Cloud security: Google won't like the enterprise view, neither will Facebook

Last week I was at the grandly titled Cloud Computing World Forum for pretty much the whole of the week. Apart from chairing three sessions and participating in another I wanted to get a feel for what EU people really think about this topic du jour.

The panels gave me an opportunity to explore issues around security/privacy with people who are living the issues as end user representatives. Here's a potted round up of views from some of those sitting in the check writing seats:

1. Generally, panelists are interested in and actively exploring opportunities presented by cloud services though they have plenty of caveats.
2. Gordon Penfold, CTO British Airways for example explained that as representative of an industry we all love to hate, data location is a sensitive issue.
3. Mary Hensher, CIO and IT partner, Deloitte UK and Switzerland said her company has regulatory requirements that demand data be stored up to eight years. She is under pressure to utilize cloud storage but is skeptical about whether such methods will allow her business to remain compliant. Many of the documents and emails that pass between clients and Deloitte are of a commercially sensitive nature and having them the subject of possible scrutiny by virtue of storage location was not something the firm is prepared to risk without a full understanding of what happens in a cloud environment.
4. Robert Johnson, head of front office technology Mitsubishi UFJ Securities International was adamant that while he is prepared to consider cloud for many types of data, counterparty data is off limits.
5. Miles Gray, hardware solutions architect, UK National Health Service argued that understanding how identity management impacts the various systems being integrated in the cloud is taking on greater importance.

From the vendor side, there is a willingness to help but life isn't easy:

1. Sriram Chakravarthy, head of cloud services and product strategy, TIBCO made the point that business should draw distinctions between data at rest i.e. stored and data in flight i.e. data on the move, with each requiring its own approach.
2. Ron Brown, director of cloud computing services CSC believes the days of throwing a solution over the wall and walking away are over. Cloud services imply exactly that - a service - where the provider has to offer assurances that can be validated. The question of data in the cloud is one example. Right now validation is difficult.
3. Philipp Huber, co-founder SymetriQ and Brian Klingbeil, EMEA MD, Savvis agreed, arguing for more mature business models aimed at satisfying the needs of enterprise rather than being tweaked consumer models.

These panels were a solid reality check for those that believe cloud economics outweigh many of the security and privacy issues faced by large enterprise. It emerges for example that Google will not, or cannot, tell you where data is residing. That was seen as a red flag by all panelists. Amazon on the other hand is prepared to assure that for UK and EU businesses, data is stored on servers located in Ireland.

Speaking of Google, I raised the point that Google's terms of service have historically been less than consistent. While GAPE sounds attractive when pitched at $50 pa per user for all you can eat, there have to be serious questions raised about what Google does with customer data. All panelists agreed, expressing concern that low cost providers are less willing to negotiate over terms. Another red flag.

Over the weekend, I noticed that Google has fallen foul of French courts in an action that talks to its monopoly position. Long story short, a company was successfully using AdWords to drive its business only to find that at a crucial point, Google chose to pull those ads, claiming the company was acting illegally:

The company took its case to the French Competition Authority; last week, the regulator issued its ruling on the matter: a) Google acted in a monopolistic way (in France, it controls 90% of the search market); b) Navx business didn’t break French laws governing radar detection devices or services; c) Google did act in a discriminatory way, without any legal ground for so doing.

Google was given five days to reinstate Navx Ad Words account, and four months to clarify its Terms of Service. (The full ruling, in French, is here).

AdWords is different to email or document storage but it is an indication of how Google's murky algorithms can bite a company. Could something similar happen with GDocs and GMail? Google will argue that its customer list suggests confidence in its services. That may be true but then the case studies they chose to showcase at the event are old.

The underlying concern on everyone's lips was the potential impact of The Patriot Act. While everyone recognizes the US needs to take whatever steps it deems necessary to protect its sovereign interests, I sensed a degree of distrust in how that might work out for non-US businesses with data located in the US. That's a political and perceptual issue rather than one born out of fact. But it is something that makes European CXOs think twice before committing to the cloud. That should be a concern to US based providers given the EU is an economic entity at least the size of the US.

But there are broader issues. When someone writes this:

While cloud security is still a critical issue and something that must be taken extremely serious by all vendors, the mood is shifting towards general acceptance of security in the cloud.

John Soat summed things up nicely in his blog post on this very topic. “It’s not that security in the cloud isn’t still a concern for both [health care and finance] industries, but it’s a known, and perhaps better understood factor…So while security is still a legitimate concern, it doesn’t seem to be the show stopper it used to be…” So with your SaaS vendor taking care of you[r] security concerns, you can now worry about where Lebron James will be playing basketball next year.

...you could be forgiven for thinking that everything is hunky dory. One company I spoke with after the event asked a pointed question: 'Where are the real risks?' In enterprise land nothing is that simple. This kind of narrow view avoids the broad business issues expressed by those on the panels. It is, not to put too fine a point on it, naive.

To round this one out, I wanted to get a feel for EU attitudes to privacy generally. It is common in the US for commentators to argue something like this: privacy is an illusion..and then trot out their favorite reason why this should be the case. Those same commenters frequently poo-poo European attitude to this issue, arguing it holds back progress. I understand why the argument is made but consider it based on a falsehood.

During one of the panels, I asked the audience whether they agreed Mark Zuckerberg, CEO Facebook and his stance on privacy, was madness. A significant majority of hands went up in agreement. The backlash against Facebook proves the falsehood: when a lack of privacy impacts the individual and the way their account is handled then the privacy tune quickly changes. Imagine then how enterprise views this topic?

Panel session photo courtesy of David Terrar