Well, we're about two weeks into the NSA/PRISM story, and it just doesn't seem to be going away.
I keep having this feeling that cloud vendors need to get further in front of the story than they currently are. Most of the responses to the story have centered around company-specific best practice with regards to managing security and privacy. I certainly think that this is a story that needs telling -- many organizations still inexplicably think they can do a better job at privacy and security in a small or medium-size business environment versus what can be done by a cloud provider at scale -- but that is not the story that needs telling in this particular context.
The story that needs telling, and users are going to be struggling with this issue for the next few years, is how are users who wish to implement cloud-based solutions supposed to deal with the myriad number of geographic restrictions that are inevitably going to arise as a result of the NSA/PRISM story?
In my younger life I spent time running the lobbying activities at the American Electronics Association. At that time, the worst thing that could happen was when legislators and regulators started wandering into the area of technology-specific legislation and regulation, rather than pointing legislation at desired outcomes. The reason this was so inefffective is that when legislators got involved in specific technologies, they almost always attack yesterday's technologies and yesterday's problems rather than what would come next. Technology-specific legislation -- as opposed to outcome-defining legislation -- was almost inevitably a disaster.
So now we find ourselves in an environment in which there inevitably will be an increasing volume of country-specific legislation pointed specifically at cloud and privacy concerns. And users will be left trying to sort through all of this as they consider the economies of cloud-based solutions.
I guess what I would like to see at this point is more aggressive work by the cloud solution providers to help their users prepare for these coming challenges. For many organizations, moving to the cloud is a somewhat controversial approach to begin with, especially for those with more traditional IT staffs. If you start adding requirements to the cloud that require a particular piece of information to be held in a particular server in a particular country, you have massively increased the complexity of cloud solutions for user organizations -- and have added a significant hurdle to adoption.
So instead of simply describing how good their own privacy and security is, I would like to see some of the cloud companies get out in front of this issue. They need to start evangelizing the concept that country-specific restrictions relative to the location of cloud-based information is an oxymoron in the first place. That won't stop this this legislation from occurring in the face of the NSA/PRISM revelations, but it may slow it down a bit.
Recent Comments