We decided to translate Michail Emel’yanikov’s post into English, as we think it brings up some important questions many people forget to ask. Did you?
“Over the past week, there seem to be more and more articles and notes about cloud computing – a periodic influx of interest in any topic; nothing out of the ordinary. But after reading the latest material, I experienced a little déjà vu. All of this was written a year ago, if not more; worded the same way, and applicable to the same situations. On one hand, purveyors of cloud services try to convince us that their corporate clients are enthusiastically clambering into the clouds. On the other hand – all these years there has not been a single vivid answer to all of the simple, obvious questions. Namely:
1. What happens to the data when it’s uploaded to the cloud after the completion of any actions specified by the customer (editing, data processing, pressing the Delete key on the user’s computer, working with the cloud’s infrastructure)?
2. How are the access rights of each user maintained in the SaaS/IaaS/PaaS and other *aaS clouds? How was the reliability and safety of these mechanisms guaranteed, and who guaranteed it?
3. What’s with the virtual architecture inside the cloud, attacks on the hypervisor, super-users, and why don’t they just sell our information to our competitors who receive everything on demand right in the same cloud?
4. Who controls the encryption keys used to secure a connection to the cloud? Why isn’t it FSB/BND/Mossad/MI6/CIA (add more as you wish here)?
As you understand, there is practically an infinite amount of questions to be answered, and they are all related to confidentiality. But, as soon as you raise your head to look at those clouds, more questions start to arise. The list grows further:
5. Who exactly is responsible for your data being intact in the cloud? How is this demonstrated?
6. What will you do when you lose internet access?
7. What will you do when the provider won’t be able to serve you for one reason or another?
8. What will you do when your data simply vanishes?
9. What will you do when you decide to find another provider, and migrate to them? How will you transfer your data, if at all?
All these years the cloud services industry has been talking about advantages – brainwashing the customers and denying us any answers. Instead it presents us with an eclectic brew – the universal description of the great experience and responsibility of the developers, about a large amount of specific security solutions which cannot be described now due to “a lack of time in this interview”. Besides, 95% of such interviews and presentations are marketing tales anyway. They are about the inevitable technological progress and the future of outsourcing everything noncore – nothing to do with the actual questions.
But the absence of answers to all the above listed questions made me return to my own post and presentation, created one year ago.
I found no differences when comparing this to how things are happening today. For information technology and informational safety, a year is a large period of time, and if there is no reaction to all of these challenges, but there is noticeable growth in aggressive marketing, it is no accident. And I, as a security consultant, have a new question for cloud service providers. How and where can customers see security log events associated with their specific data? Do they have them? And what about targeted attacks, with all the new Stuxnet, Flame, Gauss? Clouds are more appealing for hackers than individual sites.
Until these questions are not only answered, but also become a part of the contracts with providers – public clouds will mostly be used for consumer services like social networks, email, file and photo sharing. As for examples of international corporations who already migrated their IT infrastructure (names, for obvious reasons, are not disclosed by providers), we will have to believe the cloud companies’ statements. I used the term ‘public’ cloud, because I still cannot get the difference between a private cloud and an ordinary commercial data center. I have never heard a distinct explanation describing the differences between them. Well, except for the system of payment for services provided, of course.”
Link to the original post in Russian