Cloud Computing Security

1 August 2008 at 13:40 | Posted in Cloud Computing, Data Centres, Ideas, IT Security, Online Backup Services, Security

[Category: Ideas. If you are new to my blog please read the “About itimes3” page first]

Cloud computing is the next big thing, or perhaps the current big thing. If you work in the IT industry like me, you’ve read about it and heard sales talk about it for several years now, and the pace is stepping up.

Yet what has been surprising me, particularly now that cloud computing appears to be taking off in earnest, is that there does not yet appear to be any formal, independent global body that oversees the cloud computing industry.

There are no ISO certifications for cloud computing operators, there is no standardised security benchmark, no governing body, and no way you can tell whether a service you may want to subscribe to is run in a secure data centre or on a stack of dusty, failing reconditioned PCs in the corner of someone’s flood-prone garage.

For the past few years I have been doing my backups online, online backup being probably the most basic form of cloud computing. The problem is that each of the big operators in this market claims they have secure facilities, store your data in a way that nobody else can access, use private keys for encryption, etc.

However, there is no way I can know for sure that the data centres they use, and the systems they use, are truly secure and compliant with any standard – particularly because there is no standard. One thing is certain: there are vastly differing setups out there, yet everyone claims high levels of security.

Case in point is the use of “private keys”. Several operators claim to offer data security via the use of a private key, and that they cannot access the data because the private key is entered by the user and thus the user is the only one who knows the key and can encrypt and decrypt the data.

However, this is not technically possible, because all these backup services use versioning to track changes in the data and back up files incrementally, which saves very significantly on disk space.

In order to use versioning, the data needs to be decrypted to check the file content and how it changed; the changes are then backed up and the file is re-encrypted. For this, the private key is required, which means it is stored somewhere and accessed by the backup service on a practically non-stop basis whilst the backup is occurring.

Obviously this is all done in an automated way; no human being is sitting there manually decrypting and re-encrypting these files. But it means that if someone at the backup service provider wanted access to your data, all they would need to do is load the private key, which they have to have access to, and decrypt any files they wanted.

And this is just one example. The same applies to any other cloud computing services available today. We do not know what is out there at the data centres. Our data is lost in the fog. A big brand name makes no difference (as recent big outages at one key provider show). What is needed is independent verification and compliance with standards.

So I say: it is time for either the industry or user interests to initiate the creation of an independent governing body that issues certifications to cloud computing providers that comply with a published minimum security standard, and that verifies compliance on a regular basis through, for example, unannounced annual inspections.

If you like this idea and you work in a type of industry where this is relevant, I would be happy to discuss in more detail, answer questions or assist in other ways. For details and contact information please see the “About itimes3” page.

George Spark

Disclaimer: Any trademarks mentioned herein are the property of their respective owners.
All usage of this site is entirely at the user’s risk.
