CSA Congress 2010: Cloud security means social challenges, not just business ones

Microsoft’s VP for trustworthy computing opened his keynote on “Creating a Safer, More Trusted Internet” by reviewing how the internet – and internet security – have evolved over the last two decades.

“The threat model has changed substantially over the last 20 years”, Charney reminded the audience. “Although it was predictable, the reality is that until something actually comes about, society does not galvanize around it. The attacks are getting far more complex and targeted.”

Thinking about how and when to deploy storage, infrastructure, or applications in the cloud, Charney suggested, must take into account the threats, as well as the societal and policy implications of the transition to the cloud, “because the cloud will change how they are perceived in the world”.

According to Charney, much of the problem we have in dealing with threats is that we think of internet security as something complicated, which can be broken down into parts and solved piecemeal, instead of as something complex, which cannot be deconstructed into different parts.

And because the internet is a shared domain and attacks are often similar, there are numerous actors – some malicious – who all use the same infrastructure. “The nature of the attack often does not tell you anything about the actor or their motive”, continued Charney, with the internet being integrated in such a way that you cannot tear it into separate parts.

“When we think about protecting [the internet], we need to think about how do we protect a shared domain”, Charney added. It’s this mentality that can be applied directly to the concept of cloud security, where resources are often shared by numerous entities.

Perhaps the most difficult security question to ponder is that of attack attribution, said Charney. “One of the two things you don’t know on the internet is who’s attacking, and why?” One of the issues that bogs down the security field, he asserted, is that defense occurs in this ‘wild west’ free-for-all environment.

Of course, Charney reminded the audience, there are also jurisdictional and privacy issues to contend with when it comes to a whole host of cloud-related issues. Where attribution of attacks may be clear, the local policies regarding use and access may conflict with those of the investigating body.

Charney gave, as an example, problems that arise when local authorities are investigating suspects, yet their data is held by a cloud provider that stores the suspect’s data in another country. “One of the problems here is over borders – what does the customer own, and what does the cloud provider own?”

Among the other complications the Microsoft VP noted was compliance. “Cloud asks people to give up their sense of control and pass it to the provider”, which, under our current regulatory regimes, is no defense for non-compliance.

There are also many “green” benefits to moving data into the cloud, but doing so creates rich, attractive targets, Charney continued. This also presents a problem when things go wrong, such as how do you conduct shared investigations? Who investigates when there is a dispute between a cloud provider and its client? Many times the solution is to bring in an independent third-party investigator, but this presents challenges as well, he commented.

Charney closed the address by acknowledging that approaches to cloud security must take into consideration the complicated social implications that accompany the paradigm.

Identity and privacy are key issues here, and as we aggregate information within the cloud, one username and password can provide access to a wealth of personal or confidential information. Charney asked the audience to ponder: What is the appropriate use of this aggregated data by cloud providers?

He also reminded the audience that, for better or worse, data stored in cloud-based services will always remain. “Your whole life will be recorded”, he warned. “That could be great, but computers never forget anything, and everything is searchable. These are major social shifts in the world.”

And while tracking such information may be a plus for marketers, not everyone feels comfortable with being profiled. The social implications of all these cloud-based services, said Charney, are enormous, with each jurisdiction that weighs in having a different perspective. “Most people have no idea how much surveillance is done over the internet. Most people have no idea how targeted advertising is done”, he lamented. “These problems are complex and are not always well understood by the public at large.”

“The balances we choose to strike in the years ahead, between the security issues of the cloud and the privacy implications, are going to be huge, and they are not going to be easily worked out.”

“Technology should not dictate social policy”, Charney declared, alluding to the explosion of available cloud-based services. “The fact that something is technically doable, does not necessarily mean that it should be policy. And even after you sign the policy, you need to make sure the technology lines up with the policy you just enacted.”
