On the first flight underway to CSI-SX and Interop in Las Vegas, we were about to land at JFK. It was early in the morning, and as is sometimes the case there were dense low-hanging clouds. We were about to touch down, dropping out of the clouds very close to the ground, when the engines revved up and we took off again. The pilot announced that “there was another airplane on the runway … not a problem … we’re just going back in for another landing shortly.” That’s about as close a call as I can handle, but this kind of occurrence is to be expected – lack of visibility cannot be completely solved with instrumentation and air traffic control.
What does this have to do with the conference? Well, in some sense flying in the clouds and computing/storing/communicating in the clouds have some similarities, and aviation certainly went through its period of disastrous events that were eventually used to implement increased control and safety. Cloud, at least in some aspects, is still in its infancy, and as I had expected the cloud discussion was alive and well. It wasn’t so much in the exchanges I had with other attendees, but it certainly was front and center in the general sessions and sprinkled throughout the tracks. The bottom line? I didn’t exactly get the warm and fuzzies about either cloud security, or the general understanding thereof. It was all, well, like trying to navigate those low-hanging clouds.
It is perhaps unfair to pick on the presenters from Amazon and Google – they are not security experts – but these are after all the people who sell promises of the cloud to the CIO. Amazon’s Jinesh Varia’s slide deck touted “military-grade perimeter controls” – perhaps someone can explain to me once and for all what that’s supposed to mean. Google’s Adam Swidler spoke of the virtues of having data securely in the cloud instead of on the endpoint, only to do a complete 180 and talk about offline data and applications a few slides down. The kicker was when they referred to a SAS 70 audit as “a cool thing” and “up and coming,” respectively. In all fairness, Google’s security story around software- and platform-as-a-service can be a lot tougher to sell than Amazon’s infrastructure-as-a-service, but in the end I felt like neither was all that convincing.
A later presentation by Tanya Forsheit and Nolan Goldberg from Proskauer Rose LLP discussed legal aspects of cloud computing. The usual suspects of information ownership, the geographic location of the information, and who might be legally allowed to provide it to authorities were covered (side note: Richard Watson blogged about regulatory conflicts and cloud recently). The advice, as I boil it down, was pretty simple: assessment, contracts, and oversight. But what was more troubling to me was the notion that case law in the area of cloud computing is not yet at all established. Tanya Forsheit noted that searching for “cloud computing” in a law database resulted in a single result having to do with a trademark dispute over the term itself, not anything having to do with actually using the cloud. But with outsourcing arrangements having existed in IT for a long time, I’m not quite sure that many aspects of cloud are all that new. So maybe this is a case where the definition is really clouding the issues in the legal system … not a reassuring thought.
So there’s obviously a lot left to be learned about “the cloud” and its security. People were feverishly taking notes – I hope their takeaway was similar to mine: cloud is a term describing way too many things at once, discussing cloud security often conflates many issues in implementation and control, and more clarity is needed. Our upcoming report on cloud security (authored by Dan Blum) should provide a guide for at least plotting a safe initial course in the clouds, but we need to remember that – just like in aviation – we might have to witness or work through a disaster or two before we figure it all out.