Friday, December 4, 2009

How do you give assurance on the security when you do not know where the server is located?

Recently I read someone giving a very good point on why businesses are still not receptive of public computing. The reason is quite simple actually.

In every system development project, I'm sure you would have drawn network diagrams depicting where the server is located, what rack, what firewall, etc in your technical document. However in the public cloud, what assurance you have on that? How do you know that the software that is running on the cloud won't be easily hacked? How do you know if a person won't just walk into the data centre containing the software you're using, plug in a USB thumb drive, and proceed to dump all your important information in it?

You won't know... And that's the problem. After following up on cloud computing for so long, the only solution I can think of to this security problem is the hybrid cloud solution. You control the data in your own cloud which will communicate to the public cloud.

Therefore in any cloud solution, you should always look out if the vendor is locking you in to their cloud services. Does the cloud platform follow standards? Can it communicate to another platform? I'm sure some remember the good old days where some big guy refused to follow the web services standard, causing a lot of trouble to all software developers.

Keep your eyes open and beware of being locked in.


Anonymous said...

Cloud computing is easier say that done.

Corporate data easily the most important asset of a company. To run them externally way beyond the security perimeter is a big challenge.

However, it is not a goner case. If the algo / data can be first transformed using one-way approach, the cloud computers may not be able to extract much data too.

Data is probably easier since one can make use of one-way function mapping. Algorithm transformation is certainly a big challenge -- such as anti-RE properties.

chantc said...

Curious. Since you're talking about using one-way approach, does that mean you're talking about storage in the cloud? More of doing backups and dumping it into the cloud?

If you're having an application that does transactional data, you definitely need a 2-way transformation in order for the application to understand the data that is stored.

The only time you do a one-way transformation is when the application is only in-charge of dumping information in the cloud storage and does not need to read it.

This also brings about another problem. Cloud applications can also be considered as shared applications. I'm not sure if you can input your custom transformation logic into the cloud applications. And even if you can, it's quite simple to deconstruct your transformation logic to re-transform your data.

Visit Rhinestic's Knick Knacks @ Etsy for handmade goods and supplies!

Related Posts Plugin for WordPress, Blogger...