As more companies turn to the cloud as a delivery mechanism, some of the initial fears about the model are being shoved to one side, but not all of them. There’s still a concern about the level of trust that’s being allowed in the cloud.
There are several levels to this fear. How secure are cloud service providers? Are they going to be careless with your personal data? Can you trust governments? What do the security forces know? Who can you trust?
A debate at the recent Cloudscape 2016 conference in Brussels, looked at the element of trust in the cloud and whether some of the fears about the technology were justified. But it was a speaker from outside the trusted cloud debate who set out the scale of the problem and just why there are so many concerns about what’s happening to our data.
Tony Richards, now a security consultant, but formerly responsible for security at the government G-Cloud initiative knows thus fear isn’t entirely misplaced:
The government loves collecting information about people – it has about 80 million records on file –not bad for a population of 60 million.
Of course, there’s no suggestion that any government is using this information for any malign purpose, but there remains the general fear that there’s too much personal data out there and that, just by being out there, there’s a danger that it could be picked up by somebody with real malign intentions.
The Snowden revelations shook up the industry and the ongoing row between Apple and the FBI has stoked further fears about how knows what (or, perhaps, who has access to what).
In the Cloudscape debate, the European Commission’s Pearse O’Donohue acknowledged there’s a genuine fear out there and that industry and the EU need to respond to these concerns:
We’re not here for the ICT industry. Our mandate relates to the users. This lack of trust and security impacts on what we’re going to do.
David Blundell, CEO of cloud hosting company 100 percent IT says that the key issue is that it’s very difficult for customers to verify how reliable a provider is:
People need to trust the providers but have no way of verifying that they’re reliable.
However, he says, there is an element of complacency in the process as users are not always concerned about such niceties, he adds:
Some users don’t care what happens to their data, they just want cheap cloud hosting.
He says, however, some industries like the finance sector are very concerned about the trust element:
They have thousands of instances in Azure and would like to have more, but don’t trust Azure.
The European Union has been well aware of this gap between user concerns and providers’ operations which is why it is in the process of implementing a new regulation – the General Data Protection Regulation (GDPR)
According to Kuan Hon, a consultant lawyer with Pinsent Masons, the new GDPR has done little to help some of the problems with trust.
Speaking after the conference, she said that the GDPR is perpetuating 1970s outsourcing models and not modernizing in many ways:
It’s going back to the days of computer services bureaux when you had data on a disc or tape that you handed over to the bureaux to process for you. Cloud is not like that, it’s self-service; you’re processing the data yourself using rented technology.
The example I always use is that it’s like cooking, the current data protection laws assume that you’re hiring caterers, they don’t take into account that you may be doing the cooking yourself using a rented kitchen.
It’s a situation that has been designed (probably not intentionally) for one group – the cloud giants like Amazon, Google and Microsoft, she argued:
The new requirements are going to be tough and the giants are the ones who are going to have the resources and bargaining power to comply: their ability to comply means they’re also more likely to be trusted.
Such trust is going to have an effect on the cloud market says Dr Hon:
Just as in the old days, you wouldn’t get fired for buying IBM, these days it seems you won’t get fired if you buy your cloud services from Amazon, Google or Microsoft – or IBM.
One of the key elements to build up trust is in the use of encryption. Dr Hon says that there should be more emphasis on encryption rather than data location, especially for personal data.
But such an approach does depend on there being reliable encryption and a desire on the part of the user to adopt the technology. Keith Martin from Royal Holloway College says that cloud doesn’t always sit easily with encryption as cloud services are geared to different types of data and encryption takes a one-size fits all approach. However, he says, there’s a level of misunderstanding too:
There’s premise that if it’s cloud then you can’t do much with it. People aren’t aware that there are tools they can use.
There’s a clearly a gap between perception and reality on the part of users. And this is going to cause some issues when it comes to choosing cloud providers: there’s plenty to weigh up when making a choice. Do you trust the providers? Do you trust the government (and its agencies)? And if not, what sort of encryption are you going to use?
One of the key factors is that individuals need to be more aware of what providers are up to. According to Martin:
Have a better understanding as to what you can trust the provider to do.
100 Percent IT’s Blundell puts it more succinctly:
There’s an old Russian proverb. Trust, but verify.
It’s guidance that a lot of people should bear in mind as more companies turn to cloud: trust should be at the top of the agenda.