Thursday, April 24, 2014

What Exactly Is "The Cloud?"


All About The Cloud

"The Cloud" as you can probably guess, at a gross level, refers basically to storage on the Internet.  But many companies and people seem to use it for different meanings, almost like it is a loosey-goosey definition that is being exploited, and definitely misunderstood in many cases.  In fact, you may at some point ask, what's the difference between the Cloud and the Internet?  So this article will strive to blow away all the smoke, and boil it down to its essence.

The Internet, as you may well be aware, is simply a set of interconnections between computers (and here I use the term "computer" to loosely describe some computing device).  This interconnection is a combination of wires and wireless media, and a collection of "protocols" or methods of communicating for specific purposes.  For example, the web uses the "HTTP" protocol, or "HyperText Transfer Protocol."  File Transfer Protocol (FTP) is used to transfer files, and so on.  The Internet allows devices to connect and communicate with each other in an open and standardized (and sometimes secure) fashion.  So, what is "The Cloud"?  As the Internet is well-defined, we don't need to call it something else, do we?

Basically, "The Cloud" is a euphemism (look up the definition) for storing your own data on someone else's machine that is accessible through the Internet.  It is a really good marketing ploy, a good single, simple term to describe a set of security protocols defined by whoever wants to define them, to allow you to store and access data (such as music, pictures, Office documents, applications, or whatever).  One example of a Cloud is Google Drive.  This is a primarily web-based system that allows you to store and access files in folder structures, as well as providing hosted applications to edit these files - all on Google's systems (or those of someone they contract to hold their data, which is really your data).  Another example is Apple's iCloud, which not only allows you to store and share files and has hosted applications, but also provides a secure way of storing application settings and experience preferences (like bookmarks, keyboard shortcuts, passwords, and more).  (By the way, iCloud also has hosted applications to find your devices on a map, and access e-mail, contacts, and calendar.)

So, anyone can define anything as a Cloud, as long as it allows you to store and access data across the Internet, securely.  Last year I bought a Western Digital cloud drive, which sets up Internet access to my files from anywhere on the Internet.  Granted, this is a loose definition of the Cloud, but probably still within the arena.

Many companies have had Cloud solutions for years, and many more are getting into it.

The Good And The Bad

So, what's so great about it?  You don't have to manage backups.  These clouds are typically accessible across devices, across operating systems.  Also, you can easily select certain data to share, and you are not e-mailing that data (which may be mega- or gigabytes), but a link to that data.  Many offer features like hosted applications (word processor, spreadsheet, etc. that you can run from a web browser to edit your data), so you never have to install or upgrade these apps.

So, if it's so great, what's so bad about it?  Once you put your data on someone else's system, you are completely in their hands as far as security and trust.  In the original computer paradigm, you create a file, and you store it on your hard drive.  Your computer has to be on, and connected to the Internet, for someone to remotely gain access to it.  This has been relegated to a set of fairly sophisticated hackers, who would have to know that your system exists, and have some interest in putting forth the effort to hack into it.  But now, with these Cloud services, they are huge - and become a huge known target for hackers.  Hackers know that your data is there, and know where to go to get it, and can assume that hacking is worth the effort.

Do you use QuickBooks online, to store your financial information?  Do you put your company's Intellectual Property, which may contain ITAR-regulated Defense designs, in the hands of some third party whom you can't hold liable if some of that data is stolen by foreign nationals, and the Department of Defense comes after you?  Do you put your personal files, containing personal data, on Dropbox, Drive, Microsoft SkyDrive, Amazon S3, or a myriad of other services?

Nowadays, we are riddled with news stories - and I can see the trend.  Traditional forms of computer security that we have held as acceptable are easily cracked.  New password-cracking algorithms, plus the ability for computers to utilize the CPU and GPU to compute, plus more and more powerful computers, mean they can break through your encryption in minutes or hours instead of years, decades, or centuries.  The Heartbleed bug identified last week, that has been in place for 2 years, is a prime example of a core technology (OpenSSL) that is used by most software to secure data, having a vulnerability that hackers have already exploited.  Chances are, we are probably not even aware of most of the worst hacks and thefts.

But, just as insidious, I find, is this: do you really know or trust the company behind your cloud?  Do you trust Apple, Google, Yahoo, Amazon, or the little-heard-of companies that are contracted to store their data?  Do you trust the NSA's access to these data, should they (or their computer software) deem that they need to investigate you?  Because, the more that you put digitally, and the more you put it in the hands of someone else, the more vulnerable you are to the Science Fiction stories where the police hit a few keystrokes and can cross-reference any private or public information to instantly make a decision on who is "bad" to them (à la Continuum).

If you heard of Heartbleed but have no idea what OpenSSL is, here's a 2-sentence primer.  OpenSSL is a free set of libraries that most software developers use to secure data, such as to encrypt Internet traffic or a file on a Cloud drive.  Heartbleed is a vulnerability that allows hackers to easily break that encryption and see what is encrypted, and was introduced in OpenSSL 2 years ago, only now to be discovered.

How does that affect you?  Dude.  Dude!  I can guarantee you that at least 90% of everything you do on the Internet that you think of as secure (credit card purchases, cloud storage, password entry, VPN, etc.) uses OpenSSL to encrypt the data.  That means that, if anyone is listening or wading through the data you store on other systems, and they know how to exploit Heartbleed, everything you have is an open book to them.  They can get your logon IDs, passwords, bank account numbers - anything you type into a web page that says it is secure, or indeed even if you don't have a web page, but some application that communicates over the Internet.  There is absolutely no guarantee, and no way for most of these companies who host your data, to even know or track if they have been hacked.  Some of the hacking may just be some third party "listening" in on the traffic between their site and you.

I am almost certain that there are vulnerabilities other than Heartbleed, that have not been or may not ever be found.  Who are the perpetrators?  Who knows.  NSA?  CIA?  Al Qaeda?  Syrian Electronic Army?  China?  Russia?  Could be anyone.  I predict in the next several years, the whole concept and practice of security will undergo an overhaul, an upheaval.  Is a simple name and password sufficient?  Not any longer.  What will replace it?  Multifactor authentication?  Biometrics?  Something else?

Either way, be afraid - be very afraid.  The more we use Cloud, the more vulnerable we are.   And there is nothing we can do about it, either legislatively, or legally.
