Imagine you are a security guard, charged with protecting a diamond necklace. Unfortunately, the necklace has been broken into a few million pieces—and they’re scattered from Seattle to Singapore and everywhere in between.
That’s the essence of the problem facing UAB computer security expert Ragib Hasan, Ph.D. Hasan is searching for ways to safeguard the far-flung packets of data created when companies entrust their information to “the cloud.” He is also preparing students for a new wave of technological change by getting them up to speed on one of the hottest topics in tech.
Apple and Google have invested heavily in cloud computing in recent years, offering users the chance to store their music and other files on computer servers rather than on their personal machines. The advantage: instant access to songs, documents, and other data from any device, whether it’s a cell phone, the office laptop, or a home computer.
[For more on cloud computing, see "Cloud Computing in Three Easy Steps."]
But cloud computing could have its biggest impact as a corporate tool—one that allows small start-ups to expand with minimal investment, and any company to cut costs and improve efficiency. “The idea of cloud computing emerged from the large data centers that companies like Amazon and Google built in the 2000s,” Hasan says. “Amazon in particular had to build massive data centers with thousands of servers to handle the rush of Christmas orders each year, but their investment wasn’t being used efficiently. Most of the year, they were only using 5 or 6 percent of their capacity. So they got the idea of selling this excess capacity to others.”
In 2006, Amazon launched a program that let customers borrow its computers starting at 10 cents per hour—and if customers didn’t have their own applications to run on the computers, Amazon would rent them as well. “The computers are sitting in Amazon’s data centers,” Hasan explains. “Each machine can be accessed by up to eight customers at a time, so they can handle quite a bit of capacity.”
The cloud paradigm “changed the technology market considerably by reducing the barriers of entry,” Hasan says. “If you want to compete with Twitter by launching your own Web site, you don’t have to pay millions of dollars to buy your own servers. You can start small by renting a few servers, then scale up as your business grows.” In fact, Hasan notes, Twitter itself “ran on top of Amazon’s cloud” for its first few years of life.
Into the Black Box
The trouble is, “right now you don’t have any guarantees about what happens to your data when it goes in the cloud,” Hasan says. “That might not matter with your personal mp3 collection, but when it comes to financial data or health-care records, you certainly should care.”
“Federal regulations mandate that you provide adequate security for data, and it’s just not there at the moment for cloud computing,” Hasan says. Existing security options “make the clouds so inefficient that they aren’t used,” he notes. “I want to find a way to make security schemes more efficient and apply them to clouds.”
Amazon now has several large data centers in the United States, Asia, and Europe. “They can automatically transfer the load of traffic between these centers”—for instance, as U.S. demand peaks on heavy shopping days, European servers can help out—“and as the customer, you never know what’s happening,” Hasan says.
But that doesn’t sit well with corporate customers who want to know that their information is being kept secure, not bounced around to computer servers worldwide. Companies like Amazon “want to keep the cloud as a black box,” Hasan says. But corporate executives pondering cloud-based applications for spreadsheets and company memos are “going to want security guarantees about exactly where their data goes and what happens to it in the cloud.”
Hasan and a group of student researchers are experimenting with new cloud security techniques as a part of his new Secure and Trustworthy Computing (SECRET) Lab. He is also investigating new ways to provide secure location information that can increase the level of data security on mobile devices such as cell phones. Hasan received a 2011 Google Faculty Research Award to fund this work, which is focused on developing collusion-resistant tracking systems that could be used at defense installations and food supply chains, among other applications.
Two years ago, Hasan designed one of the world’s first university courses on cloud security while he was at Johns Hopkins University. He brought the course with him when he came to UAB in summer 2011 as an assistant professor in the Department of Computer and Information Sciences, and he taught it for the first time in fall 2011. The course attracted the attention of Amazon, which recently awarded Hasan research and teaching grants.
This is a great time to get involved in the field, Hasan notes. “Many companies are looking to build their own clouds, besides Google and Amazon,” he says. “These companies need people who know how to make clouds secure. Last year at Hopkins, a lot of people in my class went on to join Amazon and other cloud vendors, and they told me that the human resources interviewers at those companies were really surprised to find that they knew all the details about cloud security issues.”