A candid Peeyush Pande, Inspector General, Special Protection Group, Government of India, exemplifies the reasons that hold people back from using technologies like cloud, especially in a government setup.
As a user I would like to have as much ease and efficiency as any technology can offer. My adversary is not a hacker, not somebody who is going to exploit or learn, but someone who is making that system.
Suppose I have data that needs to be secured, but I am not very convinced. Even if you encrypt it, my concept would be that my encrypted data, unencrypted data and encryption algorithm, along with the key, exist; so what stops anybody from hacking into it? How do I know how secure and how valuable my encryption is? Who would evaluate that encryption? Those who work in the government know that certain evaluations need to be done, and there are people who develop those encryptions ready for such evaluations.
My concern is not whether my data is secure in a data center; I am concerned about who is securing it. Is it the employees who have access to that data? Or is it the people who are not only my employees, but also those of the service provider? What access do they have? And it is these concerns that prevent a lot of us from using the true potential of the cloud in an efficient manner.
The ignorance of the user in a government setup is phenomenal. For example, when I was in the Calcutta Police, in 2002, there was an attack in front of the American Center, in which we lost five of our constables. All the communications between the persons initiating that attack on the police personnel were based in Dubai, all the calls were routed through the US and all emails were routed through various servers. We got all the details and went through those. But the first task was educating my men on what the things were about and how they happen. After doing that, it was important to educate the public prosecutor for presenting the case, and after that we had to educate the judge, because he did not know what a user ID or a password stands for.
The first prerequisite for effective use of cloud as a technology in the government sector is adequacy of knowledge of the user who is going to use the systems. If I am distrusting the user or the service provider, I am distrusting myself, because that way I am making the whole system exposed and vulnerable to all the leakages that may happen.
For me, it is important not only to trust them—trust the person who has made and presented the system to me—but also to trust myself, because if I am not confident of using it, I might expose my secrets. As for the level of security, suppose I have an armour that will protect me from a bullet, but if I use the same armour against a tank, it won’t work.
In various government departments, different levels of secrecy are required. But how do I evaluate what level of security I need, and how do I evaluate the service provider that I look forward to? That is where we need the industry to guide us as to what questions I need to ask, like what it is that I am using, where I am storing, what security protocols they are using.
It is very important that people like us are taught what questions to ask the cloud service providers, as we don’t have the standards which will help us know the fundamentals of cloud computing. And, if those questions are answered in the affirmative, then you are free to provide us those services.