The Bruce Schneier approach to security?
I asked Bruce Schneier one of the things that currently concerns me most. How can I be secure in the cloud?
Bruce Schneier
“You can’t,” he replied. “In the cloud you’ve given your data to someone else. How can you secure what you don’t have? You don’t even know where it is.”
What about data tagging, I asked.
“Doesn’t work,” he said. “Technologically impossible. How can you tag a bit?”
Just for a moment, I thought I was being given a lesson by Heisenberg. “Wait a minute,” I said. “At a philosophic level exactly the same applies to the data on my desktop.”
“That’s right,” he replied.
And that’s when I realised. Schneier, in his trademark subtle-as-a-sledgehammer style, was giving me a lesson in security: it doesn’t exist and you can’t have it. What you can have, and must aim for, is an acceptable level of trust.
On your desktop you ask yourself, do I trust this hardware manufacturer not to have installed something nasty? Do I trust my software not to be full bugs and phone-homes? Do I trust my security software to raise my level of trust to an acceptable level?
And in the cloud, you ask yourself: do I trust this supplier to protect my data, and store it in the right place.
Maybe we should rename it: infotrust…
Kevin Townsend 
I don’t think it should be Trust that we’re looking for from our technology and providers, we already have to trust them – what we want is trustworthiness.
Trust is simply what you have to do when you can’t be certain of something – like our current situation with regards information security. When I get on a plane I trust it to have been properly maintained by its owners, if I discover that an airline has not been doing so then they cease to be trustworthy and I decide to fly elsewhere. It should be the same for Cloud suppliers.
LikeLike
Bruce has been my hero since I bought Applied Cryptography all those years ago. Tells it like it is.
LikeLike