Mirko Zorz | Net-security
Marinescu is the author of Cloud Computing: Theory and Practice. He was a Professor of Computer Science at Purdue University in West Lafayette, Indiana from 1984 till 2001 when he joined the Computer Science Department at the University of Central Florida.
In this interview, Marinescu outlines a variety of interesting facts about cloud security, illustrates how the cloud has shaped enterprise security, and provides insight into key future trends.
How has cloud computing shaped IT since it stopped being just a buzzword?
There is little doubt that cloud computing has revolutionized our thinking about information processing and information storing; its impact on the activity of many organizations, large and small, as well as on individual application developers, is proof of the economic benefits of the new paradigm.
The very large number of applications running today on clouds shows the appeal of virtualization, when users work in a familiar environment rather than being forced to operate in an idiosyncratic one.
The cloud computing landscape is continually changing; new services are offered and new providers enter the scene, increasing the competition among CSPs (Cloud Service Providers). But more work needs to be done. Improved security and a higher degree of assurance, performance isolation, and solutions to the problem of vendor lock-in and interoperability standards are at the top of the list of cloud users' concerns.
Robust and economic solutions for cloud resource management, the ability to support elasticity without over-provisioning, security and reliability of the cloud infrastructure, and effective cost models are the main problems for the CSPs. In turn, both users and service providers would welcome the elimination of some of the inefficiencies related to resource virtualization and effective means to support interoperability.
The standardization efforts underway face many technical, business, and legal challenges. It is also unclear if standards based on the current state of the art in cloud computing will not have a negative effect and discourage future innovation.
How has the cloud affected enterprise security?
Security and privacy top the list of public cloud users' concerns. It is impossible for a user to have a complete picture of all the operations affecting the data stored and processed on the cloud. Confidential data can be accidentally disclosed to a third party when files are replicated or moved from one storage device to another and the space where it previously resided is not annihilated. Accidental disclosure is also possible when the physical memory of the pages of one process is not scrubbed before being allocated to the pages of another process.
Clouds are also vulnerable to the traditional threats of systems connected to the Internet and to problems caused by malicious insiders. Auditability is still a distant dream for the cloud systems we are familiar with. These facts limit the appeal of cloud computing for many organizations with strict security and privacy requirements.
In some sense the current state of the art in cloud computing resembles the one in the early to mid 1970s when the Internet was a data network expected only to transport data files from one site to another. Since then the Internet hardware and the software have undergone a dramatic evolution allowing this complex communication system to become a critical element of the infrastructure of the society; today the Internet supports the Web, electronic commerce, data streaming, and countless other applications including cloud computing.
The clever design of the Internet, the fact that it was conceived as a network of networks and that in the early stages of development it was not constrained by a plethora of standards and regulations allowed it to evolve to what it is today; all networks were only required to use the IP protocol and IP addresses.
Today, we are far from a coherent framework that would support clouds of autonomous computer clouds and tear down the barriers between the three cloud delivery models, SaaS, PaaS, and IaaS.
There is a substantial gap between the academic research and the community of CSPs. Very little information about the accuracy and the limitations of existing tools is available in the literature because CSPs are unwilling to share internal data. Each cloud service provider attempts to protect its proprietary technology and protocols which ensure the commercial success of the organization. The practical realization of interoperability seems to be a fairly remote possibility under these circumstances; thus, we expect that for the foreseeable future, vendor lock-in will continue to be a very troubling issue for cloud users.
What key trends can we expect to shape the future of cloud computing?
The many challenges faced by cloud computing hint that computer clouds are indeed complex systems. A complex system is one with a very large number of components, each with distinct characteristics, and with many interaction channels among individual components.
Four main groups of actors are involved in cloud computing:
- the CSP infrastructure consisting of possibly millions of compute and storage servers and an interconnection network
- a very large population of individual and corporate users
- the regulators, the government agencies that enforce the rules governing the business
- the physical environment, including the networks supporting user access and the power grid supplying the energy for powering the systems and for heating and cooling.
These elements interact with one another, often in unexpected ways; a faulty error recovery procedure triggered by the power failure of a few systems could cause a chain reaction and shut down an entire data center, and thus affect a very large user population.
Today’s clouds are designed and engineered using techniques suitable for small-scale deterministic systems rather than complex systems with non-deterministic behavior.