If Willie Sutton had been a hacker, we know what he’d have thought about cloud computing.
Sutton, of course, was the 1930s bank robber famous for his quip that he robbed banks “because that’s where the money is.” And for hackers, the cloud might be just as tempting because it’s where a great deal of data is being concentrated.
But how much loot will modern-day Willie Suttons really be able to plunder from the cloud?
The short answer will probably turn out to be: Not much. That’s because greater data concentration makes it easier to build strong, high walls around more of it at once. Think Fort Knox. There’s a lot of gold in there — but Willie Sutton wouldn’t have stood a chance if he had tried to grab it.
The long answer is a bit more complicated: Security in the cloud will depend on a number of technology practices and policy decisions that are just beginning to unfold in industry and government.
First, there is the industry side. As BSA has outlined in a set of guiding principles for the cloud, service providers must adopt comprehensive practices and procedures that include well-recognized, transparent and verifiable security criteria so customers can shop for the best. There also must be robust identity, authentication and access-control mechanisms commensurate with the level of sensitivity of the data being housed. And there must be comprehensive, ongoing testing of security measures before and after deployment of cloud solutions.
Those are things that must be driven by industry because prescriptive policy mandates would quite likely have the unintended consequence of fossilizing cloud technologies while they are still in their early stages of development.
That is not to say there is no role for public policy in promoting cloud security. There is, starting with tough laws against theft, fraud and hacking. Those were needed before the advent of cloud computing, and they are needed all the more now. And since security concerns are tightly linked to privacy concerns (they are twin pillars undergirding public trust in technology), it will be important for lawmakers to ensure that data stored in the cloud enjoys the same legal protections as data stored on personal computers.
A wrinkle in all this for policy-makers is that, as with all cybersecurity matters, cybersecurity in the cloud is by its nature an international issue, so we need an international approach to building defenses. BSA has outlined how to construct such a global cybersecurity framework.
Industry and government should each carry out their respective responsibilities in securing the cloud with a sense of urgency because it will help build confidence in the marketplace, thereby speeding the maturation of technologies that hold the potential to touch off a new wave of IT-driven growth.
Also, Willie Sutton’s heirs are casing cyberspace. We should deny them any opportunity to score.