Cloud Security and the Enterprise

Thursday, March 29, 2012

Ben Kepes


Recently I spent a remarkably enjoyable hour chatting with Steve Gillmor and John Taschek on a special enterprise-focused Gillmor Gang.

Somehow I was roped in to be the provocateur, and judging by many of the comments on the back channel, it would seem I was successful. Over the next little while I’m going to write about different issues we discussed on the show.

MegaUpload, the Patriot Act and Vendor Arrogance

See, I said I was going to be provocative! On the show I raised the issues around MegaUpload and talked about how I saw them as very much the start of an ongoing series of US Federal authorities coming down hard on providers at the behest of the recording industry and Hollywood studios.

Prior to MegaUpload, the general view espoused by vendors was that cloud services were safe overall and that copyright infringement was potentially a risk to individual users' connectivity, but not to service providers' offerings.

Well, the takedown notice on MegaUpload put paid to that contention. So vendors have come out with a response that I have to say smacks of cloudwashing – they’re contrasting the service they provide with that of the less scrupulous service providers. The phrase “trusted provider” gets thrown around freely.

I’m not sure where these vendors get the justification for taking this line – if end users store data with them (as in the case of MegaUpload) and that data is shown to breach copyright (again as in the case of MegaUpload) then there is the risk that these providers too, no matter how much they profess to be a trusted provider, could also face the wrath of the authorities.

I believe that two distinct things need to happen, and soon:

Change the Law

Now I’m no lawyer (but have studied law enough to be dangerous) but it would seem to me that legislation and regulation fall greatly behind the realities of technology. I’d never suggest that MegaUpload is a shining bastion of virtue.

But the fact is that honest users had legitimate data stored on MegaUpload servers and the actions of the federal authorities denied those users access to their data. I believe this is untenable and undermines the rights of legitimate individuals and organizations.

Regulations need to mature such that they no longer take such a scattergun approach but rather have the ability to target the specific data that breaches copyright and the specific users who upload that data. Anything else is plain unfair.

Give us Geographic Granularity

Swayed perhaps by the fact that I live outside of the US, I believe that it is simply not viable for cloud vendors (be they infrastructure, platform or software) to provide services where data is located in only one, or a small number of locations.

While some would argue that giving users more geographical options fundamentally negates the economy of scale benefits that cloud providers enjoy, I believe that until we offer users highly flexible options around data storage and transfer, a significant proportion of potential users of cloud services will avoid doing so.

It’s plain arrogant for vendors to pass off this issue as of no consequence or invalid – real customers around the world hold grave fears about the impacts of the Patriot Act and issues around privacy regulations.

What Will Happen?

Some of these issues will be resolved by an increasing demand for cloud services – Amazon’s recent opening of a South American facility, Salesforce building out data centers rapidly and a host of other indicators speak to this point. But my contention is that we need to give natural supply and demand a boost: vendors need to hyper-invest ahead of the supply and demand curve as a strategic move to allay the concerns of users.

At the same time we need to ensure that legislation and regulations truly reflect the realities of the cloudy world we live in and do not allow for a shotgun approach to compliance that primarily meets the needs of just one powerful interest group.

Cross-posted from Diversity
