Friday, May 25, 2012

Next Challenge for Governance - the Cloud Computing

Commander Mukesh Saini (Retd.)

The internet has transformed the planet Earth into a global village; where in cyberspace boundaries have little meaning. However perimeterization of an organizational data was always possible even in the Internet environment and it was possible to create De-Militarized Zone (DMZ) between the Internet and organization’s data. However with the adoption of Cloud computing, even this hazy boundary is being eroded. Thus the challenge ahead for a sovereign state is how to adapt to new technological paradigm.

Cloud computing (‘Cloud’) is changing the concepts of information handling in the same revolutionary manner as the World Wide Web did to it about a decade ago. So what is this Cloud Computing? It describes the use of collection of services, applications, information, processing power and storage resources. These components can be rapidly provisioned, implemented and decommissioned and scale up or down, providing for an on demand utility-like model of allocation and consumption of Computer based resources. It is hiring of various hardware, operating system and application software remotely from a very large pool from a Cloud Service Provider (CSP). The word cloud emerged from the initial diagrammatical representation of the Internet as cloud. It changes the capital cost into a variable cost.

Cloud computing is an evolving term that describes the development of many existing technologies and approaches to computing into something different. Some of the existing technologies orchestrated together to form a cloud include web 2.0, ubiquitous connectivity, virtualization, broadband networking, clustering, utility computing, multi tenancy, service oriented architecture and out sourcing. Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them.
National Institute of Standards and Technology (US) has published the working definition of the Cloud, which is “ A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can rapidly provisioned and released with minimal management effort or service provider interaction”.

According to NIST, Cloud services exhibit five essential characteristics that demonstrate their relation to, and differences from, traditional computing approaches: On-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.

Though there are many flavors of services provided by CSPs but primarily there are three service models. Where only hardware such as Servers, memory, storage space etc. are provided on demand and user need to deploy its own Operating System (OS) and applications (apps), such services are called Infrastructure as a Service (IaaS). Incase CSP provides IaaS + Operating System than such a service model is called Platform as a Service (PaaS). The Software as a Service (SaaS) is the service model where CSP provides complete package including apps.

The cloud can be deployed as a ‘Private cloud’ by a group of companies under same banner or a government for internal purpose; or as ‘Community cloud’ for a specific community, say banking community; or as ‘Public cloud’ where anyone can buy any services and use; and in ‘Hybrid cloud’ environment private and public clouds are jointly used in an efficient and secure mode.

In ideal situation, cloud provides a kind of security which can never be matched by any medium size organization and at cost which can be as low as 10% of existing security cost. But the sense of loss of data outside the perimeter of the organization creates new challenges to cyber security. Challenges are created because the data of the organization is under CPS’s control, which may be fragmented and stored /processed at various locations across the globe unless service level agreement specifically bars it.
For a nation-state, the Cloud has created a new area of legal risks which lacks any precedence or established legal history. There will be difficulties in establishing legal jurisdiction for gathering evidence and enforcing any court order. Some of the challenges for law enforcement in the Cloud will be:-
(a) How the evidence will be gathered from the Cloud, in reliable and authentic manner, which can be verified during the trial - may be few years later?

(b) Who will be considered as custodian of data – the user who kept the data in the cloud or the CSP who owns the data storage space?

(c) Indian Police, which is still cannot cope with collecting digital evidence from desktops in accordance with the IT Act, let alone servers & clusters, how will they collect the evidence from the Cloud?
(d) Unlike first world countries where e-discovery and cyber evidence related to privacy of an individual can be gathered only on a court order, in India such orders are issued under sections 68 and 69 of IT Act by the executive. How such dramatic differences will be resolved? Rule under section 69 have been issued but no one is following them. Such attitude cannot help in cases with international ramifications.
(e) What happens when the original CSP goes bankrupt or taken over by a company from a country having not so friendly relations with India?

(f) What if criminals/ cyber terrorists use cloud for perpetuating a crime in real world and then release all resources back to the cloud? How such evidence will be retrieved? (It is one of the cloud management requirements that if a storage space is vacated by one legitimate tenant of the cloud, same to be forensically cleaned up immediately otherwise there exist a possibility of data leakage.)

Cloud Computing is a new paradigm which cannot be wished away, nor an executive order that no one to use cloud, will be of help because not allowing own companies / organization to use the Cloud will make them far less efficient and will have adverse affect on economy. It has been estimated that cloud provides 80 to 90 percent efficiency on IT spend and allow an organization to focus on its core competence. Simile could be, buying an aircraft to go from Delhi to New York, (traditional computing) versus buying a ticket from an airline for the journey (Cloud computing).

According to Gartner survey report, cloud computing service revenue in 2010 was estimated to be around £41 billion. The US Government as well as US industry is very aggressive on this technological shift. China has already rolled out “Sea of Cloud Plan” which will create 200 billion Yuan industrial cloud server by 2015.
Some of the suggested recommendations at nation-state level are:

(a) Government cannot afford to move at its lethargic pace, not only security but the very growth rate of India may be adversely impacted if this issue is not handled properly and timely manner.

(b) Government must aggressively launch Cyber Security Awareness campaign.

(c) Frame all rules as envisaged under the IT Act.

(d) Form a task force to advice and guide the policy and law makers. The Task Force must contain those who understand cloud security technological issues as well as national policy matters.

(e) Government must sign Convention of Cybercrime without further delay.

(f) Train Police, Cyber Forensic experts, Public prosecutors, lawyers and judiciary, to understand the complexity of investigation in the Cloud.

(g) Involve industry and private players in capacity building.

(h) Be a proactive partner in international fora on Cyber Security.

(i) And appoint an Ombudsman for resolving complaints of Cloud users and CSPs.

The world is at the chasm of next disrupting technological breakthrough which will make the national borders further meaningless. We can ignore the CLOUD at our own peril. There will be no choice expect adopting this new tool, therefore it will be better to understand it and make new laws to protect our interest, without attempting to contain its adoption. Aligning with international community will be a necessity, while getting into cocoon could be dangerous.

No comments:

Post a Comment