On Security, Legislation and Cloud Vendors

Friday, March 16, 2012

Ben Kepes


While in the US recently, I spent some time talking with vendors about the security of Cloud data, in particular the impact of the DCMA and Patriot Act on non US customers of vendors.

As part of my research I spent some time talking with Lindsay Finch, Senior Global Privacy Counsel for Salesforce and Box.net co-founder and CEO Aaron Levie.

I wanted to meet with these guys and get their read on the situation – ever since the MegaUpload case, when innocent customers of an admittedly generally dodgy cloud service lost their data after a global take-down notice, it has concerned me that more mainstream vendors might have an impending issue they need to think about.

My perspective is simple – given that the federal approach towards DCMA enforcement is a seemingly random and external factor, it’s simply not good enough for organizations to have a “we’ll be fine” attitude that simply says their customers are legitimate and hence the issues impacting on MegaUpload customers would never happen to them – it only take a shift in regulators attitudes, someone deciding that Box is an awesome place to share illegal content, or some other unknown variable to bring their own walls tumbling down.

This “we’ll be fine” attitude was displayed by Levie in a FastCompany interview where he said;

"There’s a lot of lumping of services that’s going into this conversation. It’s challenging, because this is a case where the technology and the companies are actually polar opposites. While they can all host content, obviously the way they are monetized and used is vastly different."

I put this to both Finch and Levie and their responses were well reasoned and interesting. Finch pointed out the very low number of takedown requests that salesforce sees and pointed out that even Google, a more consumer-centric provider and hence likely a vendor with a higher chance of having breaching materials within its servers reports a relatively low number of takedown notices.

I asked both Finch and Levie about reporting these statistics for their own organizations – Levie in particular was adamant that this was unnecessary stating that the number of DCMA requests Box receives are so miniscule as to not even be an issue worth talking about. And it’s when these requests come in that the differences between credible and nefarious providers comes in;

"The DMCA is pretty clear: You have to be removing this content as soon as you get a request in."

And to demonstrate just how differently the two services are used, Levie boasted of the fact that companies in the entertainment industry are some of Box’s biggest clients – the same folks crying foul over Megaupload. Levie sees this as a proof point for the difference between what Box and less legitimate vendors are doing.

In turn Finch told me that she sees very few requests relating to data that Salesforce customers store within their services. She also says that Salesforce.com does not publish a similar report because, as a B2B company, the number of requests they receive is substantially smaller than the number published by Google.

While the perspective from these two leading vendors is interesting – I’m still seeing a need in the long term for tighter options beyond the words of comfort. While some carefully worded spin will suffice in the short term, in the long term something far more substantive will be required to answer these concerns.

Cross-posted from Diversity

Possibly Related Articles:
Cloud Security
Service Provider
Cloud Security Storage Cloud Computing Managed Services legislation Law Enforcement Data Recovery vendors Megaupload DCMA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.