Thursday 7 August 2014

Cloud computing goes up in smoke

Cloud computing, we have been told for years, is a no-brainer. It's cheaper than operating your own IT facilities in-house. It's more flexible – you can scale up and down as required. It's more secure. And it's greener.

Some organisations have expressed reservations but they have been ignored. Politicians, civil servants, the media and, of course, the suppliers of cloud computing services have succeeded in presenting cloud as a set of technologies which it is responsible to adopt.

Amazon, Google, Apple and Microsoft, among others, have thrived as a result. Businesses all over the world have been outsourcing their IT to these cloud computing suppliers, destroying their in-house competence and happily making themselves dependent on/beholden to outsiders.

Not just businesses, but governments, too.

In the UK, central government has contracted with third party suppliers to store a lot of their data (our data) and to operate many of their applications. They plan to put more data and applications into the cloud as soon as possible. They have created the G-Cloud team (government cloud) and CloudStore, a virtual supermarket where government departments can buy cloud services. And they have lured local government into doing the same, mocking local authorities who fail to follow the fashion.

The government initiative was championed by the charismatic Chris Chant.

Now it appears that the sales pitch was all wrong.

Who says?

Chris Chant.

For some months now, he's been tweeting teasers about trust and truth, e.g.

"Truth better than trust" – what does that mean? At first, nothing. But the other day it became clear. Chris is linked to an organisation called Rainmaker and Rainmaker is promoting an Estonian product called Guardtime. And what does Guardtime do? Guardtime "brings integrity, transparency and accountability to digital society". And not a moment too soon, because:
With an estimated 95% of all enterprise networks having been compromised, it is no surprise that every day the news headlines inform us of a new data breach, a new loss of intellectual property, more damaged reputations and increased legal liability.

Indeed, the loss of intellectual property and personal information has been described as the biggest transfer of wealth in history.
How do we stop our property being stolen like this? Use Guardtime.

And how does Guardtime help? Take a look at Cloud Insecurity and True Accountability, a primer for CIOs on Guardtime and Keyless Signature Infrastructure (KSI) for Attributed Networking written by Matthew C. Johnson, CTO of Guardtime (hat tip Tim Hanley).

Reading the primer may not help you to understand how Guardtime works. It is reminiscent of blockchains, the technology underlying Bitcoin. But what is clear is that its advocates including Chris Chant believe that it is needed because you can't trust the suppliers of cloud computing services:
Handing over competition sensitive, Personally Identifiable Information (PII), or related Intellectual Property information to a Cloud Provider is indeed an exercise in extreme trust without the ability to independently verify Cloud Provider coherence to purported security guarantees, controls, and associated contracts.

In 2014, in light of the CSA [the Cloud Security Alliance] assessment and analysis of threats to Cloud Providers [The Notorious Nine: Cloud Computing Top Threats in 2013], as well as governments’ perceived nefarious interactions with the telecommunications and data storage, social media, and search industries [see Edward Snowden passim]; it has become evident that blind trust in the service provider is a doomed strategy.
Weirdly, Chris Chant and Tim Hanley's Guardtime tweets telling us that G-Cloud's "doomed strategy" can't be trusted are posted on G-Cloud's Twitter timeline. Make of it what you will.


Updated 8.8.14 #1

"Some organisations have expressed reservations" about cloud comptuting, it says in the post above, "but they have been ignored". Which organisations?

Back in October 2012 we listed several. The OECD, for example, and ENISA, the EU's Network and Information Security Agency, who said that cloud computing "should be limited to non-sensitive or non-critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy". It's time to bring the list up to date.

For the moment, let's add just one name to the list – the Law Society.

In April 2014 the Law Society issued a practice note for its members – solicitors in England and Wales. Lawyers are meant to protect their clients' data and keep it confidential. The practice note sets out a number of matters on which lawyers should satisfy themselves before using cloud computing.

Read the practice note, and you'll see that it's very hard for lawyers to obtain that satisfaction. Read the Guardtime Primer, and you'll see that it's impossible.

If Guardtime and Rainmaker and Chris Chant and Tim Hanley are right, it follows that members of the Law Society shouldn't use cloud computing.

Updated 8.8.14 #2

"What", you will have been asking yourself, "about the Public Services Network (PSN)?".

