The Limitations of Cloud Computing in Controlling Information Security
In the beginning, compute power was concentrated
in mainframe computers. Edge devices
were dumb terminals that couldn’t connect to anything but the mainframe.
The network era has been a constant process of
increasing compute power at the edge. PCs, laptops, tablets, smartphones,
diagnostic and monitoring equipment, medical devices, and industrial controls
have increased compute capacity in ever-smaller forms.
Cloud computing is, in a way, an attempt to
return to the mainframe model—to centralize compute power in massive server
farms and to use software on smart edge devices so that they act as pretty-but-dumb
terminals for accessing information from the cloud. But inherent problems
prevent the cloud from being a complete solution for controlling the
distribution of information:
- Edge devices that are accessing the cloud act as dumb terminals, but they are not
dumb. They are tremendously capable computers that host myriad applications
that can be used as vehicles to defeat cloud security.
- It is not always possible to access the cloud. We are years away, if ever,
from bandwidth nirvana. There are far too many situations where work cannot get
done because no connection is available, the connection is intermittent, or
bandwidth is insufficient.
- Cloud computing requires that the hospital pay for all of the compute and connection
capacity. The compute power of edge devices is more or less thrown away, and
each new edge device increases the requirement for bandwidth and central computing.
- The cloud data center defines a secure perimeter, but it does not address securing
data when data leave the data center.
For more information, see Dan Kruger and Tim Anschutz's "A New Approach to IT Security," hfm, February 2013.
Publication Date: Friday, February 01, 2013