Mobile Device Economics and Security

I often wonder about the changes as a result of mobile technology in so-called rural and under-developed areas. The cost of infrastructure can be prohibitive compared to deployment of wireless technologies. My first introduction to this was when Brazil announced cell phones were being sold within 24 hours at a time when a phone line there could take as long as a year to install. That was over ten years ago. Brazil went from extremely low telephony penetration (sorry I don’t remember exact stats) to over 50% by 2006. Ukraine in 2010 reported 115% penetration for 54 million users. Just one mobile provider in India (e.g. Bharti Airtel) can report over 2 million new subscribers in a single month! Imagine trying that with this system:

Now I see companies racing to deploy ATMs with the same mobile technology. A point of sale (POS) device and/or a cash dispenser can be placed anywhere you have power. It became clear that the switch from land lines to wireless could significantly reduce the cost of creating and expanding capital for a market. This trend towards micro-capital on a giant scale is why I was excited when asked to help draft a security standard for ANSI that will ensure ATM and POS wireless implementations can be done securely.

A friend in Asia just pointed out a recent paper that is extremely helpful to me for this project. It is a detailed study of the economic impact of information technology in India that confirms the theory above. Wireless technology significantly assists the growth of markets in under-developed areas at a fraction of the overhead and cost of traditional IT. This paper from 2007 called “The Digital Provide: Information (Technology), Market Performance, and Welfare in the South Indian Fisheries Sector” provides the following synopsis:

Between 1997 and 2001, mobile phone service was introduced throughout Kerala, a state in India with a large fishing industry. Using microlevel survey data, we show that the adoption of mobile phones by fishermen and wholesalers was associated with a dramatic reduction in price dispersion, the complete elimination of waste, and near-perfect adherence to the Law of One Price. Both consumer and producer welfare increased.

This raises the question of information resilience in terms of confidentiality, integrity and availability. It is truly exciting to think of the benefits described in the paper, but as a security professional my job is usually to focus on the risks. That is why I have dedicated a chapter in the new ANSI draft to the problem of security in mobile technology for finance. We need to plan and create more dynamic controls for distributed commerce — decentralized or federated markets. This is only possible once business managers can see how and why risks from wireless really are different from wired, especially in terms of new business models.

Animal Biometric Door

The Flo Control Project, named after the feline Flo, has posted a promising update on their animal access control door. They added a facial-recognition system to try to deny Flo access if she has something in her mouth. Technically they are basing recognition on a shadow profile, rather than on Flo’s actual face.

The database of images for access success and failure is probably the best part of the entire story. The key weakness (pun not intended) of physical access systems is usually related to monitoring. A building with only ten doors and half that many cameras can easily find an operations center overwhelmed or soon uninterested in the data. One way to avoid this is to create an analysis and alarm system. Another is just to run tests that are interesting or even amusing. Flo gives a perfect example of the latter:

Flo was allowed in, in all of these instances, appropriately so. The vast majority of captured images are like these, just Flo by herself. She goes in and out 5-10 times a day, so we get a lot of these. Cases when the latch does not open are much more rare, especially now, when there are not many animals for Flo to catch. Still, she tries to bring something in occasionally, and we also get other unauthorized visitors: skunks and even birds. Below are some of the cases when the latch did not open.
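As an added example (not Flo Control's code) of the analysis-and-alarm approach mentioned above, the Python script below triages a constructed access log so that the routine allow events the project describes do not swamp whoever is watching, and only bursts of denials within a short window raise an alarm. The log format, the door name and every event reason in it are assumptions made for the example.

```python
"""Access-event triage for a small physical access system.

Added example, not the Flo Control Project's code. Assumes a constructed log
format of one event per line: '<ISO timestamp> <door> <ALLOW|DENY> <reason>'.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines modelled on the allow/deny cases the post describes:
# many routine allows, a couple of "something in the mouth" denies, and a
# cluster of unknown visitors late at night.
SAMPLE_LOG = """\
2010-03-01T06:12:00 catdoor ALLOW profile_clear
2010-03-01T06:40:00 catdoor ALLOW profile_clear
2010-03-01T07:05:00 catdoor DENY profile_obstructed
2010-03-01T07:06:00 catdoor DENY profile_obstructed
2010-03-01T09:30:00 catdoor ALLOW profile_clear
2010-03-01T22:15:00 catdoor DENY unknown_visitor
2010-03-01T22:16:00 catdoor DENY unknown_visitor
2010-03-01T22:18:00 catdoor DENY unknown_visitor
2010-03-02T06:05:00 catdoor ALLOW profile_clear
"""


def parse_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, decision, reason = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "door": door,
            "decision": decision,
            "reason": reason,
        })
    return events


def summarize(events):
    """Count events per (decision, reason); allows dominate, as the post notes."""
    return Counter((e["decision"], e["reason"]) for e in events)


def deny_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return (door, start_time, count) for each run of >= threshold denies
    inside one sliding window. Isolated denies stay in the image database for
    later review; only bursts are worth paging someone about."""
    denies = sorted((e for e in events if e["decision"] == "DENY"),
                    key=lambda e: e["time"])
    alarms = []
    i = 0
    while i < len(denies):
        start = denies[i]["time"]
        j = i
        while j < len(denies) and denies[j]["time"] - start <= window:
            j += 1
        count = j - i
        if count >= threshold:
            alarms.append((denies[i]["door"], start, count))
            i = j  # skip past this burst so it is alarmed only once
        else:
            i += 1
    return alarms


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(evts).items()):
        print(f"{key[0]:5} {key[1]:20} {n}")
    for door, start, count in deny_bursts(evts):
        print(f"ALARM: {count} denials at {door} starting {start.isoformat()}")
```

With the constructed log, the two morning denials (Flo with a catch) stay below the threshold and are left for the image database, while the three unknown visitors in a few minutes produce a single alarm. The window and threshold are the knobs an operations center would tune against its own allow/deny ratio.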

This brings to mind the story of Little Red Riding Hood. It certainly has shades of “what a big nose you have!”

It also brings to mind the purpose of a cat bringing its catch home. Perhaps a better setup would be a cat-trap (e.g. man-trap for cats) where Flo could deposit her catch to secure it and receive praise. A similar model could be a DCZ (De-Catch-ified Zone) that would exist as a segment between outside and inside.

Personally, I have been thinking about another control I would add to an animal control system, which I’ve mentioned before on this blog. Perhaps if I have time I’ll give it a go and test it on my own animal(s). Right now, however, my pet(s) are not violating any policies and I do not have unauthorized animal access issues.

Cloud Security Alliance Conference

The best minds in cloud security are meeting today at the Cloud Security Alliance Private/Public Cloud Summit…no, not really. I just wanted to say that because it typifies the hype and marketing I often find in cloud computing model discussion. There are a lot of smart people here, though, and the presentations are interesting.

We have heard about compliance in a presentation by Symantec that should have been titled “Why SAS70 (still) has zero value”. Naturally the compliance presentation brought up the ubiquity of LAMP.

We also have heard from Dell about how they support LAMP, especially after their merger with Perot. They offer consulting services for LAMP, to get your company in the public cloud.

The Burton Group presented on the trust and identity models of private and public clouds, and how LAMP might be deployed.

LAMP? It’s the Linux Apache MySQL PHP (or Perl) model of computing. I guess it’s more PC (pun intended) to just talk about cloud computing instead of calling it enterprise LAMP.

eBay, also a cloud provider, presented on identity and encryption and how they are moving to a public cloud as a consumer. They didn’t mention LAMP but you know it’s in there. Instead they talked about how cool it is to deploy code to handhelds and phones…oh, yeah, and I’m sure they were developed by the best minds in cloud. Next please.

Aside from the LAMP angle, what stands out most to me is the notion of linear change. Every presenter is working with the assumption that traditional computing was transformed by virtualization, which then became private cloud and will eventually achieve public cloud status.

This strikes me as awkward, if not completely skewed. Many people obviously are vested in the public cloud as the height of evolution (those selling products and services). Here’s a typical comment, found in the eBay slides:

“Private clouds do not offer the cost savings of public clouds”

Click. Next slide…wait, wait, just wait one minute. How is that cost measured? Are you considering privacy cost savings? What about control and compliance cost savings?

Long story short, I see an evolution ahead from proprietary but public cloud to distributed and open public cloud. This is like saying the true private clouds will come about just like LAMP. What do I mean by true private?

Remember how data was put on the Apple, IBM, Sun, Microsoft and Oracle etc. devices while they promised “cost savings” versus roll-your-own systems? LAMP grew and evolved and roll-your-own has again become the future of data management.

Look at the cloud option when you install Ubuntu 10.04 and you see a hint of the future cloud. They will be in loosely confederated private hands, rather than strictly in a “public” and proprietary model.

Those who argue that clouds achieve their final state as public only, in the large corporate and proprietary sense, seem to forget that government regulators are a huge factor in confidentiality, integrity and availability. You want privacy? Oh, yeah, then don’t go proprietary. You want high availability (e.g. you can’t cut off someone’s service over a contract dispute or non-payment issue)? Then don’t go proprietary. Go LAMP, go open.

It thus seems to me that the Amazon, Microsoft and Google cloud solutions are a stepping stone and not the end of evolution. We would be wise to call it the proprietary phase of cloud that will be followed by the movement to open platform cloud options.

The real end-state, the future after public clouds, could be something like a contiguous and private network created from appliance-like cloud apps meant to run on any system — like TOR or P2P. Imagine, for example, that every computing device owned by a company (laptops, desktops, handhelds…everything) could provide some portion of CPU, network and memory to their very own compute “cloud”. The role of security in all this will be to allow customers to deploy a free and open cloud infrastructure themselves without the need to hand over everything to a “provider” that they can never trust without real/tangible costs.