Our own LotusLive service is SSL-enabled, but not just for paid users – if you log in as a guest your traffic will be encrypted. IBM have a very good track record for security, but we’re committed to the fact that there’s no room for complacency in this space.

Here’s a favourite quote of mine, from the book ‘Digital Certificates’ by Feghhi, Feghhi and Williams (which sits on the bookshelf in my office)…

Cryptography is the science of making the cost of improperly acquiring or altering data greater than the potential value gained.

That may sound a bit dull, compared to (for example) a Groucho Marx quote (“time flies like an arrow, fruit flies like a banana”). What it’s saying is that anyone who has invested in time and skills for nefarious purposes will be after the big fish in order to get a return on their investment. However, that book was published in 1998 and the world is now a very different place. Given that anyone – including the slightly gullible – can have a computer, an Internet connection, an e-mail account and a bank account, the average phisher can reach a decent economy of scale. The weakest link is not necessarily the technology, often it’s the operator.