Prof. Whitfield Diffie, Cryptography guru and former Chief Security Officer at Sun Microsystems, talks with David Talbot of Technology Review. In his interview, he makes some interesting observations which I feel are very important to Cloud Computing and, also, will be of interest to the readers of Cloud Ave. I am only highlighting the points I find interesting and I suggest you read the full interview on the Technology Review website.
He makes an amazing comparison to air transportation to explain the difference between public cloud providers and in-house infrastructure. I really loved this comparison as it clearly articulates the advantages of public clouds and their limitations/requirements.
The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.
Another important point from the interview is his take on using cryptographic techniques to secure the data while using cloud computing. Coming from the Cryptographic guru himself, this is very important to all of us who have our feet wet in the clouds. While pointing out that the use of existing encryption techniques is prohibitively expensive and will undo any economic gains that come with the use of public clouds, Prof. Diffie offers some suggestions to vendors as an intermediate step. Even though the second part of his suggestion is pretty widely discussed by many in the industry (including some discussion by myself in this space), I would like to highlight what I consider an interesting suggestion.
Much of this would result from care on the part of cloud computing providers–choosing more secure operating systems such as OpenBSD and Solaris–and keeping those systems carefully configured. A security-conscious computing services provider would provision each user with its own processors, caches, and memory at any given moment and would clean house between users, reloading the operating system and zeroing all memory.
I am sure there will be a debate on this suggestion, but I thought it was compelling enough to merit a highlight, even though the whole interview is a good read. It is time for all of us to stop debating whether public clouds are secure or not. Instead, we should understand the trust requirements and, then, take into account the economics to decide on the cloud strategy.





