Cloud interview: Security, privacy, and reliability

Summary: As the cloud grows in popularity, concerns about security, privacy, and reliability become more important. The enterprise cloud is inevitable, but the time has come to develop greater sophistication about these issues.

As the cloud grows in popularity for business and consumers, concerns about security, privacy, and reliability become more important. The enterprise cloud is inevitable, but the time has come to develop greater sophistication about these issues.

As this chart from Computer Economics shows, investment in software as a service is growing substantially:

This rapid growth is driving scary incidents, such as these:

  • April 2011: Part of Amazon Web Services goes down, leaving high-profile sites unavailable
  • April 2011: Sony PlayStation Network loses personal information of more than 100 million members to hackers
  • June 2011: Game maker Sega is hacked and loses personal information belonging to 1.3 million people

Last week, as part of the Boston leg of's Cloudforce tour, veteran journalist, Peter Coffee, interviewed me to discuss privacy and security. We also talked about the importance of standards to help cloud buyers connect different services into a seamless whole.

Here's a video of my discussion with Peter:

Here are written answers to his questions that I prepared as notes for myself in advance. These notes add perspective and depth to the interview:

PETER COFFEE: You’ve written a few things lately on the subject of terms of service for consumer clouds. Do enterprise adopters understand the difference in business model between those consumer services and enterprise platforms?

MICHAEL KRIGSMAN: In the enterprise, we need to distinguish between end users and the IT department. Experienced IT departments should certainly understand differences between consumer and enterprise cloud models; however, end users may not. Facebook, Twitter, and other consumer services have trained users to expect easy, cheap, and simple cloud services.

Enterprise IT, however, must consider the broader context of governance, security, compliance, and so on. For the enterprise, "shadow IT," created by departmental end users, is definitely an issue.

In the end, IT departments' legitimate claim on governance and system ownership must balance against end users' legitimate demands for flexible, adaptable systems. There may be conflicts, but both sides are right; they belong to the same team and must work together.

PETER COFFEE: Do service providers need to do a better job of communicating the security and control that an enterprise cloud can provide?

MICHAEL KRIGSMAN: Communication is important, but substantive protection and prevention is more important. For example, when Sony Playstation online loses personally identifiable information belonging to 100 million people, there's clearly a problem. Routine data theft is unacceptable and too many companies address the security problem only after something bad happens.

Responsible enterprise cloud vendors take security seriously, as a top priority, to prevent intrusions. Given that context, communication of course is important.

PETER COFFEE: Has the cloud become that kind of friendly place for people, where vendors and service providers can personalize their service without people getting nervous about how much they know about their customers?

MICHAEL KRIGSMAN: Personalization requires customer-specific data; the more information cloud providers possess, the greater their opportunity to create a personalized experience for users. However, there is a tension between consolidation of data and the risk of privacy breaches, exposure, and even vendors misusing that data. When it comes to privacy, trust inspires confidence but trust is not a given and must be earned.

PETER COFFEE: Is anyone, in your opinion, setting the example of how to be social without being scary?

MICHAEL KRIGSMAN: Interesting question. When Google first started, I think most people felt comfortable they genuinely would do no evil, to paraphrase their motto. Today, with their vast consolidation of information, trust is a big concern. Former CEO, Eric Schmidt, seemed to dismiss the importance of privacy in pronouncements he made during an interview.

What about Facebook? Their goal is to slice and dice our personal information to make as much money as possible for themselves. Does that motivation lead to trust?

PETER COFFEE: Three years ago, we had to focus on the credibility of the cloud. Today, it seems as if everyone understands the capability, but now the question is the balance of power between the provider and the customer. What should customers be demanding, and what should service providers be doing, to address those concerns?

MICHAEL KRIGSMAN: Customers want to remain in control, so we must start with that perspective. Service providers should ask customers what they want, and what's important to them. Talking with customers is a great best practice.

Both customers and cloud providers have become more sophisticated about the need for data interoperability and transfer. The ability to move data in and out of a system creates flexibility and encourages innovation, so it's important.

PETER COFFEE: As much as I might wish for it, we’ll probably never see a Boston Globe headline that says “ stays up and uncracked for yet another day.” On the other hand, the rare event when a big cloud service has a hiccup is headline news. Are enterprise adopters hearing enough of the success stories, as opposed to the scary hype (and sometimes propaganda) about the risks of the cloud?

MICHAEL KRIGSMAN: We take cloud success for granted in the services we use every day. Gmail loads when we click. Check. Salesforce comes up when we click. Check. And so it goes every day.

We become jaded when vendors talk about success because everyone sings their own praises. In addition, most people find it more interesting to complain about the exceptions than to praise ongoing success. Failure is always more entertaining than success.

Disclosure: Salesforce reimbursed expenses for two cab rides.

  • And the smokescreens continue....

    Reliability is likely to improve as that's just hardware but Security and Privacy won't. Oh, they'll try to improve Security and might well do so (I'm pessimistic about it myself) but Privacy is something they just won't get and won't deliver.
    • RE: Cloud interview: Security, privacy, and reliability

      @Tholian_53 Where's the smokescreen, I just don't see it?

      Security and privacy are big, hard issues that will need sustained and long-term effort to solve.
      • See how well it works?

        Works really good if you don't see it. But I'm sure that you do.

        The "problems" will (likely) never be solved. There will always be security problems (the proposed solutions are often worse than the existence of the problems) and privacy doesn't exist out in the "cloud" because someone else has control of what you put out there. There are not even assurances that what you put in the "cloud" will even be in your country.

        It's all in the EULA anyway and they change those (to their advantage) all of the time. The only way I can change those things is to not use the services.
  • Architecture is for architects, not vendors

    I agree with you that security, reliability, and privacy are important issues for the cloud. However I think you are looking to the wrong group to deliver these.

    In general, these are not cloud vendor issues, these are cloud application issues. The cloud may not be perfect yet, but it is far better than the applications that run on the cloud. If we want good application architecture, we need to look to those who are responsible for the application architecture, not to those responsible for providing the platform for the application.

    I discussed the architectural requirements for cloud optimized applications (as opposed to cloud enabled applications) in my recent white paper, "Cloud Optimized Architectures." This paper focuses on public sector applications, but most of the conclusions are relevant to large, mission critical private sector applications as well. This paper is available at

    - Roger Sessions
    • RE: Cloud interview: Security, privacy, and reliability

      Ok so you think that we'll take the road away from an alleged antiquated computer era & obsolescence in order to follow this "Cloud" computing temptation? What about Cloud data extortion forcing you to upgrade your new tablet continuously (more and more) for maintaining an access to your personal information? What about your personal thoughts (political, sexual orientation, various opinions related to insurances, banking, diseases...) being spied, exploited, sold, hurting you in the end? What about software alienation, not today, sure, but tomorrow certainly, when there will be no more alternative than keep upgrading? Software alienation implies never-ending rising prices... Small hardware fee? Yes but stronger software sellings disconnected from real value or quality... You can compare that with this supposed banking crisis, threatening everybody for losing the hard earned money. What about losing your spirit? Yes the Cloud is a direct connection to your own spirit... and your wallet. The Cloud is nice, the cloud seems cheaper, the cloud "means" hype, ok, but the cloud may reveal lethal. What about this path to dumb simplicity? You don't like the TV ads (that can be resumed with taking somebody & letting him/her know he's stupid)? You hate liars, spies, intruders, amorality, commercial invasion? You won't like the cloud, but don't be afraid, despite this freedom postulate, we don't really have the choice. I can't persuade you or buy your opinion: Giant companies can & do it right now... Best regards.