Box CEO: Full technical disclosure will come - but cloud's too young for it yet

Until the cloud market gets bigger, companies will have no motivation to disclose the innards of their IT infrastructure to the public, according to cloud storage company Box's chief executive Aaron Levie.

While Box will give technical details to its large customers, it makes them sign non-disclosure agreements so the cloud storage company can retain its "secret sauce", Levie said. It's a strategy used by other cloud companies - ZDNet understands that Netflix gets more information on AWS's cloud than is publicly disclosed, and is also bound by NDAs.

"I think there's a lot of very productivity-centric reasons for why you'd want to be transparent about it, it makes you competitive when you can do that," Levie said, before acknowledging that there are still "parts of your infrastructure or process that due to your competitive secret sauce are important from a privacy standpoint."

As the market for cloud computing grows, companies may need to disclose more information at the behest of customers, but for the time being the infrastructures of cloud-focused companies will remain hidden, Levie believes.

"Right now there's so much competition and such a heated marketplace that people are way more focused on innovation and competing that that marketplace has not yet required that level of openness," he said. "You're always testing the line of how much information you share and expose."

By example, although Levie told me that Box uses MySQL to store the pointers that link to customer data, he would not tell me what open source filesystem Box uses to store the data. Equally, while he eventually disclosed that Box is likely to choose Amsterdam as the site of its first European colocation datacentre, he would not tell me whether the facility sits in Amsterdam's Schipol datacentre hub, or is located in the city itself where a lot of fibre is.

It's a general problem with the industry, according to Yale academic Brian Ford. Cloud providers' secrecy could lead to cascading failures due to unforeseen bugs in colliding software, according to Ford -- a prediction which was borne out by the weird flaws that appeared in Amazon Web Services' infrastructure during a recent outage.

However, Ford sympathises with companies that want to keep their details private, but thinks they should at least be disclosing full technical details to someone, even if it's a third party information brokerage.

"I think ultimately disclosure for the class of risks that I was talking about, I think some form of disclosure is really critical," Ford told me. "It doesn't necessarily have to be disclosure to the public, it could be disclosure to some trusted third party or certifier or something like that. There's a lot of both technical and probably political and economic questions."

Box's Levie thinks that disclosure will come with time, arguing that the opaque way providers treat their infrastructure is more a sign of the immaturity of the "nascent" cloud market: until customers start demanding information be put in the public domain, companies have no motivation to put it there.

"Customers don't fully [understand] enough those differences between Microsoft and Google and Amazon in terms of what is in their stack and maybe in time they will and that will force more vendors to care about their technology," Levie said.