The promising technology of Cloud computing recently suffered its first serious bout of growing pains when Microsoft/Danger, which provides cloud computing services crashed and lost all of T-Mobile Sidekick customers’ mobile phone information on their servers and back-up. That has to have cast a pall of concern over corporate customers evaluating the wisdom of outsourcing their relationship with their customers to a third party. Microsoft was at fault, but T-Mobile gets the blame. The other reasoning that has to be running through customers’ mind is that with an emerging technology, what can go wrong will. Anyone who has experienced Microsoft’s blue screen of death can attest to this.
The other vulnerability cloud computing customers face is security. Imagine if the T-Mobile Sidekick disaster had been a raid by hackers instead of a server farm and back-up meltdown. In a world of computer hackers that have become expert at finding the flaws in each new release of software, cloud computing has to offer an appealing target. And it’s not only financial records. Cracking into a server farm is the equivalent of breaking into the vault of a Swiss bank: personal records in the millions and not just one credit card company but charge accounts for them all. All of these problems will get solved in time as vulnerabilities get identified and fixes are implemented. The question for anyone contemplating being an early adopter is “do I want to be the guinea pig that finds the bug?” like T-Mobile.
Perhaps the greatest vulnerability is the lack of a single point of contact ensuring the security of the cloud computing solution. If a client buys the computing resource and storage capacity from Amazon, Microsoft, Google, or another cloud supplier; he purchases middleware from one or more third parties; and he gets applications software from someone else, the only one that has a vested interest in security across these different vendors is the client buying the service. If a break-in occurs finger pointing ensues. More importantly, hackers understand this vulnerability and seek out the weakest link in the collection of elements comprising a solution for any given client. For example, they might find the back door in a middleware program that can be used to gain entry into the main database.
Google’s cloud computing solution is called the Google App Engine. When asked after his introductory remarks at the Google Internet Summit May 5 and 6, 2009, in Mountain View, California to comment of security not being built into the architecture for cloud computing, Google CEO Eric Schmidt made the following statement. “The answer to your question depends upon where you think security should lie. Do you think it should be at the application layer? Or do you think it should be at some middleware layer... I think it’s too early to really know. It’s very strategic for us that people build—think of them as Ajax applications, Ajax++ (see note) with all the extensions—because that displaces the traditional PC dedicated client architecture… I don’t know how security will play out. I’m not aware within Google of a lot of activity at the applications level in security because the kinds of questions that are asked are still relatively early. Maybe we should fix that.”
Cloud computing is relearning all the security lessons that previous computing generation—the early mainframes, the minicomputers, and the PCs—already experienced. For those not familiar with them, the book “Cyberpunk” by Katie Hafner and John Markoff is an entertaining and informative place to start. You’ll follow the exploits of, among others, Kevin Mitnick who exploited the lax security that protected most minicomputer systems 30 years ago. In 1979, Mitnick gained unauthorized access to Ark, the computer system Digital Equipment Corp. (now part of Hewlett Packard) and stole DEC’s next generation RSTS/E operating system software—then in development, a crime for which he was charged and convicted in 1988.
Maybe security should be given more consideration in the development of cloud computing architectures.
Note: according to Wikipedia, Ajax (asynchronous JavaScript + XML) is a group of interrelated web development techniques used on the client-side to create interactive web applications. With Ajax, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behavior of the existing page. The use of Ajax techniques has led to an increase in interactive or dynamic interfaces on web page and better quality of Web services due to the asynchronous mode. Data is usually retrieved using the XMLHttpRequest object.
No comments:
Post a Comment