Security and Privacy in the Cloud

Although the benefits of using cloud computing to provide IT as a service appeal to many end users, IT professionals in Canada tend to bring up two main barriers to adoption: loss of control over data and the implications of the US Patriot Act should the data reside in the US.

Mary Allen, from IT in Canada, did an extensive interview with John Weigelt, National Technology Officer at Microsoft Canada, about how these perceptions stack up against reality. The resulting article can be read on the IT in Canada website and I would encourage you to read it in its entirety. However, for those in a hurry, here is my condensed version of what John has to say:

  • On the issue of datacentre location: Microsoft currently has no datacentre in Canada, but depending on the type of service, customers may be “comfortable putting services out on a consumer, commercial type of cloud regardless of where it exists in the world, while some services may be a little more sensitive or require direct customization – in these cases, a hosted partner would probably be the best provider”.
  • On the challenges of locating cloud services in a specific region: “Cloud services are based upon economies of scale so the more people you can service with your environment, the lower the cost for each individual becomes…If you start to make exceptions for particular customer sets, or if you start to do customization, those economies of scale start to disappear”.
  • On the notion that Canada could become a cloud destination of choice because of tighter policy legislation: Jurisdictional issues are more complex than you may think. “At first glance it may appear that there is an opportunity for other nations to host their data within Canada, but there may be governments around the world with similar legislation [to the US]: providers in these jurisdictions would explain “If I have a European customer and their government were to ask for information that resides in Canada, I would be obliged to provide it, even if this access ran counter to local legislation.”” It’s more about where control of the data resides, not the location of the data. For example, “US legislation would oblige that US company to provide that information regardless of where it was hosted.”
  • On helping small business owners with issues of privacy, security or jurisdictional conflict in the absence of an international framework: There are actually “only very select communities that are prohibited from sharing only a certain type of information across the border” but often the abilities and permissions are not clearly understood. The real issue for most organizations should be safeguarding their information. Security doesn’t become the cloud provider’s responsibility – organizations need to consider local tools such as encryption, what information should be hosted outside and what should be kept in-house and also ways to take advantage of the flexibility the cloud provides. “[Y]ou can divide up your particular services and use cloud in an innovative way that allows you to take advantage of cloud scalability while protecting privacy.”
  • On who has ultimate legal responsibility for hosted data: Microsoft makes it very clear that the customer owns their information and does not lose control of it. The customer is provided with information about their data and access is audited by a third party. “[I]f there is an entity in Canada interested in that information, they will go first to the [customer] organization and ask for the data with the lawful authority that they have. If we have a business that is concerned about the discoverability of that information within that remote location, we provide advice and guidance around how you can safeguard against that, and there are security controls such as encryption in which information is blocked to us or splitting up the workload.”
  • On the perception that there is an increased risk of hacking in cloud scenarios: Microsoft properties are popular sites for hackers but “we have developed a resilient service that has until now resisted those attempts. And one of the things that this has allowed us to have is a deep understanding of the threat level that is out there on the Internet. Because we see so much activity, we are able to be proactive in our security services – and build in that safeguard and those controls so that those individuals don’t get in.”

John also talks about bringing cloud philosophies into internal data centres to make IT operations more efficient with better control and visibility. I’ve talked a lot over the past years about Core Infrastructure Optimization and this is one way to move your IT organization along that continuum from basic and reactive to more dynamic and strategic.

Read the entire interview or go to the Microsoft Cloud Power site to learn more about our cloud offerings.

And here’s a teaser for you: we’ll be touching on some of these issues during the upcoming Align IT tour. Yes, that’s right, we’ll be out on tour again starting in mid-March. The official tour site hasn’t launched yet, so I can’t divulge all the details just yet, but suffice it to say that there will be something for development managers as well as infrastructure managers, and a cloud discussion will definitely be in the mix. Stay tuned for more information coming soon!
