We are witnessing the large-scale industrialization of the data center, owned and operated by the ICT operators, with security technologies in the hands of the end user to remove any need to trust their human operators.
The traditional “protect the perimeter” model of enterprise data security, one where layers of security are added around enterprise data, access to which is limited to trusted insiders, clearly has challenges in a cloud model when outsiders (the folks running the cloud) have access to all your data and can monitor everything that you do in their environment.
The solution is not, as some would tell you in the security profession, better certification of cloud providers and external vetting of the human operators. Certification has a role but the ultimate answer will be the invention of technologies that completely remove the need for trusting the human operators.
There is a historical precedent for this. In a previous era longshoremen who handled cargo at ports (outsourced storage and compute) had a series of certifications on their security that were manually audited by Government officials. Eventually, containerization and automation of ports made those certifications irrelevant, solving the problem using technology and dramatically increasing the amount and speed of international trade.
As Jason Hoffman, CTO of Joyent, (a competitor of Amazon Web Services), likes to point out: “data centers are the digital ports of the 21st century; the bit is the new economic good, measured in bytes and contained in packets, words and blocks.” The analogy is striking and it is likely that technology will again solve the problems that currently hinder adoption of the cloud by enterprises.
Each pillar of the CIA triad of data security—confidentiality, integrity and availability—is currently experiencing tremendous innovation, easing and accelerating adoption.
Availability is the easiest to understand: how a public cloud model can deliver better performance over enterprises owning their own data centers. Consider how the earthquake and subsequent tsunami in Japan made the banking community realize that having a main data center in Tokyo with a backup in Yokohama, just 50km away, wasn't such a smart idea. Contrast that with the latest object-store solutions that provide multi-continent, multi data-center storage redundancy and availability. An example is Joyent’s Global Compute Network, a global alliance of telecommunication providers offering cloud services allowing end users to migrate their data and applications to multiple locations around the world with nothing more than a mouse click.
Integrity, possibly the least understood of the security triad, is keyless signature infrastructure (KSI), which provides digital signatures for data on a massive scale. Keyless means that the integrity of the data can be verified without reliance on cryptographic keys, removing the need to have a trusted human anywhere in the verification chain.
Banks such as SEB, ecommerce providers such as Rakuten and Governments globally such as China and Estonia are integrating KSI deeply into their data centers, ensuring that every system event and object modification is linked together in a causal chain, the proof of integrity of which is independently verifiable by users, regulators or auditors. Regulatory compliance requires enterprises to prove the integrity of their archived data, spending as much as $10,000 per TB for hardware-based solutions. Now this can be done in software in a public cloud at a small fraction of the price.
Confidentiality is possibly the biggest concern for enterprises to adopt a fully public cloud model. Yet here too there is tremendous innovation. Since IBM's Craig Gentry announced his fully homomorphic encryption (FHE) scheme there has been intense research in the academic community to build something practical. FHE implies that you can store encrypted data in the cloud but still run applications on that encrypted data, decrypting the result locally only when an authenticated end user needs to view it, thereby removing any possibility of the cloud operator or outside attacker breaching the confidentiality of the data. Recent results by cryptographers Brakerski and Vercauteren indicate that practical implementations of FHE may be on the horizon.
Subsets of FHE such as functional encryption or searchable encryption can achieve the same result for specified use cases. As a simple example of this technology, imagine if you encrypted a search term say “Britney Spears” and entered the encrypted result into a search engine. The results you get back would be gibberish until you decrypt them, giving you the latest gossip on Britney without anyone having any knowledge of what you searched for.
Encrypted search of course requires a lot more computational power, which is great news for companies like Intel but also for the service providers who can offer a premium service with encryption enabled applications.
I recently had the opportunity to read George Dyson’s history of computing, Turing’s Cathedral, where he traces the digital universe to a nucleus of 32-by-32-by-40 bit matrix of high-speed random access memory built in 1953. Since then there has been wave after wave of innovation and while cloud computing represents the next wave, the impact for the enterprise may be the most profound.
We are witnessing the large-scale industrialization of the data center, owned and operated by the ICT operators who specialize in that task, with security technologies in the hands of the end user to remove any need to trust their human operators. Driven by competitive forces this will lead to a level of service and security vastly superior to what can be achieved in-house, allowing enterprise IT budgets to be slashed yet providing on-demand the latest software applications.
It will take time for regulators to be convinced, but eventually it will become obvious that the technologies described above will enable regulated businesses to be more reliable, more secure than before and the barriers to cloud adoption will be eased. The inevitable conclusion will be an enterprise IT model with zero assets in-house and a massive expansion of business for ICT operators who are operating the data centers and providing indemnification against any business loss.
That time might be closer than you think.
* * *
About the Author
Mike Gault is CEO of Guardtime, the developer of keyless signatures that algorithmically prove the time, origin and integrity of electronic data. He started his career conducting research in Japan on the computer simulation of quantum effect transistors. He then spent 10 years doing quantitative financial modeling and trading financial derivatives at Credit Suisse and Barclays Capital. Mike received a PhD in Electronic Engineering from the University of Wales and an MBA from the Kellogg-HKUST Executive MBA Program in Hong Kong. You can reach him at Mike.Gault@guardtime.com or visit www.guardtime.com.