Cloud Security Debate: Cloud Now or Cloud How?

min read

During the often-fiery 2012 presidential debate season, a lively debate of a different sort held at Indiana University (IU) featured passionate arguments on the nature, status, and future of cloud security in and beyond the higher education environs. Moderated by Brad Wheeler, IU's vice president for IT and CIO, the debate featured two figures characterized by Wheeler as symbolic leaders of the "Cloud Now" and "Cloud How" parties:

Shel Waggener (Cloud Now) is Senior Vice President at Internet2, where he leads the non-profit's cloud initiative, called NET+ Services. Waggener was previously CIO for a networking division at Lucent Technologies and CIO and Associate Chancellor at the University of California, Berkeley.

Fred H. Cate (Cloud How) is Distinguished Professor and C. Ben Dutton Professor of Law at IU's Maurer School of Law, and director of both the Center for Applied Cybersecurity Research and the Center for Law, Ethics, and Applied Research in Health Information.

Following are highlights of the Waggener–Cate debate, including salient points, key quotes, and a bit of the color and passion that permeated the sometimes sprawling and always interesting discussion. A full, unabridged transcript is available here. —Editor

Opening Statement: Shel Waggener

Waggener began by enumerating the benefits of life "in the cloud," from abstract gains such as opportunity and creativity to the concrete benefits of technological advancement, lower costs, and widespread accessibility. He then delved into the crux of the debate: data security.

Referring to Cate and the broader Cloud How contingent, Waggener stated that doubters would "have us believe that staying out of the cloud is a safer way to go.

"Perhaps you still run a mainframe at home, and you have your cloud-based deck of cards to feed into that machine, to tell it what to do. Whereas I have more power in my hand than every computer built from 1950 to 1980," he said. "That's because of the cloud."

After acknowledging that Cloud How supporters, or "server huggers," might feel safe when they see the "blinky lights turning off and on," Waggener said that, in contrast, he and his ilk rely "on open standards, community involvement, cloud security alliance, National Strategy for Trusted Identities in Cyberspace and federal standards, and — more importantly — the global engagement in computing to help ensure that we continue to evolve and don't simply stagnate running our own machines in our broom closets at home."

Waggener asserted that cloud computing's $250 billion market means that its investment in security "will eclipse anything any one individual or institution or state can accomplish on its own.

"That level of investment dwarfs all that have come before it, and represents not just an opportunity in the education space or for any of us individually, but in fact, for all industries and all communities to be and to collaborate in new ways."

Open-source and community-source developments have spawned some of the greatest advancements in software, said Waggener, and "[t]he cloud offers an opportunity to take those collaborative activities and expand them far beyond any one institution or individual."

Opening Statement: Fred H. Cate

Before moving on to his own opening statement, Cate quoted from Abraham Lincoln's assessment of Stephen Douglas's position during their historic 1858 debates, stating that Waggener's argument was also "thin as the homeopathic soup boiling the shadow of a pigeon that had starved to death."

Cate then summarized Waggener's Cloud Now position as, "Let's take our most critical data, our single most valuable asset, and the applications we apply to those data, and let's move them away from our facilities, away from our oversight, out of the control of the people in this audience who normally run them. And instead, let's put them some place far away. How far? We don't know.

"We don't know where they are. We don't know where they're located. All we know is we have intermingled them with data from dozens, even hundreds of other organizations about whom we also know nothing." Further, Cate said, putting that data in a cloud essentially draws a target on it, proclaiming, "This holds the most valuable resources of our modern economy!"

Such a move not only subjects those resources to attacks "from anywhere," but also results in a complicated liability maze, which empowers legions of lawyers who must be hired to manage the inevitable security breaches. What's really needed is a focus on hiring IT professionals to actually protect the data.

"Not that cloud computing will never be appropriate — not that there are no services that could be put in the cloud. But the notion that we are going to transfer away from us, away from our control, away from our oversight these vital, critical elements of our institution is as meaningless as the notion of your white, puffy, harmless balls of cotton in the sky," said Cate. He concluded, "When I hear 'clouds,' I think about thunderclouds. I think about menacing, dark, grey terror that knocks out servers — as they've done twice this year to Amazon."

In response, Waggener noted that Cate's argument assumes that maintaining resources internally is safer, but in fact, "the vast majority of security breaches occur internally" and that suggesting cloud providers are less secure simply "ignores the facts."

Questions and Answers

Does the fact that the number of Facebook users continues to grow despite the requisite surrender of personal information imply a tacit approval of the cloud computing model and its risks?

