Oftentimes, we delegate the storage of our electronic information to third parties, perhaps without considering the risks of not keeping it "under the mattress."
We are constantly immersed in a digital world to the point where we no longer notice it. Many things that were once considered science fiction are now part of our daily lives. Although the pace of technological evolution seems to have slowed somewhat after the rapid advancements of recent decades, it continues to progress. The next frontier is quantum computing and quantum computers-technologies that, if fully realised, will render today’s supercomputers obsolete and make them appear as slow calculators by comparison.
However, there is a downside to such efficiency and speed: all’our security systems will become obsolete and, as a result, more or less easier to bypass. The problem will impact the entire digital landscape, affecting everything from communications to cloud storage, where we unknowingly accumulate vast amounts of data every day.
But this is music of a future yet to be written, if anyone ever writes it (in May 2023, IBM announced plans to develop a quantum computer by 2033. The cost? $100 million). But is there a definite date? "As with other advances in this field, it is always a matter of 5-10 years," explained Cesare Pautasso , Professor at the Faculty of Informatics at Università della Svizzera italiana, with a touch of irony, because deadlines are rarely met. However, scholars and researchers have been studying and worrying about this evolution for some time. Nevertheless, for us mere mortals, the question does not yet arise, nor, it seems, will it arise for quite some time. So we might as well focus on the present and ask ourselves whether our data and our cloud are secure.
The third wheel
"The issue at hand involves three parties: two who are communicating and a third who aims to intercept their communication," Pautasso replies. In this scenario, we have the cloud, our digital devices (such as mobile phones and PCs), and the Internet facilitating their communication. However, the same Internet also enables potential interference from outside parties. According to experts, therefore, "the key security challenge is ensuring that the information transmitted to the cloud remains confidential." Is it all plain sailing? Not at all, as things quickly become complex, given that "there are actually two versions of the cloud, one private and one public. The private cloud version means that the entire system is controlled by a single organisation (for example, if I am at university, I have control over the computers on the desks and also over the cloud)." When control of the cloud is given to a third party such as Amazon, Google, Oracle or other providers, "responsibility is shared: the data in the cloud should continue to belong to the organisations that generated it, while the cloud infrastructure belongs to the service providers. So the model changes." After all, this is also one of the reasons for the success of the cloud - there is no need to make large investments since one rents the space needed. However, "from a security standpoint, matters become complicated." It is challenging to determine which of the two systems is superior because security cannot be quantified like speed; it often relies on perception and trust.
And in fact, "companies that want to sell cloud services often claim that security is difficult." It is true that these companies have a multitude of experts and engineers working precisely "to ensure the security of these large cloud centres," so in general it is possible to say that they are "much more secure than what you would get if someone tried to set up a security system at home on their own."
However, absolute security does not exist in either system. For example, data "can disappear for various reasons, such as external factors related to the natural decay of the universe, as everything eventually breaks down. More seriously, data loss can occur due to intentional actions, such as a series of cyber attacks that make access to a system and its data impossible, followed by a demand for ransom to restore access. This situation is known as ransomware." These attacks can also "intercept communications or gain access to sensitive data and then threaten to make it public if you do not pay." This happened to Professor Pautasso once: "I had a database with scientific data that ended up connected to the Internet. Within a couple of hours, the data disappeared, and I received a message stating that if I did not pay a ransom, the data would be published. Fortunately, the issue resolved itself because we had a backup copy. From a scientist’s perspective, this turn of events was actually beneficial, as researchers typically aim to make their work public and share their findings. However, if a similar situation had occurred with a bank or another company, it would have been far less amusing."
The Forever Factor of Redundant Data, for better or worse
On the eternity of data, however, we are witnessing a "digital paradox, because it is challenging to create a system that guarantees that the information I want to delete is actually removed while preserving the most important information over time". All it takes is a minor accident, such as losing your login password, and your data becomes inaccessible. Not to mention that cloud companies, like all companies, can have problems or even fail, with unpredictable consequences for the data stored. Consequently, for Professor Pautasso, the only "strategy to guarantee the eternity of our data is to try to have as many copies as possible, both locally and in the cloud. And not just in one cloud, but in multiple clouds. To preserve it, the recipe is redundancy". In this sense, "there are very interesting engineering solutions that copy, transfer and replicate data between different disks, computers and data centres around the world", but this brings us to the other side of the paradox: "If I create this redundancy and want to delete something, how can I be sure that everything has been removed from all copies?"
In short, there are many different problems. For example, "another interesting aspect concerns data sovereignty. The cloud is an abstract concept, making it unclear exactly where data is stored. However, it is very much a concrete reality controlled by companies from Europe, America, Asia, and Switzerland. There is a perception that the Internet has a "customs office" that can control and block access. Still, since communication on the web is universal, if my data is in Switzerland and I do not take steps to prevent access from, for example, America, it is clear that it can be accessed." The turning point for security was the Snowden case, which revealed that "if you store data in the cloud, it is no longer private", as the American government had taken everything that had been put there without any restrictions. Consequently, "since then, the use of encryption has significantly increased to make these practices more challenging."
Encryption on, Encryption off
However, encryption is likely to come to an end, at least as we know it, due to the advent in the not-too-distant future of quantum computers, "with exponentially higher computing power than current computers". They can perform calculations in a matter of moments that would take current machines years to complete. This capability could enable them to "decrypt all’encrypted data." Currently, "store now, decrypt later" attacks are already occurring, where hackers steal data to decrypt it in the future using post-quantum algorithms. This is a significant area of research at USI, led by Professor Stefan Wolf, as the potential problems arising from this issue could be numerous and serious. Pautasso mentions just one, but it affects us all: "If I possessed a computer capable of decrypting all credit card transactions on the Internet, it would spell disaster for e-commerce." As mentioned, quantum computers have the potential to perform complex calculations in a very short time, which could make current cryptographic algorithms obsolete. These algorithms rely on the difficulty of solving mathematical problems, and the advancement of quantum computers poses a risk, making our systems and communications vulnerable to attacks. This is a significant concern, as it affects not only privacy and online commerce but also data stored in the cloud, where sensitive information is kept. To address these threats, post-quantum cryptography (PQC) will need to develop new algorithms that can withstand such attacks. Digital companies like Google and Apple are already collaborating with leading global research centres to create new security protocols. These may involve pure post-quantum methods or hybrid approaches that combine traditional and quantum cryptography-another promising research area. Ultimately, companies and organisations utilising cloud services must update their security infrastructures to incorporate post-quantum technologies. It will be crucial for them to comply with emerging quantum security regulations.
