In academic communities that lack advanced technology infrastructures and the funding to put them in place, grid and cloud computing play vital roles in providing research services, power, and storage normally associated with supercomputers - minus the hefty price tags. However, concerns linger over how best to ensure the security of these resources.
From its beginnings, grid computing has come a long way in bringing together dispersed compute and storage resources. Scientists and researchers now use developed protocols and middleware without giving thought to brokering, exchange, negotiations, and authorization - all happening behind the scenes to integrate disparate grid resources into seamless, simultaneous processing on a virtual platform. Cloud computing is similar, in that it offers hardware and software resources to end users and delivers them online as a service. Resource pools are easily accessed with existing standard protocols, and they provide appealing alternatives for projects looking to take advantage of cost savings.
Cloud proponents such as Shel Waggener, senior vice president of cloud initiatives at Internet2 (an advanced networking consortium led by the research and education community), believe all roads will eventually lead to the cloud: "When abstraction occurs, pieces get moved further and further away from individual technologists, and components get smaller and faster; we've been able to drive costs down and benefits up, making them available to the masses."
Cloud-averse colleagues like Fred Cate, director of the Center for Applied Cybersecurity Research (CACR), disagree. "It's a bad place to put data," he says pointedly. "We don't have rational policies and standards around cloud computing. The biggest threats are humans, the supply chain, and government. We're not going to get any better by moving the data further from us." Cate also holds the position of director of the Center for Law, Ethics, and Applied Research (CLEAR) in Health Information, and he is an inaugural member of the Cybersecurity Subcommittee of the US Department of Homeland Security Data Privacy and Integrity Committee.
Ultimately, for all of the benefits cloud computing environments offer, they still require ongoing development and refinement. Security, however, is a refinement no one is comfortable delaying. The Grid Security Infrastructure (GSI) uses public-key-based protocols for authentication, communication protection, and authorization, while the Community Authorization Service (CAS) provides authorization within and across communities. The cloud, on the other hand, lacks the regulatory compliance needed to ensure that service providers have external audits and certifications that meet regulatory security requirements. The National Institute of Standards and Technology (NIST) has developed provisional roadmaps for cloud security, with security standards targeted for 2012 to 2015, but these are not security assurances.
Despite work to secure grid infrastructure, security vulnerabilities exist in open source grid middleware and cloud services. Barton Miller, professor of computer sciences at the University of Wisconsin, Madison, is intent on making qualitative improvements in the security of these resources. As co-director of the MIST software and vulnerability assessment collaboration with the Autonomous University of Barcelona, Miller was on hand at the SC12 conference to deliver a technical program on secure coding practices for grid and cloud middleware and services. He boiled the program down to a single, driving sentiment: "I want to enable open source software providers to easily get the clear, useful information they need to improve the security of their software."
Miller's work goes beyond the mainstream debate that often captures headlines. For the last seven years, he and his team have been providing in-depth, analysis-driven assessments of internet software to those looking for maximum security and robustness. Recent work includes ongoing evaluations of many components of the Open Science Grid (OSG) software stack: "Used worldwide, OSG is a substantial resource with a fairly complex software stack; we continue to work closely with the development team to up their awareness."
Miller will serve as chief scientist of the recently announced Software Assurance Marketplace (SWAMP) project, part of a $23.6 million grant from the US Department of Homeland Security Science and Technology Directorate to address threats arising from the development process of software used in technology. Miller anticipates several OSG components will be part of the project's continuous assessment process.
Apple founder Steve Wozniak was quoted earlier this year as saying, "The more we transfer everything onto the web, onto the cloud, the less we're going to have control over it." He is right that security is about control, but grid and cloud technology are both paradigm shifts - technological evolutions that will continue well into the future beyond this momentarily hot debate about security. As Barton Miller is demonstrating, the best security is to strengthen what you have, where you can, in every way possible, effectively minimizing the need for direct control.