What is “the cloud” and why so much of this weather-related computer speak lately?
One of my colleagues states it best in their email signature line: “The cloud is just a word used to represent someone else’s computer.” At Wikipedia, here’s what “cloud” means in the meteorological sense: “an aerosol consisting of a visible mass of minute liquid droplets, frozen crystals, or other particles suspended in the atmosphere….” In comparison, this is cloud computing: “the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.” So the cloud is not a thing per se but more like a service. It alleviates the computer user from managing something such as their own computer resources. It is a service that never turns off because its availability is on-demand. When you need the cloud, it’s there for you (for a cost, of course).
The masses use cloud computing pretty regularly already whether they acknowledge it or not. If you’ve ever sent email from a Gmail, Yahoo!, or Hotmail account you’ve used the cloud. So many media consumers use the cloud because they’re not storing thousands of songs on their iPhones or Galaxys. Rather, the music is housed in the cloud—remember, on someone else’s computer—and when one wants to hear a song and they tap the artist’s name the song streams instantaneously and invisibly to the device. We’re at the stage of communications speed that this is feasible. It’s no different than selecting a film via Netflix. You don’t keep the Netflix library in your home, you just have this on-demand computer system, which Netflix bought and maintains, that you subscribe to and it sends your movie to your screen when you want it.
Now, since I try to share lessons that regard online security and privacy you may already be anticipating how I want to bring the cloud to light. That’s what my colleague’s getting at with his admonition to remember that the cloud is just someone else’s computer. What of your otherwise secure information, or of your private life, do you want some other company or person to be custodian over? Money, cashola, greenbacks, and the like are some of our most precious materials, commercially at the least. You want utter security over your money so you are very, very selective about whom you trust it with. For example, that’s limited to FDIC-insured financial institutions. The insurance gives you one level of trust, and the centuries-old tradition of banking institutions provides another layer. At the bank, if a teller wants to caress your fat stacks of cash they can conceivably go into the vault and manhandle it to their heart’s desires. Same goes to the cloud service provider. In both examples, they are likely not permitted to do that, but they can we’d all agree. What, then, about these cloud service providers? What do you know about them, their privacy practices, or where they keep your valuable information? Do you even realize that your information is “out there” on the cloud, or wherever?
These questions and others are part and parcel to information security professionals’ workadays and that group continually debates, researches, and investigates the cloud’s security, or not. Among others in the field the Cloud Security Alliance since 2008 has been working to understand and repair the cloud’s security implications. They’ve highlighted some of the most meaningful and serious threats to cloud computing including data breaches, malicious hackers, and similar crimes, but also more innocent-leaning failures such as system vulnerabilities (through design and architecture), data loss (the old whoopsy-daisy!), and other diligence-lacking issues. Their point is important. Cloud security is not only under attack but it’s also, like any technology, prone to user error, a risk nonetheless.
Years-long dissertations and graduate-level courses do better at explaining the cloud than some hundreds of my words here, so keep top-of-mind the reality—again, it’s someone else’s computer—when I share with you about the federal government’s treatment of cloud computing security. And, the agency I’m about to refer to isn’t the Animal and Plant Health Inspection Service or the Marine Mammal Commission. Nope, I’m about to talk about cloudiness at the U.S. Department of Defense, presumably an agency that is a bit more keen on security than these other two.
You might think that the DOD is so hypersensitive to security, data or otherwise, that they’re deeply invested in it. After all, the millions of armed forces who leave their families at home to fight the good fight and prepare for the most heinous of the world’s offenses must be the most precious assets that the U.S. government has, yes? In all security discussions we must balance it against convenience, usability, and many other forces. Back to your money, you could encase it in cement and bury it beneath the ocean floor. Total security! But, who cares if no one, yourself most importantly, can never access it?
Defense has taken the weight of convenience, or maybe efficiency is the better concept, to new level of import in the balancing act. It’s decided that acquiring cloud products and services no longer requires security authorizations for “Impact Level 2” information, those data sets that would otherwise be publicly available. The “speed” of government procurement being what it is, this saves time. Seems risky, eh?
To those who might say, “Welp, the stuff’s available to the public anyhoo…” I might retort with another, much more popular idiom to complement my colleague’s: A chain is only as strong as its weakest link. I trust that Defense knows its business better than I, but my networking and tech intel cannot have me escape the logic that IL2 cloud services have some nexus with Impact Level 6, the Pentagon’s highest classified data protecting our secrets and our soldiers. It’s cloudy.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.