When Edward Snowden leaked intelligence files, a storm was triggered in the cloud, leaving a path of destruction. Snowden’s email provider Lavabit shut down. So has the email offering of Silent Circle. The Guardian ran a story declaring: "Lavabit’s closure marks the death of secure cloud computing in the U.S." And the EU is not entirely unaffected either, be it by the Tempora program in the UK or by the U.S. National Security Agency facilities that reportedly reside in Germany.
As Brian Proffitt writes, this storm has triggered the need for all companies to review their cloud strategy. And while the storm’s damage may be messy, all storms also bring a breath of fresh air. We’re starting to feel that now, as more people are reshaping the way they think about their selection of cloud offerings. So, as you take cover from the storm...
Here is your Do Cloud Right list, designed to help you choose offerings wisely based on your needs:
#1: Choose the country of your provider carefully, or run it as private cloud locally.
Firstly, all romantic notions about "information is free" and "the cloud is global" aside, the NSA’s PRISM surveillance program has aptly demonstrated that in these matters legislation trumps technology and even cryptography. That is no small conclusion. Because more often than not users overestimated the power of the IT company and the glorified nerd when making assumptions about who could get access to their data. But even the most committed privacy advocate cannot protect your data when the alternative is prosecution with all the government’s might. And when push comes to shove, most people prefer not to be in jail.
Secondly, claims of encryption on the server of the provider and statements such as "it is encrypted on our server with your passphrase, so even we don't have access" are virtually always snake oil. Because if the server can decrypt your data to serve it to you, it can equally well decrypt it to serve it to someone else. That is especially true of server-side keys and of broken concepts such as using the user’s password for encryption. Please keep in mind that the same password is sent to the server every time your phone connects to keep the email push alive. That's why Ladar Levison of Lavabit was not exaggerating when he said shutting down was the only alternative and people should not entrust their data to U.S. cloud providers.
The Takeaway: Of course encryption is good. But it can only bring you up to the level of security that the applicable country and its legislation have to offer. So before anything else, check the country that meets your data protection and privacy requirements, and ensure there are no backup copies of your data in other countries. The weakest link breaks the chain.
#2: Pick a solution that is fully open source and comes closest to open standards.
Of course technology matters. It's number two on the list. One of the other things that has been frequently reported was that Microsoft provided the NSA with vulnerabilities prior to them being addressed or even publicized. And I suspect they are not alone. Channels of access for the NSA have been reported in several other proprietary applications for a long time.
Unless you believe in the ultimate moral superiority of any particular country and its people, the safe assumption is that no proprietary software can be trusted. Of course open source is not automatically and perfectly secure. All software has bugs. Even open source may have back doors inserted. Perhaps some will even remain undetected for some time. SELinux itself has been questioned for some time because of the heavy involvement of the NSA. But the NSA is not the only party working on this code, and not all eyes on this code are friendly to the United States. Given its own heavy use of SELinux, the NSA has little interest in knowing itself to be vulnerable.
The Takeaway: The important lesson is in the process of co-development. It builds a natural tendency to increase security. Solutions that were put together from open source components by someone who is not part of that process and are not being actively maintained in such a fashion may easily be worse than proprietary software, though.
#3: Take the company that is actively developing at least parts of the technology.
A good guideline: They should be championing at least two open source technologies.
The third criterion is therefore upstream contribution and connection. Whether you are talking about a cloud service provider, or a technology provider for your private cloud, upstream connectedness is likely the third most important criterion in your selection process. Only then will your supplier be able to ensure that security issues are mitigated quickly when they appear and participate actively in driving the technology to the maturity and feature set you require.
Of course, some companies are simply so large that they create whole planets of technology all by themselves. But that usually goes hand in hand with the technology being proprietary. And they create a gravity that is hard to escape. In fact, there is no escape plan.
The Takeaway: Choose your supplier of technology or services carefully. Take a good look at whether they are actively involved in driving and maintaining the technology. If they are just passive users, or worse, running with a fork, it's better to stay clear. Look where the key people of the respective technology community work. That's the company you want to work with.
#4: Know your escape plan.
Solutions that are provided to you as fully open source have an elegant escape hatch built into them by their design. Read: You can take the entire stack and host it yourself without losing productivity or data. This backup plan protects you against legislative changes, company restructuring, and much more. The other side to this is provided by open standards.
The Takeaway: Choose solutions that have the most complete open standards approach to go with open source, because if your escape plan fails for whatever reason, there is a backup. Beware of "Open Core" offers masquerading as open source, though. Gartner called them the "emperor's new clothes" for a reason.
Final steps and parting thoughts
If you’ve followed these steps, be sure you don’t stop short by failing to read the Terms of Service. The Terms of Service; Didn't Read project provides invaluable advice. Choose between the candidates that have met all these criteria. And choose wisely, because there are a lot of unsustainable offerings out there: sometimes out of too much enthusiasm, i.e. with activists who end up cannibalizing the very source of their own technology, and sometimes out of a lack of professional understanding of what running such services solidly in the long term entails.
If it sounds too good to be true, it usually is, and that's true for the cloud, as well.
If after all this, there are no options left, you need to either consider running your private cloud, or accept a higher risk associated with the service. But don't come back and say this is too much to ask, because this is precisely what we set out to do with MyKolab.com. So, it can be done.
Now we just need to demand that these steps become the default when choosing cloud offerings.