The term “cloud computing” is now widely used – and unfortunately widely misused – often to irritation or amusement of those of us who remember the times before “clouds”. In fact recent advertisement by a well-known hard drive manufacturer describes a network-attached storage solution – essentially an embedded Linux system with a large hard drive attached – as “your own cloud”. Indeed, cloudy thinking is not far away from cloud computing.
At JUMPSEC we like to keep our feet on the ground, and remember that while abstractions can help us to focus on essential properties of systems and their architecture, unnecessary hype and confusion about technical details can only lead to bad design decisions, misconceptions and ultimately security failures. It is necessary to remember in particular that:
- Bits are bits – copied data is as good as the “original”
- Cloud computing does not actually happen in the clouds – but in very physical data centres subject to laws of nature, laws of states and laws of economics
- Just because you run something in the cloud does not make it “better” or “worse” on its own
- Just because you don’t see or own the hardware, the operating system or the middleware does not mean problems affecting them magically disappear
- If you outsource or offshore a business function the risk of that business function stays with you
- The fundamentals of computing and computer security have not changed.
Next time someone extolls the virtues of cloud computing or shoots it down as yet another fad, why not ask what exactly do they mean?