Letters to the Editor
DOI: 10.1145/1785414.1785417
Don’t ignore security offshore, or in the cloud
Moshe Y. Vardi’s Editor’s Letter “Globalization and Offshoring of Software Revisited” and Dave Durkee’s “Why Cloud Computing Will Never Be Free” (both May 2010) failed to address security risks. Vardi’s headline promised an update on the questions raised by increased globalization of outsourced software development. Though I knew his main focus was on the economic impact of global outsourcing, I was still disappointed there was no mention of the security challenges posed by the global supply chain for software. Such challenges have prompted the U.S. Departments of Defense and Homeland Security, the SAFECode consortium, and numerous other organizations to commit significant effort to combating threats posed by software of unknown pedigree and provenance, including individual and state-sponsored “insider threats” (such as implanted malicious logic, backdoors, and exploitable vulnerabilities), particularly when developed offshore. See the Government Accountability Office’s Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks (http://www.gao.gov/new.items/d04678.pdf) and the Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DOD Software (http://www.acq.osd.mil/dsb/reports/ADA486949.pdf). Though both focus on software used by DoD, the security issues apply to any organization that relies on outsourced software for critical business or mission functions.

Meanwhile, in an otherwise admirable assessment of the strengths and weaknesses of the cloud computing model of outsourced IT-as-a-service, Durkee likewise failed to mention potential consequences of cloud providers not protecting outsourced computing infrastructure against hackers and malicious code. For example, when discussing transparency, he overlooked the fact that no cloud provider allows its customers to implement intrusion detection or security monitoring extending into the management-services layer behind virtualized cloud instances. Moreover, these customers have learned not to expect their providers to deliver detailed security-incident, vulnerability, or malware reports.
Author’s Response:
I strongly agree with Goertzel’s sentiment and appreciate her raising this very important issue. The executive summary of the 2006 Globalization and Offshoring report said: “Offshoring magnifies existing risks and creates new and often poorly understood or addressed threats to national security, business property and processes, and individuals’ privacy. While it is unlikely these risks will deter the growth of offshoring, businesses and nations should employ strategies to mitigate them.” The report’s Chapter 6, “Offshoring: Risks and Exposures,” covered the risks at length.
Moshe Y. Vardi, Editor-in-Chief

Up in the air
Describing the network effects of a cloud strategy, particularly when it involves SaaS platform efficiency, in his “Technology Strategy and Management” Viewpoint “Cloud Computing and SaaS as New Computing Platforms” (Apr. 2010), Michael Cusumano said that major cloud hosts, including Amazon, Google, and Salesforce, generally rely on detailed SLAs to guarantee security and other parameters for their hosted customers. However, many such hosts, including Amazon SimpleDB and Google Apps, agree to SLAs involving only, perhaps, performance degradation limits and availability of a given service. If cloud-related SLAs fail to include more specific parameters, the cloud infrastructure risks closing itself to new, innovative services due to its lack of dependable guarantees.
Burkhard Stiller and Guilherme Machado, Zürich, Switzerland

Author’s Response:
As with performance and uptime, cloud security is determined by the necessity of meeting the terms of SLAs as demanded by customers. As they mature, they will demand even more from their providers’ SLAs by agreeing to industry-standard audits and certifications that ensure they get the security they need, a topic that is a great starting point for another article.
Dave Durkee, Mountain View, CA
Diversity factor
Richard Tapia’s inspiring Viewpoint “Hiring and Developing Minority Faculty at Research Universities” (Mar. 2010) said that looking for the next Gauss or Turing is not necessarily the key criterion in all CS faculty searches. I have sometimes sensed confusion between the notion that research excellence drives academic success (it does and should) and what might be called the “additive argument,” or belief that maximizing the potential research stature of every new hire automatically maximizes a department’s overall excellence in research. I read Tapia’s section on reexamining search criteria to mean this is not always the case. I concur, convinced that the effects of talent are not simply additive.