Cate: After first noting that Facebook's making money "off our cupidity" isn't surprising, Cate pointed out that the real question is whether the Facebook model is one worth following in terms of protecting institutional data.

"I think anyone who has seen the breaches that Facebook has suffered, has seen the changes of terms of service, has seen the difficulty that individuals have getting control of their own data in the Facebook environment, would argue that Facebook is the perfect example for why we would not want our data in the cloud."

Waggener: Waggener took issue with Cate's characterization of Facebook users, noting that there are clear differences between protecting the security of cat videos and posts about what users ate for breakfast, on the one hand, and institutional assets that obviously demand a more concerted effort at security on the other. Comparing security of consumer services that are explicitly designed to collect and resell data on your activities with solutions designed explicitly designed to protect data misses the key point — 900 million people may be willing to share photos of Fluffy the cat with little concern about security, but those same individuals expect transactions with banks' cloud offerings are safe and secure. This is no different to internal systems some designed security and some less so.

"The Arab Spring simply doesn't occur without connecting people in new ways," said Waggener. "Which is more valuable: the freedom of an entire population or protecting pictures of Fluffy?"

If humans are the weakest link in any security apparatus, how are we better off by concentrating all of our data such that one human error would expose us all — not just one campus or one department?

Waggener: "The greatest failing, thus far, has been the security research community, which has not yet updated and adapted their practices to accommodate for the kind of scale that we're dealing with now in the cloud," he said, adding that educating users as to their responsibilities is also essential.

"You would no more give a three-year-old keys to a sports car than you would send somebody out to begin putting all of their data into the cloud without training. Yet, in fact, we do that today in our own computers, at home. People perceive that by putting a password in, they're secure. Then they proceed to use that same password in every system that they connect to. That's not a failure of a system. That's a failure of an educational process."

Cate: "The problem that we face here is one, as he puts it, of adaptation. And I, for once, agree with him," said Cate. "The security research community has not adapted," which is precisely why it's not yet wise for an institution to concentrate all of its assets in one location.

Professor Cate, you're a very strong advocate of security and policy and getting policy and the rules right. If the policy and the rules can't protect us, is your work meaningless?

Cate: It isn't that policies per se can't protect us, said Cate, but rather that policies in this area are not yet rational. "We don't have standards around cloud computing.

"Everyone in the security world agrees that the three greatest vulnerabilities in any system of protecting data are the humans, the supply chain and, ultimately, the government — because the government, depending upon where the data are located, gets access to everything."

Cate said we've not yet done a good job in any of the three areas, and putting them at a distance certainly won't help. In the pre-cloud world, he noted, we "at least know our own humans. We have no idea, when we put our data in the cloud, who their humans are. We have no idea even where they are located."

Likewise, Cate said, local supply chains are verifiable and auditable, whereas in the cloud, "we don't even know who the suppliers are...and remember, in almost all of the significant outages we have seen from cloud service providers, they have ultimately been blamed on either humans or a supply-chain problem."

As an example, Cate cited a case involving hospital records processed by a company in San Francisco. That company sent those records to a company in India, which then subcontracted the job to a company in Bangladesh. When that company neglected to pay its employees, the employees posted the records online. "No amount of contracting, no amount of policy is going to protect us against that risk."

The final element, government, gets access to data anywhere it's located, said Cate, "so when we store our information in a cloud — without knowing where that cloud is, in what jurisdiction — we might as well just be posting it on the web with a, 'come and get it' sign."

Waggener: He began by noting that medical schools and hospitals have long outsourced transcription of medical records and that "the problem existed long before the cloud became the more efficient and effective way to distribute information and simply resulted in cost savings.

"Whether you have a good partner or not has nothing to do with the cloud," said Waggener. "It has everything to do with your ability to understand the risks involved in any engagement and to ensure that you have the proper oversight in place."

Credit cards and debit cards have security issues related to fraud, but over time, that has been largely worked out. The market was self-correcting. The behavior sorted itself out. The policy and the security standards evolved. Won't this situation really fix itself, too?

Cate: "The answer is no," he said, adding that the market didn't fix the credit and debit card fraud situation. "Congress fixed that situation. It passed a law saying no individual could be liable for more than $50 for the fraudulent use of a credit card. It passed that law 40 years ago, and 40 years of experience when all of the financial responsibility was shifted to the card issuer has taught card issuers to be really careful."

According to Cate, there is no liability shifting in cloud computing. "A cloud computing company loses your data, a cloud computing company is hacked, a cloud computing company goes down. Congress has said nothing about what happens there," said Cate. "That's exactly the point about this being in [its] infancy. There will come a time when we will have well-established standards of behavior and it may then be that certain data can appropriately be put in the cloud."

