In a recent blog post and press kit on Building Confidence in Cloud Computing, Microsoft's General Counsel, Brad Smith, calls for government action to "ensure that a robust privacy and security legal framework exists to protect and provide user rights and benefits in the cloud." Microsoft's statement rightly suggests that in order for the promise of "cloud computing" — be it applications, software infrastructure for developers or physical computing capacity — to be realized issues of data protection must be better addressed. The statement appeals to the US government to to update, modernize and strengthen two existing pieces of legislation — the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA). The statement also promotes greater transparency regarding security provided by cloud services providers as well as global collaboration around rules governing access to data for law enforcement purposes.
These are all notable objectives. However, the statement seems to miss a broader issue facing cloud customers that must be met by greater transparency on the part of providers. Many customers need to know not only what security measures are provided, they need to know where their data is located. And, they need help in understanding what the implications of that location may be.
Despite the buzz about its promise, global cloud computing adoption rates remain low. Security and privacy are often top of mind as potential customers weigh the advantages and risks of moving their applications — and consequently their data — into the cloud. That concern lies not only with the security measures provided but where the data will actually be located, and consequently the legislation which may apply. With the amorphous, cross-border and global nature of the cloud customers can get spooked by the idea of their data leaving their country. And, what that means from a regulatory perspective. But often that perception of how restrictive data protection laws are with regard to transfers out of country are exaggerated.
Improving security and data protection legislation is clearly one step in overcoming barriers to adoption. But so is a greater transparency on the part of vendors about where data is located, and in what that means from a regulatory perspective. Advice to vendors: location, location, location… and a good dose of education. That's the transparency that we need.
Take a look at my recent Forrester report "As IaaS Cloud Adoption Goes Global, Tech Vendors Must Address Local Concerns."
[Cross-posted on www.b2bbeyondborders.com]