On the first flight underway to CSI-SX and Interop in Las
Vegas, we were about to land at JFK. It was early in the morning, and as is
sometimes the case there were dense low-hanging clouds. We were about to
touch down, dropping out of the clouds very close to the ground, when the engines revved up and
we took off again. The pilot announced that “there was another airplane on the
runway … not a problem … we’re just going back in for another landing shortly.”
That’s about as close a call as I can handle, but this kind of occurrence is to
be expected – lack of visibility cannot be completely solved with
instrumentation and air traffic control.
What does this have to do with the conference? Well, in some
sense flying in the clouds and computing/storing/communicating in the clouds
have some similarities, and aviation certainly went through its period of
disastrous events that eventually were used to implement increased control and
safety. Cloud, at least in some aspects, is still in its infancy, and as I had
expected the cloud discussion was well alive. It wasn’t so much in the
exchanges I had with other attendees, but it certainly was front and center in
the general sessions and sprinkled throughout the tracks. The bottom line? I
didn’t exactly get the warm and fuzzies about either cloud security, or the general
understanding thereof. It was all, well, like trying to navigate those low-hanging
clouds.
It is perhaps unfair to pick on the presenters from Amazon
and Google – they are not security experts – but these are after all the people
who sell promises of the cloud to the CIO. Amazon’s Jinesh Varia’s slide deck
touted “military-grade perimeter controls” – perhaps someone can explain to me
once and for all what that’s supposed to mean. Google’s Adam Swidler spoke of
the virtues of having data securely in the cloud instead of on the endpoint, only
to do a complete 180 and talk about offline data and applications a few slides
down. The kicker was when they referred to a SAS 70 audit as “a cool thing” and
“up and coming,” respectively. In all fairness, Google’s security story around
software- and platform-as-a-service can be a lot tougher to sell
than Amazon’s infrastructure-as-a-service, but in the end I felt like
neither was all that convincing.
A later presentation by Tanya Forsheit and Nolan Goldberg
from Proskauer Rose LLP discussed legal aspects of cloud computing. The usual
suspects of information ownership, the geographic location of the information, and
who might be legally allowed to provide it to authorities were covered (side
note: Richard Watson blogged about regulatory
conflicts and cloud recently). The advice, as I boil it down, was pretty
simple: assessment, contracts, and oversight. But what was more troubling to me
was the notion that case law in the area of cloud computing is not yet at all
established. Tanya Forsheit noted that searching for “cloud computing” in a law
database returned a single result, having to do with a trademark dispute
over the term itself, not anything having to do with actually using the cloud.
But with outsourcing arrangements having existed in IT for a long time, I’m not
quite sure that many aspects of cloud are all that new. So maybe this is a case
of where the definition is really clouding the issues in the legal system … not
a reassuring thought.
So there’s obviously a lot left to be learned about “the
cloud” and its security. People were feverishly taking notes – I hope their
takeaway was similar to mine: cloud is a term describing way too many things at
once, discussing cloud security often conflates many issues in implementation
and control, and more clarity is needed. Our upcoming report on cloud security
(authored by Dan Blum) should provide a guide for at least plotting a safe
initial course in the clouds, but we need to remember that – just like in
aviation – we might have to witness or work through a disaster or two before we
figure it all out.