This conference, sponsored by the Congressional Internet Caucus Advisory Committee, has become the "go-to" event for Internet policy makers and observers. To meet the needs of our readers, we are restricting coverage to a single session dealing with Cloud Computing. In particular, we focus on legal and privacy issues associated with "The Movement of Information from the Crowd to the Cloud."
While Cloud Computing has recently gotten a lot of publicity from big-name players like IBM, AT&T, Amazon and Google, little attention has been devoted to security and privacy concerns, especially protection of client data and meta-data (information about the data) from unauthorized entities. This panel zeroed in on exactly that topic. The three panel participants were:
- David Schellhase, Senior VP/General Counsel, salesforce.com Inc
- James X. Dempsey, Vice President for Public Policy, Center for Democracy and Technology
- Matthew Parrella, Assistant District Attorney, U.S. Department of Justice
There is a lot of confusion as to what Cloud Computing really is. One panelist thought that the Wikipedia definition was a bit too all-encompassing, but he quoted the first three paragraphs anyway:
"Cloud computing means Internet (‘Cloud’) based development and use of computer technology (‘Computing’). It is a style of computing where IT-related capabilities are provided "as a service", allowing users to access technology-enabled services "in the cloud" without knowledge of, expertise with, or control over the technology infrastructure that supports them. It is a general concept that incorporates software as a service, Web 2.0 and other recent, well-known technology trends, where the common theme is reliance on the Internet for satisfying the computing needs of the users. For example, Google Apps provides common business applications online that are accessed from a web browser, while the software and data is stored on the servers.
Cloud computing is often confused with grid computing (a form of distributed computing whereby a "super and virtual computer" is composed of a cluster of networked, loosely-coupled computers, acting in concert to perform very large tasks), utility computing (the packaging of computing resources, such as computation and storage, as a metered service similar to a traditional public utility such as electricity) and autonomic computing (computer systems capable of self-management). Indeed many cloud computing deployments are today powered by grids, have autonomic characteristics and are billed like utilities, but cloud computing is rather a natural next step from the grid-utility model. Some successful cloud architectures have little or no centralised infrastructure or billing systems whatsoever including Peer to peer networks like BitTorrent and Skype and Volunteer computing like SETI.
The majority of cloud computing infrastructure currently consists of reliable services delivered through next-generation data centers that are built on compute and storage virtualization technologies. The services are accessible anywhere in the world, with The Cloud appearing as a single point of access for all the computing needs of consumers. Commercial offerings need to meet the quality of service requirements of customers and typically offer service level agreements. Open standards and open source software are also critical to the growth of cloud computing."
IBM refers to cloud computing as an emerging approach to shared computing infrastructure. Results are computed in a data center (seen as "being in the cloud" by users) and returned over one or more Internet connections. Users are not generally aware of the underlying technologies or rules governing the flow of data within the cloud. Others believe that cloud computing is a broader concept: any third-party computing or storage service, with the Internet as the backbone. All panelists agreed that cloud computing employs a shared services model.
Cloud computing was seen as being an integral part of the inexorable redirection of technology from local use to the net. Storage and services occur in the network, rather than at desktops or laptop PCs. Cloud computing dramatically lowers the cost of storage to the user (by taking advantage of cheap and voluminous network storage).
We were surprised to hear that Dell has applied for a trademark on the term Cloud Computing.
Key User Concerns with Cloud Computing
One panelist suggested there were three drawbacks to cloud computing (with my questions in parentheses):
1. Users pay a fee (isn’t it normal to charge for a service?)
2. Users lose control over services (isn’t this always the case with outsourcing?)
3. Loss of privacy of data and meta-data (isn’t a privacy statement and contract necessary?)
Many questions arise regarding regulation, security and privacy:
- Should this new industry be regulated? If so, in what way?
- Who (besides the client company) should have access to the data, meta-data, or results of computations?
- When and under what circumstances should notice be given to the client that law enforcement (or any government agency) seeks or is given access to the data? In particular, can the U.S. Patriot Act be invoked to commandeer data from a company suspected of aiding and abetting a terrorist organization?
- What privacy protection will be offered to cloud computing client companies? How will the integrity of their data be preserved? Can it be adequately covered in a contract or service level agreement?
One panelist stated that privacy protection falls off when data is stored in the network. If it is exposed to public view, the data will not be protected at all. What about data in transit: is it protected? User concerns here include terrorism, identity threats and online fraud and scams. A big concern of one audience member was that Cloud Computing service providers would hand over customers' stored data and usage patterns to government agencies that had not obtained proper authority. Such handovers might be justified under the "Patriot Act" but would compromise the privacy and integrity of the data.
According to the DA panelist, "there is a crazy quilt of laws governing privacy of network stored data and that has become a major issue affecting individual (and company) rights." He stated there was a movement away from hacking and copyright infringement and into industrial espionage: the theft of trade secrets. The concern was that cloud computing service providers might not have robust security practices in place to prevent that. In other words, they might not be able to honor the customer contract that protects intellectual property and trade secrets from others. (See last paragraph for a different opinion.)
A crucial concern is who can have access to (proprietary) company data stored in the network. That means not just third parties (including government agencies and police forces), but any and all database and system administrators who hold "the keys to the kingdom." Those insiders could pose a threat if they are recruited by an entity practicing industrial espionage (including foreign governments). But that seems to be an internal security matter, under the jurisdiction of the client company, rather than the cloud computing service provider. The key question is what procedures the provider has in place for authentication, authorization, and administration of user requests. Are these being standardized?
One panelist took an optimistic view, stating that the cloud computing service provider would do a better job of security than the client company. Since it was responsible for security management and privacy protection of many client companies, the provider must have a very robust and comprehensive security system in place to be a viable entity. If it didn’t, it would go out of business very quickly, independent of its price or performance. Hence, the provider would be able to adequately protect client IP as per the service contract, according to this panelist.
Addendum: IBM invests Nearly $400 Million on Cloud Computing Centers in U.S. and Japan
"We consider cloud computing to be the model that can fundamentally change the current IT market structure and create paradigm shifts," said Yutaka Miyabe, director of system research and development center, NS Solutions Corporation.
"Cloud computing is fundamentally about re-engineering the world’s computing infrastructure, to enable game-changing — even life-changing — applications. To IBM, cloud computing is much more than the normal evolution of a data center," said Willy Chiu, Vice President, IBM High Performance On Demand Solutions.