Making the cloud work: The federation connection

For Google Wave or any other mega-sharing, browser-based application to work for government, agencies must resolve the issue of trust, writes Chris Bronk.

In my previous column (“Google Wave Could Crush the Competition,” Jan. 11), I raised some questions about how Google’s Web applications, principally Wave, fit with policies regarding ownership and custodianship of data. Of information stored in Wave’s piece of the Google cloud, I asked, “Will it commingle with nonfederal data? Is that OK?” Surprisingly enough, someone at Google took the time to write me a response. It’s not every day in academia that someone reaches out and answers your questions.

I was sent a pointer to the Google Wave Federation Architecture white paper, a straightforward, high-level concept piece on how Wave’s server-to-server communications will work. The company realizes that most organizations will not want to simply toss their information on Google’s server or one maintained by a random service provider. That is especially true of the federal government. Agencies operate under the provisions of the Office of Management and Budget’s Circular A-130, which contains guidance about data custodianship. With Wave, Google understands that some folks — for instance, the federal government — might want their own Google boxes, appliances or services that live someplace other than Google’s data centers.

Making Wave or any other mega-sharing browser-based application work for government or most other large organizations essentially boils down to the issue of trust. People inside and outside government might want to work together and share information, but they have to trust one another to do it. Technologists and policy-makers view trust differently. Google’s white paper has the right technical pieces to make a computer engineer or information systems director happy. Wave’s network protocol is largely borrowed from the Extensible Messaging and Presence Protocol, a set of Extensible Markup Language technologies used by Apple iChat and Jabber. Transport Layer Security handles authentication and encryption of connections. Those and other well-understood protocols allow Google’s engineers to say they have thought about a federated model for the control of information.

But what does that mean in practice? Let’s dig out information security’s favorite cardboard cutouts. Alice and Bob, who work at different organizations, can create waves, with the component wavelets each of them produces sitting on their own server and replicated to the others. Wave has a good idea of what Alice or Bob wrote or added, and where each piece resides, because it assigns lots of unique ID numbers and ties them to Alice’s or Bob’s Wave server. The behind-the-scenes server-to-server connection allows them to communicate while keeping out that ever-malicious Eve, who’s had a bad rep since the days in the Garden.

Government approaches the issue of trust a bit differently. It’s also thinking about federation — the problem of how trustworthy folks can share information and work together. But instead of thinking in terms of computer code, it’s more about that other code, the legal stuff. The good news is that people in the U.S. government are thinking about it. The bad news is that it’s complicated. More on that in next month’s installment.