One of the big concerns for would-be users of cloud services at the moment is around the protection of their private or sensitive data from other users of the service or the providers of the service. Data can hang around for a long time once it's in the cloud or even just on the Web. There have been some interesting developments in this space, albeit of an academic nature i.e. stuff to take a look at but not necessarily to use in real life!
Firstly, back at Cloud Camp London 4, Miranda Mowbray of HP presented a mechanism for obfuscating data on-premise and then processing only that obfuscated data within the cloud. The unobfuscated data is then only available within the secure (*cough*) on-premise location. There are some problems with Miranda’s approach from the point of view of an enterprise whereby the cost of a data compromise could outweigh the cost of a frequency analysis (or even better a chosen plaintext) attack, however it may have some value for the more casual user or for less sensitive data. It was stated that Miranda hoped to open source the project but I don’t believe that’s happened yet – an abstract of the HP Labs technical report can be found at http://www.hpl.hp.com/techreports/2009/HPL-2009-156.html but no link to the full paper unfortunately.
Secondly, there’s the Vanish project of the University of Washington - http://vanish.cs.washington.edu/index.html. It’s an interesting method for ensuring the inaccessibility of data after a set period of time that utilises the churn of peer to peer hash tables to ‘lose’ elements of a distributed encryption key over time. Once the key is no longer available, the data is no longer accessible. I can see how this may be of value to individuals looking to ensure their individual privacy – I’m really not as convinced that this is acceptable in the corporate or government worlds given their discovery and reporting requirements. But I’m no lawyer – take a look for yourselves!
Hmmm… it’s going to be an interesting space – at least until someone can come up with a practical mechanism implementing homomorphic encryption. I’m not holding my breath :0)
(http://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html)
Friday, 24 July 2009
Saturday, 11 July 2009
CloudCamp London 4
I got to attend the latest Cloud Camp in London last Thursday night (there has to be some advantages to working the less civilised parts of the UK :-)...
Highlights for me were the lightning talk from Mark Cusack from Rainstor outlining some very interesting ideas around storing data in the cloud for compliance purposes when retiring database applications and the Microsoft talk on Azure. In particular the .NET Service Service Bus demo was both pretty cool and pretty scary at the same time. I can certainly appreciate the benefits from being able to quickly and easily publish web services securely via the .NET Services Service Bus (c'mon Microsoft, call it Azure Service Bus and save our typing fingers!) however securing the services in transit is not the be all and end all. What scares me is the almost certain eventuality of employees deciding to write their own wrappers around internal services that should never be exposed outside of the organisation and using the Service Bus to make such services available over the Internet. But, hey, the network traffic's encrypted over an authenticated channel so everything's ok... no?
I've previously blogged about the need for organisations to start monitoring for potential unauthorised use of cloud services. I'd like to emphasis that need again - and organisations shoud also consider blocking access to the .NET Services service bus until they have a suitable policy in place regarding use of such services.
Highlights for me were the lightning talk from Mark Cusack from Rainstor outlining some very interesting ideas around storing data in the cloud for compliance purposes when retiring database applications and the Microsoft talk on Azure. In particular the .NET Service Service Bus demo was both pretty cool and pretty scary at the same time. I can certainly appreciate the benefits from being able to quickly and easily publish web services securely via the .NET Services Service Bus (c'mon Microsoft, call it Azure Service Bus and save our typing fingers!) however securing the services in transit is not the be all and end all. What scares me is the almost certain eventuality of employees deciding to write their own wrappers around internal services that should never be exposed outside of the organisation and using the Service Bus to make such services available over the Internet. But, hey, the network traffic's encrypted over an authenticated channel so everything's ok... no?
I've previously blogged about the need for organisations to start monitoring for potential unauthorised use of cloud services. I'd like to emphasis that need again - and organisations shoud also consider blocking access to the .NET Services service bus until they have a suitable policy in place regarding use of such services.
Subscribe to:
Posts (Atom)