Just to remind you:
The Public Services Network (PSN) will substantially reduce the cost of communication services across UK government and enable new, joined-up and shared public services for the benefit of citizens. PSN is creating one logical network, based on industry standards, and a more open and competitive ICT marketplace at the heart of the UK public sector.
Gluttons for punishment can pursue their further researches on the PSN website.

The rest of us can take refuge in a chatty little 22-pager issued in January 2014 by the Cabinet Office, Public Services Network – PSIIF Trust Framework v1.0. "PSIIF" denotes Public Sector Internal Identity Federation. And (para.1.1):
A trust framework is made up of Business (Legal/Commercial/Policy), Technical and Implementation/Operational obligations on the members and providers of services within the PSIIF. This document defines the obligations, the mechanisms in place to ensure these are met and how these fit into the technical operation of the federation.
You know what the PSN is, and the PSIIF. And you know what a trust framework is. One more thing (also para.1.1):
The PSIIF will exist and be operated within the framework of the Public Services Network Authority (PSNA), but will extend to G-Cloud services and potentially 3rd Sector organisation providing service to the public sector that are not directly connected to the PSN, which have a requirement to identity the public servants using those services.
Now flick forward to Section 3 – Trust Model (para.3.1):
The establishment of trust between different organisations has always been a significant challenge in the development of effective Single Sign On across the public sector. Different organisations can have quite different interpretations of acceptable minimum levels of identity verification and of authentication, as well as a healthy scepticism about whether their fellow members are truly following their declared policies. This issue is not restricted to identity but has historically applied also to networks and shared services.

The development of the Public Sector Network requires that all participants in the network have trust in all users of the network to ensure that all organisations protect their endpoints. The same holds true for all users of G-Cloud services. The PSN and G-Cloud have implemented an accreditation and compliance model that allows all organisations to trust all users of the PSN and G-Cloud at the stated level of trust ...
"The PSN and G-Cloud have implemented an accreditation and compliance model that allows all organisations to trust all users of the PSN and G-Cloud at the stated level of trust"?


Things have changed since January.

By the end of July, G-Cloud had moved to a system of self-accreditation:
The transition to the new G-Cloud Security Approach, which asks for self-assertion, and the Digital Marketplace will be soon coming into effect. This means that suppliers on G-Cloud will no longer need to get Pan Government Accreditation (PGA).

G-Cloud will stop accepting submissions for PGA from 30th of July 2014.
Now how much can "all organisations trust all users"?

And that's not the only change.

If Estonia and Guardtime and Rainmaker and Chris Chant and Tim Hanley are right, you can never achieve trust anyway. Trust isn't on the menu and it's a "doomed strategy".

In that case, bang goes G-Cloud. Bang goes IDA, the identity assurance service (RIP). And bang goes the PSN.

What do the G-Cloud team have to say in response?

Nothing. Not a thing. Chris Chant and Tim Hanley have undermined the legitimacy of G-Cloud and effectively accused the team of leading people on, under false pretences, but either the team haven't noticed or they don't consider those charges to be worthy of a response.

Not so, Chris Chant. Two big changes – (a) self-accreditation and (b) the notion of a trust framework is a nonsense. And what does he say? Rien ne change, nothing has changed:

You can only admire the chutzpah.

Updated 12.8.14

"Rien ne change", says Chris Chant on 8 August 2014.

Which is strange when you see what he was saying on 30 July 2014 about how Rainmaker "totally disrupts UK cloud security capability" ...

... and what he was saying on 31 July 2014 about how "Cloud security has changed in the UK from today" and "today is the day everything changes for cloud security in Europe" ...

... and then there's that Rainmaker tweet on 18 June 2014 which he retweeted, "things will never be the same again".

He used to think that Guardtime would change everything. Now he doesn't. What changed?


He's been quite busy promoting Guardtime – there are 15 tweets alongside.

Guardtime's message is perfectly clear.

They say :
Trust of a Cloud Service Provider is nonsense without the instrumentation and metrics to develop a formal sight picture into how reliable they really are and what they are doing with your data, services, and applications. (p.7)
How can you possibly trust the service provider to say, ‘it’s not our fault, we are not liable’, when there is no evidence to confirm or contradict the statement and what little evidence that might be presented is entirely shaped from the perspective of that service provider. (p.8)
Cloud Service Providers have been hesitant and stonewalling integrity verification and transparency technologies. The reason? Compromise of your data or exploitation may or may not indemnify them for losses and has direct effects on insurance and reinsurance of both your and their assets.

