The Cloud Makes Security Smarter

[originally published in Enterprise Conversation, a UBM/DeusM publication]

This is one of a growing number of story categories that, I’ve recently been told by people who get paid a nice sum, you care not one whit about.  James Thurber collected “sweeping generalizations” (e.g., “There are no pianos in Japan”) and, in his honor, I’m collecting unsympathetic topics.  I may be too sympathetic with readers to be a good judge of what constitutes an unsympathetic topic, but I’ve gained a lot of feedback from editors and other non-readers (you know who you are… at least, so I’m told) and am taking copious notes.

Early this year, I had a blast covering the RSA 2012 security conference in San Francisco, partly because it brought together the brightest experts in the field of information security — a topic about which I care deeply, though I’ve been told that’s symptomatic of my disease — for legitimate discussion and deep thinking about topics like cloud security that I’m told you care nothing about.

I Can’t Get No…

Having covered the Windows XP + Outlook e-mail security debacle in the previous decade, my immediate take-away from the RSA conference (and perhaps for 2012 as a whole) is that this time we are asking smarter questions about cloud security.  Oh sure, we saw the public relations disaster that was the RSA company’s response to its own security breach (far more potentially damaging to your personal security than anything involving Microsoft):  With the aid of a gospel choir, RSA Corp. literally sang its official response to the massive March 2011 SecurID security token breach, to Rolling Stones music:  “You can’t always get what you want.”

That’s what happens whenever you let public relations handle incident response.  Not smart.

But let’s be honest:  Security is not (thankfully) a service of anyone’s public relations department.  For once, the businesspeople who have their minds fine-tuned to this problem are asking the right questions.  The most important of these questions, in my opinion, is this:  If in every massive breach incident, the fault can be traced to design, then why can’t cloud architectures enable designs for a virtual envelope that have no practical correlation — that are physically impossible?

One such example was floated last year by VMware, and is still under consideration: a system that issues enterprise employees virtual, smartphone-capable, business-oriented communications environments that do not exist at any centralized location anywhere in the world.  Cloud architecture is enabling engineers to realize that virtual machines do not have to be constructed in parallel with real ones.  What makes them virtual is the client, the perception of continuity on the part of the user, like a kinetic sculpture viewed from a particular angle.

It may be far more difficult to breach the security of an entity whose borders transcend any known concept of physical boundary.

BYOD Party

When the enterprise thinks of cloud insecurity, the picture that immediately pops into mind is not RSA but Dropbox.  The rapid rise of Dropbox and the other services in its category is on account of businesses’ need to share information between their employees more directly and conveniently.  It speaks volumes about the slow-moving nature of evolution in IT that even chief executives should breach their own policies and invest so much of their trust in an unhardened architecture designed not for business but for consumers.  This whole “consumerization of IT” is getting more like a revolution every day, because we’re starting to see the bloodbath.

Yet even the Dropbox incident(s) do not indicate an endemic fault with the cloud, or with cloud architectures specifically.  In fact, the fault line lies not in the cloud but at ground level:  Password protection is ridiculous.  If there is a fault-proof system of authentication and session protection in our future, passwords will have nothing to do with it.

And that’s the problem… if you think about it, which is the very thing certain parties would prefer you not do.  An entire industry is leveraged around the continued existence of certain elements of our information infrastructure whose existence is threatened by the cloud: endpoints.  Passwords are the crux of endpoint security, and in a world with no endpoints, security providers would be forced to seek new jobs.

The key to prolonging the status quo is postponing debate on the future.  For that to happen, you need to disavow all interest in the problem at hand.  You have to be, as I’m told you already are, disinterested.  And I believe that about as much as I believe another article in Thurber’s collection:  “Women don’t sleep very well.”