Off the Beat: Bruce Byfield's Blog

Where cloud computing is concerned, I confess to being a Luddite. I'm not utterly opposed to it, but the conditions under which I would ever store data in the cloud remove most of the reasons that most people would do so.

The usual argument for the cloud is convenience. Storing data in the cloud means that it is always available (assuming your connection is up), and you no longer have to transport files by flash drive or DVD between one computer and the next.

In addition, Matt Harley recently suggested that ChromeOS, which is built around the cloud, has other advantages over local Linux installations. He points out that, because ChromeBooks depend on the Internet, they have no problem with connectivity. But his main contention is that ChromeBooks are idiot-proof. Because they take care of updates for users, the risk of users running into problems when they upgrade are mostly eliminated.

Exchanging Security for Convenience
Harley adds some new points to the discussion, but I am still not convinced. As Harley mentions himself, connectivity is less common a problem on Linux that it used to be. Yet, even if that were not so, the advantage is not exclusive to ChromeOS and is available on any computer that ships with an operating system already installed.

As for being idiot-proof, I have seen too many supposedly routine upgrades go awry to assume that the problems will go away simply because someone else is taking care of them.

Anyway, one of the appeals of Linux has always been that you could learn to maintain your system yourself. You might make fatal errors, but that is part of the learning process, as frustrating as it can be. Eliminating that possibility reduces Linux to just another operating system, differing only on the technical level from OS X or Windows. It leaves users as permanent consumers, without any hope of ever controlling their own computers.

And that, really, is the problem with cloud services and storage: they are only convenient because they remove the responsibility from users. Instead, they ask that users trust the providers  -- and, the trouble is, very little is offered to justify that trust.

Short of anecdotal evidence on the Internet, there is next to nothing on which to judge cloud providers. Users do not know who will handle their data, or who will have access to it. If a provider publishes a policy, users have no way of knowing how well it is enforced. Presumably, keeping high standards is in a provider's interest, so that it can continue to attract customers and to satisfy existing ones, but the problem is not that providers are corrupt -- it's that users have no way to know.

Besides, even if providers have repeatedly demonstrated a high level of integrity, accidents can still happen. Yet, if they do, users may not hear of them, nor be in any position to assess their frequency or seriousness.

Yes, problems or accidents can happen on your own server. The difference, though, is that you are more likely to learn about them. At the very least, you can know what steps are taken to prevent them happening again.

In short, the problem in the cloud is the age-old one of convenience winning out over security. From a security perspective, the typical cloud is a disaster in waiting. That may be acceptable if you are a casual computer user -- unless you are storing some embarrassing photos, and, even then you might prefer to preserve your privacy. But if you are acting on behalf of a corporation, or your files have any potential value, you should approach the cloud cautiously. Even if a provider guarantees its own security measures, when you sign up, you are still being asked to trust -- and trust is a poor foundation for any security or privacy.
Holding the Cloud at Arm's Length
I don't go so far as Richard Stallman, who condemns clouds as a proprietary trap to be avoided at all costs. However, if you are going to use commercial clouds, encrypt your data with a key that only you or your company members possess. Better yet, set up a private cloud, and secure it to your satisfaction.

The only trouble with such measures is that the effort they require drains much of the convenience from the cloud. Remembering to encrypt before uploading is a nuisance, and so is setting up and maintaining security for yourself. Yet to act otherwise means taking a calculated risk.  Admittedly, the odds are probably in your favor with most cloud providers, but security measures should be based on the worst that can happen, not on the best.

Many people have turned to Linux and free software as a relief from being controlled by proprietary software vendors. Yet, all too often, the irony of working in the cloud for Linux users is that too often they abandon the independence they gained and given their independence to another proprietary company -- and all for no better reason than convenience.