Cloud interview: Security, privacy, and reliability
As the cloud grows in popularity for business and consumers, concerns about security, privacy, and reliability become more important. The enterprise cloud is inevitable, but the time has come to develop greater sophistication about these issues.
As this chart from Computer Economics shows, investment in software as a service is growing substantially:
This rapid growth is driving scary incidents, such as these:
April 2011: Part of Amazon Web Services goes down, leaving high-profile sites unavailable
April 2011: Sony PlayStation Network loses personal information of more than 100 million members to hackers
June 2011: Game maker Sega is hacked and loses personal information belonging to 1.3 million people
Last week, as part of the Boston leg of Salesforce.com's Cloudforce tour, veteran journalist Peter Coffee interviewed me to discuss privacy and security. We also talked about the importance of standards to help cloud buyers connect different services into a seamless whole.
Here are written answers to his questions, which I prepared as notes for myself in advance. These notes add perspective and depth to the interview:
PETER COFFEE: You’ve written a few things lately on the subject of terms of service for consumer clouds. Do enterprise adopters understand the difference in business model between those consumer services and enterprise platforms?
MICHAEL KRIGSMAN: In the enterprise, we need to distinguish between end users and the IT department. Experienced IT departments should certainly understand differences between consumer and enterprise cloud models; however, end users may not. Facebook, Twitter, and other consumer services have trained users to expect easy, cheap, and simple cloud services.
Enterprise IT, however, must consider the broader context of governance, security, compliance, and so on. For the enterprise, "shadow IT," created by departmental end users, is definitely an issue.
In the end, IT departments' legitimate claim on governance and system ownership must balance against end users' legitimate demands for flexible, adaptable systems. There may be conflicts, but both sides are right; they belong to the same team and must work together.
PETER COFFEE: Do service providers need to do a better job of communicating the security and control that an enterprise cloud can provide?
MICHAEL KRIGSMAN: Communication is important, but substantive protection and prevention are more important. For example, when Sony PlayStation online loses personally identifiable information belonging to 100 million people, there's clearly a problem. Routine data theft is unacceptable, and too many companies address the security problem only after something bad happens.
Responsible enterprise cloud vendors take security seriously, as a top priority, to prevent intrusions. Given that context, communication of course is important.
PETER COFFEE: Has the cloud become that kind of friendly place for people, where vendors and service providers can personalize their service without people getting nervous about how much they know about their customers?
MICHAEL KRIGSMAN: Personalization requires customer-specific data; the more information cloud providers possess, the greater their opportunity to create a personalized experience for users. However, there is a tension between consolidation of data and the risk of privacy breaches, exposure, and even vendors misusing that data. When it comes to privacy, trust inspires confidence, but trust is not a given and must be earned.
PETER COFFEE: Is anyone, in your opinion, setting the example of how to be social without being scary?
MICHAEL KRIGSMAN: Interesting question. When Google first started, I think most people felt comfortable they genuinely would do no evil, to paraphrase their motto. Today, with their vast consolidation of information, trust is a big concern. Former CEO Eric Schmidt seemed to dismiss the importance of privacy in pronouncements he made during an interview.
What about Facebook? Their goal is to slice and dice our personal information to make as much money as possible for themselves. Does that motivation lead to trust?
PETER COFFEE: Three years ago, we had to focus on the credibility of the cloud. Today, it seems as if everyone understands the capability, but now the question is the balance of power between the provider and the customer. What should customers be demanding, and what should service providers be doing, to address those concerns?
MICHAEL KRIGSMAN: Customers want to remain in control, so we must start with that perspective. Service providers should ask customers what they want, and what's important to them. Talking with customers is a great best practice.
Both customers and cloud providers have become more sophisticated about the need for data interoperability and transfer. The ability to move data in and out of a system creates flexibility and encourages innovation, so it's important.
PETER COFFEE: As much as I might wish for it, we’ll probably never see a Boston Globe headline that says “salesforce.com stays up and uncracked for yet another day.” On the other hand, the rare event when a big cloud service has a hiccup is headline news. Are enterprise adopters hearing enough of the success stories, as opposed to the scary hype (and sometimes propaganda) about the risks of the cloud?
MICHAEL KRIGSMAN: We take cloud success for granted in the services we use every day. Gmail loads when we click. Check. Salesforce comes up when we click. Check. And so it goes every day.
We become jaded when vendors talk about success because everyone sings their own praises. In addition, most people find it more interesting to complain about the exceptions than to praise ongoing success. Failure is always more entertaining than success.
Disclosure: Salesforce reimbursed expenses for two cab rides.