Today I came across a rather thought-provoking blog post by Ryan Bitanga on Planet KDE called Security and the Cloud. He argues that moving personal and corporate data into the Cloud – a form of on-demand on-line computing infrastructure where “Users need not have knowledge of, expertise in, or control over the technology infrastructure” as Wikipedia states – is inherently unsafe. He continues,
Without the need to physically access a target device, your data is no longer secure once your credentials are compromised. […] Granted, this is an issue shared with most, if not all, networks connected to the internet. However, cloud computing amplifies this problem by having all your data readily accessible from the internet.
I could not agree more.
However, what is needed are strategies to mitigate those risks. To prevent unauthorized access to data in the cloud, it should become common practice to use two-factor authentication such as the combination of a password known by the user and a hardware-generated token (e.g. SecurID). Only if an attacker has access to the password as well as the physical token generator, access can be (rightfully) obtained.
Although the above procedure would reduce the risk of unauthorized access through password theft, another plausible attack scenario that I see is the storage service being either compromised or being the intruder itself. One particular example that comes to my mind is the Google Mail service which analyzes its users’ emails in order to provide contextual advertising. While such analysis might not worry personal email users too much, the fact that a foreign enterprise even has the theoretical ability to poke around in other corporate data hosted on its servers should ring all alarm bells of any company deriving its business value from its data. Therefore, an additional layer of encryption hiding the content from the storage service should be the default procedure for companies looking to moving their data into the Cloud.
Overall, it however appears to me that awareness for such security and trust issues does not adequately exist yet and current discussions about Cloud computing are mainly one-sided and benefits driven. I wonder what kind of major data theft incident will be necessary before the discussion approaches a more balanced level.
Update: The New York times ran an article yesterday, sharing many of these views. Read it here.