[adapted from the speech given on the occasion of the honoris causa ceremony at the Universidad Politecnico de Madrid]
The Internet is largely a software artifact, and a layered one, as my distinguished colleague Sir Tim Berners-Lee has observed on many occasions. The layering has permitted a remarkable versatility in the implementation of the Internet and its applications. New technology can be used to implement each layer, and as long as the interfaces between the layers remain static, the changes do not affect the functionality of the system. In this way, the Internet has evolved and adapted new transmission and switching technology into its lower layers and has supported new upper layers such as the HTTP, HTML and SSL protocols of the World Wide Web.
In recent years, the term “cloud computing” has emerged to make reference to the idea that from the standpoint of a device, say a laptop, on the Internet, many of the applications appear to be operating somewhere in the network “cloud.” Google, Amazon, Microsoft and others, as well as enterprise operators, are constructing these cloud computing centers. Generally, each cloud knows only about itself and is unaware of the existence of other cloud computing facilities. In some ways, cloud computing is like the networks of the 1960s when my colleagues and I began to think about connecting computers together on networks. Each network was typically proprietary. IBM had Systems Network Architecture; Digital Equipment Corporation had its DECNET; Hewlett-Packard had its Distributed System. These networks were specific to each manufacturer and did not interconnect nor even have a way to express the idea of connecting to another network.
The Internet was the solution that Robert Kahn and I developed to allow all such networks to be interconnected in a uniform way.
Cloud computing is at the same stage. Each cloud is a system unto itself. There is no way to express the idea of exchanging information between distinct computing clouds because there is no way to express the idea of “another cloud.” Nor is there any way to describe the information that is to be exchanged. Moreover, if the information contained in one computing cloud is protected from access by any but authorized users, there is no way to express how that protection is provided and how information about it should be propagated to another cloud when the data is transferred.
Interestingly, my colleague, Sir Tim Berners-Lee, has been pursuing ideas that may inform the so-called “inter-cloud” problem. His idea of data linking may prove to be a part of the vocabulary needed to interconnect computing clouds. The semantics of data and of the actions one can take on the data, and the vocabulary in which these actions are expressed appear to me to constitute the beginning of an inter-cloud computing language. This seems to me to be an extremely open field in which creative minds everywhere can be free to contribute ideas and to experiment with new concepts. It is a new layer in the Internet architecture and, like the many layers that have been invented before, it is an open opportunity to add functionality to an increasingly global network.
There are many unanswered questions that can be posed about this new problem. How should one reference another cloud system? What functions can one ask another cloud system to perform? How can one move data from one cloud to another? Can one request that two or more cloud systems carry out a series of transactions? If a laptop is interacting with multiple clouds, does the laptop become a sort of “cloudlet”? Could the laptop become an unintended channel of information exchange between two clouds? If we implement an inter-cloud system of computing, what abuses may arise? How will information be protected within a cloud and when transferred between clouds? How will we refer to the identity of authorized users of cloud systems? What strong authentication methods will be adequate to implement data access controls?
Because the Internet is primarily a software artifact, there seems to be no end to its possibilities. It is an endless frontier, open to exploration by virtually anyone. I cannot guess what will be discovered in these explorations but I am sure that we will continue to be surprised by the richness of the Internet’s undiscovered territory in the decades ahead.
Mark Rasch In the News. This week, a federal grand jury indicted three people on charges of hacking into the files of a credit and debit card processing company. The government alleges that they stole data for more than 130 million cards and sold it. What makes this even more remarkable is that one of the accused, Albert Gonzalez, has worked for the U.S. government as an informant. Listen to the interview at: http://www.npr.org/templates/story/story.php?storyId=112134924&sc=emaf
Mark Rasch is a former cyber crime prosecutor at the U.S. Justice Department and co-founder of Secure IT Experts, a security consulting firm. He joins us in our studios. Thanks very much.
Secure360: The Triumph Of Politics (Over Security) InformationWeek - Manhasset, NY, USA "Mandatory reporting by the government to some central authority with meaningful sanctions" is needed, says Mark Rasch, former Department of Justice ...
Court upholds 'hacking' charge against smut-surfing worker... Register - London, England, UK Mark Rasch, a former federal prosecutor of computer crimes turned computer security consultant, said it would have been better to fire Wolf than drag him ...
FTC Issued Consent Order for GLBA Privacy Rule and Safeguards Rule Violations
Today the FTC issued a consent order against mortgage lender James B. Nutter & Company for GLBA Privacy Rule and Safeguards Rule violations resulting from an inadequate information security program and inadequate safeguards. The requirements will result in, among other actions, 20 years of ongoing obligations for James B. Nutter & Company, which is far more costly than establishing appropriate information security safeguards would have been in the first place. The order states, in part:
Since at least September 1, 2004 until at least November 2008, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information. In particular, respondent:
(1) did not develop, implement, and maintain a comprehensive written information security program; (2) did not implement reasonable policies and procedures in areas such as employee training in safeguarding personal information; (3) stored personal information in clear readable text on its computer network, creating an unnecessary risk to the information; (4) did not employ sufficient measures to prevent or detect unauthorized access to personal information on its computer network or to conduct security investigations, such as monitoring and controlling connections between the network and the internet or regularly reviewing activity on the network; (5) did not assess risks to the personal information it collected and stored on its computer network and in paper files; and (6) provided back-up tapes containing personal information in clear readable text to a third-party service provider but did not require the service provider by contract to protect the security and confidentiality of the information.
As a result, an intruder was able to direct respondent's computer network to send millions of outgoing spam emails without its knowledge, and could have accessed personal information without authorization.
7. Respondent began providing privacy notices to customers in 2004. The notices it provided: (1) did not set out respondent's security practices; (2) did not accurately inform customers that respondent disclosed customer information to third parties, such as credit reporting agencies; and (3) informed customers that they had 30 days in which to exercise their opt-out rights, even though the Privacy Rule provides that they can opt out at any time during the course of their loans.
A comprehensive information security program, based upon each organization's unique risks and addressed through applicable compliance requirements plus any other essential safeguards, is absolutely necessary to preserve the privacy of personally identifiable information (PII). Cutting back on information security spending to try to save money will end up costing much more in the long run through the resulting information security incidents, privacy breaches and non-compliance sanctions.
It is critical that the privacy compliance and legal areas work with the information security and IT areas to ensure an effective and comprehensive information security program is in place.
This case is a good one to show to executives to demonstrate long-term consequences of not implementing a strong information security program.
This particular sanction is also good to use as a case study in your information security and privacy training.
The latest news is that the World Health Organization has raised the concern to Level 5, which means that the flu has spread to several countries and that widespread contagion is likely.
Remember that our assessment is that the news coverage of the swine flu has raised awareness throughout the country, and you may begin to see a higher rate of absenteeism because of this awareness, as children are kept home from school and daycare and as people become more leery of public transportation and public places. Any flu is very uncomfortable at best, and it can be quite serious for the many groups that are at risk of major complications. Although this strain of the flu has not been identified as more dangerous than the “ordinary” flu, it is likely that more people will be affected because no effective preventative vaccine is available.
If you haven’t begun some contingency planning to identify your crisis team and response strategy, now is the time. You should also be reviewing succession plans for key staff members and laying in the technical specifics of an extensive “work at home” computer access program.
The attached may help you in your planning, and, of course, we are ready to help your prospects and clients as necessary.
Please view our service offering "Pandemic PDF" for further information.