Fog computing

:: computer, security, orwell

Fog computing is like cloud computing except that no-one can see what you are doing.

A basket of eggs

Here is an interesting quote from the website of a company which provides an ‘enterprise content collaboration platform’:

80% of central government departments use [our system], making it the most trusted cloud-collaboration solution for UK government and public sector organisations.1

There are several ways of understanding this.

What they want you to think. ‘Gosh, all these government people will be very fussy about security and extremely competent, and we’re a big corporate/government type place too: we should be using this product ourselves.’

What Dr. Evil is thinking. ‘80% of UK central government departments are using these people? That’s a lot of data that I am sure my customers would be willing to pay a great deal for, all in one place. Minions: to your keyboards!’

What President Evil is thinking. ‘80% of UK central government departments are using these people? That fool Dr. Evil is probably wasting a lot of effort trying to break in to sell me the data. Minions: buy that company for me!’

What the government is thinking. ‘Minions: another bottle! And send up another boy: I seem to have broken this one.’

The desert of the real

We all like to talk about ‘the cloud’ as if it is something new, but it isn’t: all it is is centrally-managed and outsourced storage and processing of our data. The only new thing about this is the outsourcing, and that’s not very new.

Central management holds out the hope of saving money and improving security, but means that there is a single point of failure: if the system fails then it fails for everyone, and if it is compromised then it is compromised for everyone. Information can also leak between regions which should be isolated from each other: in particular a hostile user who succeeds in compromising the system can obtain other users’ information.

Outsourcing means that small organisations or individuals don’t have to have expertise in data management but can rely on an external provider to do it for them. Large organisations may think they can save money by outsourcing and occasionally they can. Outsourcing means you are protected only by a contract and lose direct control over the system: this is fine so long as you are sure that the provider is honest, competent, and not subject to a malevolent legislative framework. Well, they may at least be honest.

The thing that makes the economics of cloud computing work is that there will be a relatively small number of relatively large specialist providers who can become really expert at providing these services and exploit economies of scale to make doing so cheap2. Unfortunately this is also what makes cloud computing dangerous: if a lot of sensitive data is centralised in a small number of organisations this is like painting targets on the backs of those organisations. Anyone who is interested in that data – bad people, governments (are they different than bad people?) and competitors – will stand to gain enormously by compromising cloud providers.

Of course, they will tell you how secure they are, and imply that they can never be compromised like this. If you believe that you can stop reading now.

Obscured by clouds

So let’s assume that you don’t trust your cloud service providers and you care about your data: Can you still make use of them? The answer is that you can in limited but, I think, still useful ways.

There are two assumptions that you must not make:

  • don’t assume the cloud provider is reliable – your data and any associated services can vanish at any time and that must not be catastrophic;
  • don’t assume the cloud provider can be trusted – assume that either they are themselves not trustworthy, or that they have been compromised, legally or illegally, and that anything you store or process there is visible to bad people as a result.

It’s fairly easy to deal with the first point: if the data might go away you need to make sure that you have other copies of it, and ideally copies that you have full control over. Similarly with services: make sure you can survive if things go away.

The second case is harder. If you can’t trust your provider what use are they? Well, still some use. In particular, if all the data that you store on the cloud is encrypted and the encryption keys are not available to the provider then, even if bad people get access to this data there is rather little that they can do with it: it’s just a huge blob of meaningless bits to them. To decrypt the data they must attack your systems, where the encryption keys are held.

Encrypting data like this fairly seriously limits what can be done with the data in the cloud: in fact all that can be done with it is to ship it to and from clients and store it in the meantime. No kind of processing which depends on the content of the data can be done at all on the provider’s systems. For many purposes this is a less crippling restriction than it seems: globally-available storage is quite a useful thing to have, in its own right.

For instance, a government agency might want to keep sensitive documents in the cloud: it can do this quite happily so long as the documents are always encrypted before they leave the client with keys which also never leave the client. To edit a document it is fetched, decrypted, edited and encrypted again on the client, and then sent back to the cloud3.

What a system like this can’t do, by design, is process data in the cloud in any way which depends on its content: if you want, say, a shared calendar with server-side appointment management then you can’t have it, because it requires the server to be able to see the content of the data.

The illusion of security

Cloud service providers are very anxious to tell you how secure they are: they will use terms like ‘encrypted at rest’, ‘AES–256’, and ‘military-grade security’, all of which signify nothing. There are only two questions that matter:

  1. do they have the keys to whatever encryption system they are using?
  2. if they do, are you and they the same person?

If the answer to the first of these is yes, then the answer to the second must also be yes: if it’s not then you should not trust them. Yes, they might mean well, and they might even be competent, but even if they are they can be subject to attacks which they will not be able to withstand: when the people who won’t say who they work for come calling with their bit of paper then the keys will be handed over and they won’t tell you that this has happened.

The only way that your data is safe is if you put it in a box to which only you have the key4, and that means that you must encrypt it with keys you control and live with the consequences of that.

In the fog

Fog computing is more-or-less this: it is the use of cloud-based shared storage to share data which is encrypted and decrypted only on the client, providing the possibility of real security rather than the illusion of it that cloud providers currently offer.

One good thing about fog computing is that you can implement it yourself: you do not need to rely on a provider offering the service. A tool which encrypts data on the client can sit on top of any kind of cloud storage provider. This is indeed beginning to happen: there are backup tools (notably Arq) which do this client-side encryption and can be configured to sit on top of many different cloud storage providers.

However even encrypting the data like this is not really enough. The bad people can still look at your patterns of access and (if you are not careful to obscure it) metadata such as file names and deduce more than you would like: for instance they can work out who you talk to by noticing who else accesses your data, and so on. This can be avoided by obfuscating these access patterns but it is much harder to do. But just encrypting the data with keys you control is a big step in the right direction.
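To make the fetch, decrypt, edit, re-encrypt, send back round trip from the previous section concrete, and to show what ‘the provider never has the keys’ and ‘hide the file names too’ look like in practice, here is a small Go client written for this post as an added example. It is not code from the original post, from Arq, or from any provider it mentions. The `UntrustedStore` is a constructed stand-in for a cloud provider (it keeps blobs and can read all of them), the keys are fixed demo values, and the choice of AES-256-GCM for contents and HMAC-SHA256 for turning names into opaque object ids is mine. Binding the object id into the authenticated data means a provider who swaps two blobs between ids, or flips a byte, is caught on decryption. What this does not hide, exactly as the paragraph above says, is when and how often each object is read.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UntrustedStore is a constructed stand-in for the cloud provider: it keeps
// whatever blobs it is handed and is assumed able to read all of them.
type UntrustedStore struct{ blobs map[string][]byte }

func NewUntrustedStore() *UntrustedStore { return &UntrustedStore{blobs: map[string][]byte{}} }

func (s *UntrustedStore) Put(id string, blob []byte) { s.blobs[id] = append([]byte(nil), blob...) }

func (s *UntrustedStore) Get(id string) ([]byte, bool) { b, ok := s.blobs[id]; return b, ok }

// Leaks reports whether a byte string is visible to the provider, either as
// part of an object id or inside a stored blob.
func (s *UntrustedStore) Leaks(secret []byte) bool {
	for id, blob := range s.blobs {
		if bytes.Contains([]byte(id), secret) || bytes.Contains(blob, secret) {
			return true
		}
	}
	return false
}

// Client holds the keys. Nothing in this struct is ever sent to the store.
type Client struct {
	aead    cipher.AEAD // AES-256-GCM for document contents
	nameKey []byte      // HMAC key for turning document names into opaque ids
}

func NewClient(contentKey, nameKey []byte) (*Client, error) {
	if len(contentKey) != 32 {
		return nil, errors.New("content key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead, nameKey: nameKey}, nil
}

// ObjectID maps a document name to an opaque id: without nameKey the
// provider learns nothing about the name from it.
func (c *Client) ObjectID(name string) string {
	mac := hmac.New(sha256.New, c.nameKey)
	mac.Write([]byte(name))
	return hex.EncodeToString(mac.Sum(nil))
}

// Seal encrypts a document under a fresh random nonce and binds the object id
// as associated data. (Random 96-bit GCM nonces are fine for a demo; a real
// tool must rotate keys well before 2^32 encryptions under one key.)
func (c *Client) Seal(name string, plaintext []byte) (string, []byte, error) {
	id := c.ObjectID(name)
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	blob := c.aead.Seal(nonce, nonce, plaintext, []byte(id)) // nonce || ciphertext || tag
	return id, blob, nil
}

// Open reverses Seal and fails on any tampering, or on a blob that was sealed
// under a different name.
func (c *Client) Open(name string, blob []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(c.ObjectID(name)))
}

// Edit is the round trip from the text: fetch, decrypt, change on the client,
// re-encrypt, send back. The provider only ever sees ciphertext.
func (c *Client) Edit(store *UntrustedStore, name string, change func([]byte) []byte) error {
	blob, ok := store.Get(c.ObjectID(name))
	if !ok {
		return errors.New("no such document")
	}
	plaintext, err := c.Open(name, blob)
	if err != nil {
		return err
	}
	id, newBlob, err := c.Seal(name, change(plaintext))
	if err != nil {
		return err
	}
	store.Put(id, newBlob)
	return nil
}

func main() {
	// Constructed demo keys; a real client would derive them from a passphrase
	// or load them from a keystore that never leaves the client.
	client, err := NewClient(bytes.Repeat([]byte{0x42}, 32), []byte("demo-name-key"))
	if err != nil {
		panic(err)
	}
	store := NewUntrustedStore()
	id, blob, _ := client.Seal("minutes.txt", []byte("Agenda item 1: "))
	store.Put(id, blob)
	_ = client.Edit(store, "minutes.txt", func(p []byte) []byte { return append(p, "another bottle"...) })
	got, _ := client.Open("minutes.txt", store.blobs[id])
	fmt.Printf("client reads: %q\n", got)
	fmt.Println("provider can see the name:", store.Leaks([]byte("minutes.txt")))
	fmt.Println("provider can see the text:", store.Leaks([]byte("Agenda")))
}
```

The interesting lines are the `Leaks` checks and the failure cases: after an edit the store holds only an opaque id and a blob that contains neither the name nor the text, a blob moved to a different name’s slot does not decrypt, and neither does a blob with a flipped byte. The store still knows exactly when each id was written and read.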

Fog computing is inherently limited: since the data in the cloud is entirely opaque, no useful computation can be done with it there. You cannot have shared calendars with conflict detection in the cloud, you cannot edit documents which live entirely in the cloud, and so on. But it is, or can be, secure, and if you care about security this is what you should be doing.

  1. The quote is current at the time of writing, but edited to remove names. 

  2. If you are a large enough organisation to get computers custom-made to your designs then you can make them very cheap, and some cloud providers do just that. Almost all of them will be building custom datacentres. 

  3. Documents which are not sensitive or which should be public can of course be left in plain text in the cloud. 

  4. And even then the shabby people with their bits of paper and police escort can come calling, but at least you will know they have called, which is the best you can hope for.