Cloud control: a response to Wozniak

Apple co-founder Steve Wozniak may have his worries about the privacy and security implications of the cloud but are his fears unfounded?

The current state of the cloud computing sector is similar to that of the early automobile industry. The cloud needs security devices – the tech equivalent of seat belts and airbags - to make it safe.

In a recent interview, Apple co-founder Steve Wozniak warned of a dark future for cloud computing, predicting “horrible problems” as its popularity soars. His comments have highlighted the need for governments to enact safety legislation for cloud computing, just as they did for automobiles.

But is the data plonked in the “my computer” folder on our hard drive really any safer than the data we upload to the cloud?

Cloud computing is largely considered the way forward in industry circles, so Wozniak’s controversial comments have ignited fierce debate about the privacy and control we have over the data on our computers.

In a way, his concerns over privacy are valid, particularly for personal users.

The advertisements we are bombarded with while accessing Gmail, Yahoo, Hotmail or other webmail services are a clear indication that the emails we receive are not ours alone. These email systems analyse the contents of the email and display advertisements that are relevant to the email that is being read.

Wozniak also indicated that lack of ownership is a problem. But having ownership does not mean having control.

The terms and conditions of Facebook clearly state that the user owns their data. However, that does not stop Facebook from manipulating our data to suit their needs, or selling it to potential marketers.

The lack of privacy and control over the large amount of data we as individual users are providing through our email and social media interactions online is a major issue for personal users of ‘free’ cloud providers, and Wozniak’s concerns in this regard are well founded.

When it comes to organisational use of the cloud, the situation is more complex. Unlike the terms and conditions of the free service available to individual users, corporate agreements are usually bound by privacy and other requirements.

A recent survey in CIO magazine indicated that more than 80 per cent of businesses are concerned about cloud security, but more than 50 per cent of business view cloud computing as critical to their operations.

Trust not enough

Moving forward, the key issue for businesses will be trust. Do they trust their cloud service provider?

But trust alone will not be enough – a business must have legislative support. When signing service provider agreements, it is important to be aware of the legal aspects and identify which country’s regulations will be applicable if there is a dispute.

Business agreements must also address provider availability (what happens if the cloud service is not available) and recoverability (what happens if the systems used by the service provider fail). They also need to allow for data portability, retaining the right to move from one provider to another.

Finally, organisations should know who has access to their data and who is responsible for detecting malicious activity.

Carefully scrutinising your corporate provider agreement to ensure it ticks all of these boxes offers some level of protection, but some privacy and control risks still remain.

But as with any disruptive technology, there are always opportunities for innovation.

Developing a regulatory framework

Encryption, data segregation and a regulatory compliance framework are all being touted as possible solutions, but how they are handled remains an open challenge.

Current encryption solutions are clunky and require fresh thinking; while data segregation – the notion of keeping highly sensitive data on owned infrastructure – still leaves businesses at the mercy of viruses and Trojans capable of stealing sensitive data.

The development of a regulatory compliance framework would be a big step forward.

Currently, a group called The Cloud Security Alliance, which includes all the major players, exists to promote best practices, but there is no independent body that can certify the providers.

With adequate regulatory control and continued investment in the technology, the cataclysmic problems with cloud computing that Wozniak has predicted can be avoided. 

Professor Paddy Krishnan is a cloud computing expert and Professor of Software Systems at Bond University.