If they (or you) can’t prove what was lost or compromised on their watch and how it occurred – if the evidence doesn’t exist, they can claim they are not liable. “Prove it”. (p.11)
Today, the Cloud Provider cannot provide proof you can trust that your company’s hosted data, applications, and services have integrity – that your critical data has not been manipulated without your knowledge or that it has been migrated to unauthorized locations (stolen) or altered. (p.13)
To overcome those problems, Guardtime say, you should use their Keyless Signature Infrastructure (KSI).

They may or may not be right but Chris Chant certainly agrees with them. 15 times.

You'll never get trust, he says, but at least with Guardtime you'll get the truth, which is "essential for any network or data storage asset", he was telling us on 4 July 2014.

Essential. I.e., without Guardtime, cloud computing customers are missing something important, "trust can never be enough" (5 August 2014). With Guardtime, "Uk orgs and citizens no longer have to have confidence in that their data is secured, they can now verify the fact" (4 August 2014).

That seems clear enough. But then, would you believe it, something else changed and now Chris says there's nothing wrong with using the cloud even if you don't have Guardtime:

It's getting very hard to keep up with Chris's changes. Trust is hard. Truth is hard. Meaning is hard.

Perhaps Mr Singleton can help. Shed some light on the matter. He's the boss of the G-Cloud team. Is using the cloud without Guardtime a "doomed strategy" or isn't it?

Updated 9.9.14

It's not just Chris Chant and Tim Hanley who now support the Rainmaker contention that trust in the cloud can never be achieved. They are joined at Rainmaker by several other senior former Whitehall officials:
  • Mark Forth – Mark spent the majority of his career as a Civil Servant and has worked as the Commercial Director for HMRC, Home Office and DCLG ...
  • Jan Joubert – Jan has extensive experience in the technology industry and supported the development of the UK G-Cloud market by ...
  • Michael Bateman – Michael took G-Cloud through its first and second iterations ...
  • Rhys Sharp – Ex-CTO at SCC, Advisor to HMG on G-Cloud programme, Senior Strategy consultant to Legal & General, Co-Op Financial Services (oops) ...
  • Mark Poole – Ex-Chief of Staff, Cabinet Office e-Delivery Team, System and Service Implementation and Integration specialist – Defra, Home Office ...
  • Peter Fagan – Ex-Security Manager – Government Gateway Critical National Infrastructure, GovConnect, GCF email scanning service, IA review for 2011 Census, National Lottery franchise assessments, original CLAS scheme member ...
Maybe there's something in it. Maybe all this talk of "trust frameworks" really is a waste of breath.

Maybe, for example, tScheme is wasting its time. tScheme and every EU member state. The Department for Business Innovation and Skills's paper on electronic signatures turned up yesterday and there, on p.6, we read that:
tScheme Limited (see: is the UK’s Trusted List Scheme Operator (TLSO) and creates, hosts and maintains the UK’s Trust Service-status List (TSL) on behalf of the Department for Business, Innovation and Skills (BIS). Every Member State has its own TSL and each of these is referenced from a central list that is maintained by the Commission (see: EU Trusted list certificate providers - further info and policy).
If Rainmaker are right, Rainmaker and all those senior officials, then yes, tScheme is wasting its time.

Updated 2.10.14

Yesterday the UK abandoned the tax discs we have always displayed in our windscreens to demonstrate that we have paid our Vehicle Excise Duty (VED).

That led to a last-minute flurry of people trying to pay their VED using the new system recently deployed by the Driver and Vehicle Licensing Agency (DVLA) on GDS's award-winning GOV.UK.

Ever fashionable, GDS insist on using the cloud. The VED system is deployed in the cloud, we must assume, and you can write the script yourselves.

You know about the cloud. Capacity expands instantaneously to meet demand, it's resilient, nothing can knock it over.

Except that, according to the Guardian and all other media outlets:
DVLA tax disc renewal website buckles under pressure of high demand

Tax disc renewal site taken offline by ‘unprecedented demand’ as new service comes online and tax disc by post is phased out

The DVLA’s new vehicle tax site has crashed due to the large volume of people attempting to renew their tax online after paper discs were abolished in favour of digital records.

The site was experiencing more than 6,000 visits a minute at 9.43pm on Tuesday, according to the DVLA, but remained up but by Wednesday morning when the new rules came into effect it was overwhelmed.
This is getting embarrassing. Again. You could drive an untaxed coach and horses through that cloud sales patter.

No comments:

Post a Comment