Waggener: "I think the real issue here is that the credit card laws were passed after, not before, the credit card industry existed. The first in wide use, the BankAmericard, was innovative at the time," said Waggener. "But, in fact, once the innovation evolved and reached a certain scale, the community was able to voice its needs and laws were passed.

"You're suggesting that the government step in and prevent evolution and advancement of cloud computing until we get it perfect. I would think, as a technologist, even you would recognize that there is no such thing as perfect, but rather continued enhancement and improvement. We have seen laws passed in 50 states now, providing data protection."

Cate: After noting that credit card protection was created over the objections of industry — which initially rejected the idea of standards in favor of in-house fraud management — Cate emphasized that Congress acted to protect consumers only after consumers demanded that protection.

"Secondly, the 50 states that you refer to as having enacted security standards may be someplace," he said wryly, "but they're not in this country. In this country, 47 states have enacted breach-notification laws. Get this — this is what he called good security: 'We'll tell you after we've lost your data.' That's a good standard. To date, only one state has enacted a state security standard law, and that's the state of Massachusetts. So if you want to put your data in the cloud, I'd go to Massachusetts," said Cate, "because at least there, there is some legally required minimum standard for security of data."

In the aftermath of assessing the recent massive meltdown of the U.S. economy, we see that almost no one was responsible, that each bank was dependent on another bank. They were all individually "following the rules." Is the cloud the next financial house of cards?

Waggener: This scenario is a "very real possibility," he said, if we, as an important community of interest, take responsibility for ensuring that we require strong security protections be put in place — not just with the primary provider, but with the data itself. For example, by implementing sound encryption, individuals and institutions can maintain control over how their data are stored and protected, regardless of any breach or failure that might occur at the cloud provider as long as encryption standards are followed. Encryption is just one of such commonsense security practices.

"Such individual institutional actions contribute to an overall ecosystem of protection, so that you're not relying on any one player in the ecosystem. You're relying on everybody to do their part. And, most importantly, you're relying on yourself to do your part and not simply turning over everything to a cloud provider without actively participating in the protection of your information."

Cate: "I think it is a house of cards. One question we might ask is, 'What happens when it comes crumbling down?' Which it will."

To illustrate the possibilities, Cate cited the case of Toy Smart, which was one of the earliest data-mining companies to go bankrupt. Toy Smart held data on children who had purchased toys online, promising, by law, that it would never sell the data. "Until it went bankrupt," said Cate. "Then the bankruptcy court said, 'you only have one asset: that's data.' Just like a cloud-computing provider. Just like all of the service providers you talked about.

"If any chain in that link fails, the whole chain fails. But, worse than that, the asset that they all have in common is our data. Our data, which at that point is marketable. It has value. It can be sold to settle the debts of the bankrupt."

How does use of devices such as an iPhone — which are not all that impressive without cloud services — square with being cautious about data housed in the cloud?

Cate: "For playing Tetris, the iPhone is fabulous. It is, perhaps, the best screen ever invented for that game. It also makes watching movies terrific," he said. "But for putting your most sensitive data on, your tax returns, your banking, and so forth — you then have to use a different standard of judgment. That standard of judgment does not ultimately depend as much on the iPhone as it does with the partner on the other end of the transaction.

"The problem we have seen with the iPhone is where Apple itself has failed to live up to its commitments. For example, we discovered a majority of apps were collecting data even though they weren't permitted to collect data," Cate said, adding that this is "a classic case of an early-adoption problem." In the iPhone case, he noted that the data shared was at least data that users had elected to give Apple, "as opposed to having somebody else make the choice for them about data that are potentially far more valuable — about the students, the applicants, the alums, the staff, and the faculty of the university."

Waggener: Devices such as the iPhone are about more than data, he said. In essence, they are "windows into the world" that facilitate access to information and resources.

"The vast majority of that isn't about protected, proprietary, or custom data. It's about sharing information," he said. "So, when you go to do that in a portable device, you have to know how to protect what's important. With that, I do agree with Professor Cate that you must have those standards in place. Not just for the company, but for yourself."

What data to you personally put in the cloud?

Waggener: In addition to filing his taxes electronically, Waggener said he puts much of his content into a 3-2-1 program. "I have three places I keep all my data. Yes, I have data in iCloud, and yes, I also have it in Amazon, and yes, I also have it at Google. But I have all my most sensitive data protected, also, with an on-site solution in my home, as well as mirrored to a third location away from my home but outside of the cloud, so that I — at all times — have three individual copies on three different types of media."

