A Survey of Cloud Models and Services – Part 3

This is the third part of the series, which discusses the security concerns and problems in cloud systems.

On Security, Privacy, Copyright and Piracy

The Internet blurred all the lines between copyright and piracy, allowing everyone to use and distribute pirated copies. Web 2.0 added even more trouble to this already troubled area, around privacy and the sharing and distribution of personal data. With the rise of cloud services, we are about to enter a more problematic and questionable area than ever before.
Software quality is an ongoing problem: it is not yet fully understood or measurable. This problem contains many others, including users’ trust in software. As a generation that has seen blue screens of death on Microsoft Windows, we are not 100% sure that software can work without any problems. Since any software can be buggy, even software developed by huge corporations, an e-commerce site can charge you a hundred times more than it should, or your credit card can be used without your authorization. It’s possible, and anyone outside the software industry, or anyone who does not use it on a daily basis, has trust issues with electronic payment. If we look into the details of the decades-old POS machines, the same flaws can be found in them too. The only difference is that one has hardware attached to it, while the other is just a web site, purely virtual. This psychological effect, fueled by the instability of the software we use on a daily basis, of course affects the current shift to the cloud.
The cloud is something completely new to end users. While it actually empowers the end user, it is also depicted as a “cloud”. Looking at the history of the “cloud” in the telecommunication industry, this also causes a trust issue: something happens there and you don’t know how. We keep our files out there, but we don’t actually know where they are or who can access them. These concerns are protected only by a privacy agreement provided by your service provider. The case of theft, which is really illegal distribution of the digital item, also frightens us. It’s similar to someone finding out one of our secrets, with no way to find out who found it, or even whether the secret is known or not.
Actually, the question “has anyone else found it?” is not new to us. Sharing the same user directory on the same computer with someone else, or keeping your files on a remote hard drive not connected to the internet, raises the same privacy problem. What has made this problem worse is the ease of distributing these files. Files kept on an offline hard drive require a medium for distribution. Someone has to be there physically, copy the contents to another hard drive or to his computer, and then distribute them. With the introduction of the cloud, all he has to do is send an email to himself with the contents attached. The accessibility of cloud systems is also one of the root security problems.
For years, content has been distributed digitally, including movies, songs, video games, documents, pictures, software, etc. All of it is subject to piracy, and all of it has failed against piracy. There is no serial key that can’t be broken with enough time and dedication, no always-online DRM that can’t be fooled by an /etc/hosts entry, and no digital movie that cannot be copied from one storage device to another. For years we have disobeyed the end-user agreements presented to us, even though we had accepted them. For years, we have “cracked” or “used” at least one of the things listed above. Consider someone who uses cracking software to bypass carefully designed security measures, someone who knows nothing about computers other than pointing, clicking and googling: is there a chance that he will believe that the cloud is “secure”?
Putting aside the psychological effects of the “mistrust” between end users and service providers, from a technical perspective cloud services are as secure as they can be. Software is not secure simply because it follows a list of things that should be done. Security is measured by the “importance” of the data you hold and by the things that you chose not to do in order to “protect” it. Security is an ongoing battle between “attackers” and “defenders”. It should evolve and improve with each passing day. Cloud services are as secure as they can be because they are protected by security professionals whose only job is to “protect” your privacy. And no, they are not interested in your data.
Security, privacy, copyright and piracy issues in the cloud are not new. They are the sequels of the mistrust between users and developers, set on a new ground called the cloud. While the cloud is as secure as it can be technologically, it will never be “secure” in the eyes of end users because of these psychological effects.

Cloud Security: From Whom, For Whom

Trust issues between companies and end users have existed for as long as computers have existed. End users worry that the company might steal their data. However, the user’s private data is also important to the company. A company can exist only as long as it can profit. If there is a trust issue between the company and the end user, there is no way the company can go on. So security is actually more important for the company than for the user. Companies should make their environment as secure as it can be for their own survival.
Sony’s case, where they lost the credit card information of their users, is one we should take a lesson from. It was Sony that was damaged the most in this case. They lost millions of dollars in future income and, more importantly, they lost the trust of their users. A user who might have lost credit card information might get away with just canceling the card. Sony, on the contrary, has to provide gifts and run other promotions just to win its customers’ trust back, without expecting any revenue.
As an end user, you should consider that it’s not the service provider that you should be afraid of, but their negligence on security issues (assuming the service provider does not have bad intent).
Who should we be afraid of then? If the companies are not thieves or charlatans trying to get away with our private data, who is the real danger? Many Black Hat Hackers breach systems just for their ego (I breached here, put my mark as a file and don’t care what you actually keep here) or to prove a moral point or point of view. Considering this, you should be afraid of people who use free tools, instead of their own skills, to breach servers. They are mostly unaware of the damage they are causing. Their only aim is to cause damage to prove their skills.
It’s always easy to show that a system is not secure: a single failure is enough. However, you cannot prove that your system is secure just because a single attack failed to breach it. And once it’s breached, it doesn’t matter how safe it was before. Security is a constant struggle between defenders and attackers, where each side must change its methods or update its tools in order to come out triumphant.