I listen to NPR basically every time I'm in the car. Normally this gives me an ok sense as to what the rest of the world is thinking about. One show I am able to listen to regularly is “On Point”. I was somewhat surprised when the topic of the day was “cloud computing”.
As usual, the show lined up some very knowledgeable people, but as the term cloud computing is a bit vague and has had more definitions than Merriam's can keep track of, the conversation could have gone in several different directions. I thought that it would be useful to call. Have a listen at their site: http://www.onpointradio.org/2009/08/from-desktop-to-the-digital-cloud. One of the common thoughts about cloud offerings is that “anything accessible over the internet can be called 'cloud'.” This line of thought leads to the belief that you need to hand your information to a third party. While there are some very popular offerings that use this method, it is not entirely true.
There is a way to keep an eye on your data while still reaping the benefits of the cloud computing architecture. This is the essence of public cloud vs. private cloud. Cloud computing is really a “new” architecture for computing in general (new in quotes, because it's “new” like bellbottoms were “new” in the 90s; see http://en.wikipedia.org/wiki/Centralized_computing). Computation is moved to the server rather than performed on the client. Often this means that a user will now use a browser to send input to a server for processing and get output back from the server (instead of entering input into a local application and getting output directly). In terms of security, there are some immediate concerns. First, who handles the information? In public cloud architectures, the vendors will take control of your information.
This opens several legal issues that I should not be considered an authority on, but suffice it to say that the vendor is now legally responsible for your data and can disclose it to authorities under certain circumstances. Also, you must trust their security methods because if they have a breach, you are affected. The private cloud, however, means that you keep control of your information's chain of custody. This is a great benefit for organizations, such as hospitals and financial institutions, that have highly confidential information and highly competent security personnel. Another interesting security topic is that you create a smaller but more inviting target, but you also create a smaller footprint to defend. With private cloud, you have one server (or a small number of servers) that holds all of your applications and data in one central location. This means that if one system is compromised, there is a lot more damage that can be done to disrupt operations.
With the current model, an administrator has to keep track of a multitude of information on disparate machines on various network segments. If one host is compromised, the disruption is limited and the entire operation does not grind to a halt. This may make it seem that private cloud has a security drawback, but instead you can now focus your efforts on a smaller amount of infrastructure, making it more difficult to compromise a central system and increasing the security of your key infrastructure. In my mind, both architectures have their merits and there can be gains if done correctly on both sides. In my opinion, there is no “one size fits all” solution.
Organizations need to find an architecture that suits their needs. As long as the chosen topology is implemented properly and securely, then maybe someday we can completely secure the Internet. Isn't that why we are so passionate about security?
The original article/video can be found at The Public Cloud