If you heard many of my conversations with people in ICT about cloud, you might find it hard to believe that we are, in fact, only at the very beginning of the cloud age, with all the uncertainties, complications, and opportunities that would entail.
To dispel this mistaken idea, let’s take a look at a bit of history. It’s fairly obvious that, cloud age or not, there have always been three pillars of the ICT industry—network, compute, and data—and that we can basically explain every past or present industry trend in terms of the convergence of at least two of these pillars. Take the PC or smartphone: that’s network meets compute. The network-storage industry comes from mixing data and network. Big data is compute plus data, and so on.
Read my article in Ericsson Business Review, titled "Head in the clouds: is the ICT industry fooling itself?"
Network, compute, and data
Cloud is the ultimate convergence of these three pillars. It’s a complete systems approach to network, compute, and data under a single operational, automation, and governance domain. For the first time, server, storage, and network infrastructure is completely integrated, which means that simply thinking of cloud as a different delivery mechanism for software really understates its true significance.
Governance at heart of security questions
But it’s the governance domain that poses the most serious questions. Consider that the whole point of cloud is accessibility—unlike traditional IT and telecom systems, which can be compared to completely closed boxes with a cable going in one end and out the other, almost anybody can get inside a public cloud system and program against it. This makes clouds convenient and easy to use, but it also constitutes their major disadvantage. The classical security model is built on the exact opposite principle, namely strictly limited access, and that’s simply not an option anymore.
It’s hard to overestimate the scale of this challenge. In fact, the classical security model views a public cloud—with unknown numbers of unknown people running unknown applications with accessed hardware—as the very definition of a compromised system. The cloud requires us to start from the point at which this classical model breaks down and to assume not only that everything has been accessed, but that this has actually been done on purpose.
Finding a new model of data security
Finding a new model that guarantees the integrity and confidentiality of data in a system without secrets is an enormous task. There are some potential solutions under development. For example, several companies are working on approaches to data integrity based on keyless signatures and keyless encryption, and some of the most interesting research in this area focuses on homomorphic encryption, which tries to figure out how encrypted information can be accessed without decrypting it. Get this right, and there’s no need for a trust model at all, since there’s literally nothing that users have to trust their cloud providers to keep secret.
But if this sounds like a Herculean undertaking, that’s because it is. The industry is still a long way from cracking this particular nut, and the lack of robust governance and transparency remains both a top stumbling block to widespread enterprise adoption of the public cloud and the principal reason why cloud still represents such a low share of enterprise IT spend.