Waggener said he won't allow providers — such as Google and Yahoo — to link his identities; he never provides personally identify viable information (PII) to any cloud provider; and he always creates his own security questions. "And I use the same credit card — which has the highest level of protections — for my enrollments online."

Cate: "I'm glad that Shel doesn't put his PII in the cloud; he just thinks you should put the rest of our PII in the cloud instead," he said, before offering his own list of what he puts — or rather, doesn't put — in the cloud:

"I don't put any sensitive student information — I don't put anything regulated by US Department of Education regulations — in the cloud because I don't think we can verify compliance with that," Cate said. He has a local backup of less important information that he connects to through an iPhone or an iPad, "on the assumption that they will almost certainly be compromised in the cloud." He doesn't use Facebook or Twitter, and, as much as he admittedly loves his iPhone, he didn't get the first-generation iPhone "because I wanted to wait for the iPhone next-generation to let them fix the first round of certain problems.

"That is very much where we are with cloud computing today," he said. "The notion of taking a huge collection of data and putting it some place far removed from us — where we have no direct control over it — may one day, in some future generation (or after enough drinks) make sense. It just doesn't yet."

Waggener: "Things like Twitter are not about personally identifiable information. They are about connecting things," said Waggener, who added that he opened a Facebook account when it was first released "not because I was going to use Facebook, because I was exploring and deciding what the value of such a tool was for myself and my community."

Is this obsession with privacy just a 20th-century notion? Are we attempting to solve a problem that's no longer relevant to the younger generation?

Cate: "We know well that this generation cares about privacy. They don't care about it the way that we do. They don't think about it as the same thing," he said, noting that when discussing privacy with his classes, he often lugs in a box of his students' college application essays and offers to read them aloud, but gets no more than five words into the first one when everyone yells, "Stop!"

"Whenever people say, 'This generation doesn't care about privacy,' you can just look at the reaction to specific things that challenged their view of privacy," he said. "They have a much more subtle notion of privacy, which cares about circles of trust."

Waggener: "I think it's fair to assume that privacy standards will continue to evolve as appropriate decorum in any professional setting has evolved over time. It doesn't mean it's worse today. It means it's different."

He went on to say that "what is rude in the real world is just as rude online," but that it's not the cloud's fault that inappropriate words are uttered or off-color ideas are shared. "Is it the cloud's fault that a complete idiot would make a video that would enrage a billion people? No, those are standards of free speech. Those are standards of decorum which transcend the cloud — and calling an individual an idiot is something that we all still have the right to do."

Isn't the real debate here only about the pace of these problems being solved and the pace of how much we engage? And, if so, what is the right pace for cloud?

Cate: "I don't agree that it is just a question of pace. We have seen technology move down many what you might call 'dead ends,'" he said, citing the examples of cassette tapes and digital audio tape. Technologies evolve and are replaced, often with no indication that something is simply a fad. The question, said Cate, is "how much people and institutions want to invest in "an unproven technology in an unproven system" when putting their critical data into it might make it harder to secure and harder to reliably access at will?"

"What I would suggest is not to eschew cloud — that's why the campaign slogan is not 'Cloud Never,'" he said, "it's simply 'Cloud Not Yet.' Not until we have better experience with it before we put institutional data in it. Not before binding legal standards are developed that tell you where liability is going to be found when things go wrong, which they inevitably will. Not before there are clear security standards on what good background checks mean, on what appropriate oversight is, on what auditing looks like in the cloud.

"What you don't want is to be the test case that demonstrates that. And therefore the right pace is not to say never, it's to say not yet."

Waggener: "I can appreciate the bitter feelings that Professor Cates has over his Betamax collection today. But believing that the best approach is to sit on the sidelines and to allow any technology evolution to occur — without your involvement, without your engagement, without your input, without your insights, and, just as significantly, without our communal insights — thinking that the best approach is to wait until all the problems are solved simply goes against the core ethos of the academy."

Waggener concluded by asserting that it's essential to recognize that the pace of change is accelerating whether we want it to or not. "I'm sure living in Mayberry was a wonderful thing; we'd all like to go back there. But remember, Mayberry never actually existed. It was imaginary, and it was proposed as an idyllic scenario for all of us to escape to.

"I'd rather not escape anywhere; I'd rather be part of that change. And I think being involved in the cloud today gives us the opportunity to influence it rather than to sit by and wait, and wait, and wait, and then eventually recognize that no one else has a Betamax to play your tapes on."