What do banks and the public cloud have in common? More than you might think. Let’s use the concept of banking as we jump into the root of the public cloud debate.
Do you remember when you were a kid and your parents first walked you into a bank? It always felt like a magical palace where anything was possible. You had a little booklet where the teller marked your deposits, and a slip of paper could turn into money.
Now, the bank is truly magical in a different sense. Banks are still seen as the safe and secure alternative to storing your money under your mattress. But who knows where our actual money really is? All we know as consumers is that our cash and gold bars (wishful thinking) will be waiting for us whenever we decide that it’s time.
We understand that the bank “takes care of our money” as the FDIC insured signage instills both confidence and comfort. If the bank goes out of business, you still get your money back – and the government guarantees it. It’s not a perfect system, but it’s a great example of how trust in an institution translates into material exchanges. And your mattress does not provide interest on any deposits.
Now, let’s go back to those gold bars for a second. Banks offer another attractive service called safe deposit boxes. In this scenario, you take your most valuable items (see: birth certificates, family jewels, old childhood soccer trophies, whatever), and place them within the walls of the bank. Once this is secured, only yourself and any of your selected parties hold the necessary keys for access. There’s also a secure process – you hold a key that the bank doesn’t own, you need a specific ID to enter the facility, and activities are monitored up until the time you leave.
I’m guessing that you wouldn’t want your worst enemy (or anyone else for that matter) to be given access to your safe deposit box. In fact, you wouldn’t even want someone in the bank to have access.
A cloud safe-deposit box?
Now let’s switch that focus back to the public cloud. At the moment, many organizations have decided to put some of their data in a cloud environment, while still leaving the true “family jewels” of the business (i.e. customer information, HR policy forms, and credit card details) ‘under their mattress’, or in their data center. While they are not ready to fully embrace the cloud for everything, it is clear that moving to the cloud is the next step.
Now, let’s think back to CSPs and banks for a second. Many CSPs have openly stated that they will not be responsible for the privacy of your data. What would happen if the bank told you that those safe deposit boxes weren’t really that secure, or that protecting the jewels in their vaults actually was your own responsibility? Yikes! I wouldn’t go near the place with a ten-foot pole!
While data is not quite the same as money – you understand the analogy. It took a while for banks to put the right processes, technology and regulations in place to build consumer confidence.
I believe cloud adoption will follow the same trend, and the payment card industry is on the right track. In the latest PCI DSS cloud guidelines, the authors talk about shared responsibility. Let’s explore this a little more.
When you go to the cloud, your data is in the hands of the provider. Further, unlike money, data can be copied or exchanged, so you might not even know someone has accessed it, as long as you can get it back on demand.
Can you protect it? Yes you can. You encrypt your data within the virtual machine (VM) you rent from a CSP, making it safe from the time it leaves the VM, all the way through the hypervisor to whatever storage devices the data ultimately resides. This is definitely something you can and should do.
There are still issues with the cloud. What happens if a CSP snapshots the VM to ensure availability? Well, this is a big issue since they now have access to the contents of memory that could contain anything – credit card information, health care information, etc. – in other words, potentially the family jewels. But this is also where shared responsibility comes into play. You can’t do anything to protect any snapshot images taken, but the CSP can. They must encrypt and protect access to this data..
Now the final question remains … who owns the keys? This is the hardest problem to solve. Should you hold the keys in your safe deposit box? Should the CSP hold the keys? What about the possibility for a 3rd party to hold the keys? All are realistic approaches if implemented correctly.
So will the cloud start to look like a set of large banks at some point in the future with multiple “savings accounts” and “safe deposit boxes?”
I think the answer is yes.
If you want to avoid building out and maintaining racks of servers, and if you can be sure of the security of your data, the ability to spin up servers and applications in seconds and pay only for what you use is pretty appealing!