Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Jacob Sebastian Getting started with SQL Azure RE: Getting started with SQL Azure

  • October 23, 2009 at 7:58 am

    #1070041

    Sam,

    The points you make with respect to the convenience of using the cloud as a mechanism for continuous, 24/7 operation and distribution of data to business partners are compelling from an IT operations point of view, but the assumption that large companies have thought out the legal ramifications of doing so is not necessarily valid. For data-centric companies or companies whose primarly line of business it is to manipulate and/or sell data, yes, it is likely that they have at least considered the possibilities of litigation as a result of cloud computing for more than a brief moment. The kinds of companies that I would expect would have considered such would be companies like Microsoft, DataQuick, MSNBC, Google, and the like. Notice that these are largely companies that produce cyber products or products that are used primarily to manipulate and shape data.

    Companies that I would suspect have only given passing attention to these issues would be small to medium size companies that produce tangible products or that deliver services. Why? Their economic position is not as strong as that of global companies and they are far more concerned about making the sale as the first order of business. In such companies, marketing and sales departments carry far greater weight, relatively speaking, than their counterparts in global companies. This is not to say that global companies are slouches when it comes to seeking and closing deals; rather it is to say that the degree of influence that those departments in smaller companies have over fundamental business decisions is greater as a result of economic need.

    I see significant hazards in making the assumption that if Microsoft uses and promotes the cloud, it must be okay because they wouldn't use and promote it if it were legally hazardous. For companies with a physical global presence and which have enormous budgets, dotting all the i's and crossing all the t's is feasible because of the capital they can throw in to protect their interests while at the same time engaging in and promoting cloud computing. Large global companies maintain parallel data paths, one for day-to-day operations and the other for legal protection. They categorize e-mail messages as they arrive, sort and archive each version of a document, make referential copies of each published press release and publicly released document, and take many other steps to ensure that in the case of litigation, there is a complete library of everything the company has ever said, published, or done so that an overwhelming presentation can be made in court to defend their interests. They have an army of in house attorneys and outside retained counsel to represent them and to verify periodically that they are continuing to keep up the archival processes that will result in their prevailing in litigation. Doing so consumes an enormous amount of money, far more than the entire annual collective budgets of multiple small nations.

    Companies of the scale of IBM and Microsoft, as influential as they are on business and government, however, neither employ most of the world's workers nor produce most of a nation's GDP. The big players in both regards are the aggregate of small companies world wide that employ the vast majority of people and produce most of each nation's GDP. Companies of this smaller scale lack the budgets to sustain the kind of protective efforts that a company like Google would perform. What this simply means is that what is safe for Microsoft is not necessarily safe for a 100 employee company that manufactures fuel pumps for the automobile industry. They don't have the same mindset, economic advantage, legal staff, or budget to do so. If, therefore, they tread out into the cloud in order to reduce business costs and complexity, they do so without the expensive armor that global companies put on before taking the same steps, resulting in a far more hazardous adventure into cyberspace.

    Let me give an actual example of the kind of thinking that goes on when entities consider moving to the cloud. Recently, the City of Los Angeles, faced with a budgetary crisis of historic proportions, was approached by Google and offered its cloud computing services. Google had already brought the Washington, D.C. into its cloud computing fold, so the Los Angeles city council wondered out loud if such an arrangement should be considered as well for itself. After all, if Washington did it, why not L.A.? What the city was considering putting into the cloud were tax records and police databases. Its confidential database of gang member affiliations, strategies and scenarios for breaking up gangs and criminal organizations, pending actions, personnel records, and the like would all be out in the cloud. Does that sound like good, legally defensible planning, or does it sound like someone only listening to the ringing of the cash register?

    Breaking into a computer system isn't all that difficult. We have all heard of the Nigerian e-mail scam, phishing attempts on the part of Israeli and Russian cyber criminals, identity theft of credit card numbers, and a long list of largely untraceable criminal activities that have occurred over just the past five years, and the impression one has from the reports of these activities is that such invasions of corporate and personal privacy result from spyware, hacking, or breaking unbreakable computer security. In fact, most successful thefts of information result from errors of human judgment. A person calls a data center claiming his is John Jones in sales engineering, that he is out of the office at a customer site and wants to show a customer a spreadsheet on his workstation, but he just changed his password and can't recall it. So he asks, "Could you [the support desk attendant] give me a new password so I can complete the demo?"

    Even simpler, is to physically call on a company claiming to represent a firm that has the world's best widget that will make the company lots of money and costs virtually nothing. You get a tour of the facilities, and as you stroll through the operations area, you notice that someone has posted his password on a sticky note attached to his monitor (there is always someone in every company that does this). You pause and make pleasant conversation with that person and learn his name from the business cards sitting on his desk. Later, when you try to enter the system remotely, you try various user names based on the name of the person you spoke with and just add the password. Eventually, you gain access to everything that person can see, and it is often surprising just how large the corpus of information is that each person in a company can see as a result of the company being "customer-driven." The information includes customer names, addresses, account numbers, methods of payment, last purchases, lines of credit, tax ID numbers, notes about the dealings with the customer including personal information about family members (birthdays and anniversaries).

    Now, imagine that the data is located in a part of the world where the prevailing regional attitudes toward data privacy are not those that we embrace. Google has more than 23 world wide data centers spread across the globe operating under the laws of at least a half dozen or more countries and employing foreign nationals. In some cases, the data centers are simply computers set up in leased space in existing facilities owned and operated by non-Google entities. To the extent that the people who actually put their hands to the keyboards in those facilities do not share our understanding of the words "confidential" and "private," we are exposing our business, government, and personal data to theft.

    The unfortunate truth is that because of the way that we as people choose to do business in order to appear to be approachable and friendly, we greatly enhance our likelihood of leaking information that can come back to bite us very hard. When we choose to conduct business in the same way within the environment of cloud computing where the data stored, from a legal point of view, has diminished privacy privileges to begin with and when we as business enterprises are not prepared either from a psychological or economic perspective to undertake the considerable additional measures to protect our legal and financial interests from the hazards of cloud computing, it creates a scenario that increasingly resembles playing Russion roulette.

    From he perspective of a small business, using cloud computing tools seems like such a no-brainer. It's cheap, easy to use, doesn't require us to do updates or maintenance, and it's accessible from every branch office we could ever want to open. In a perfect world, all that is true,and it looks like a gift wrapped in pretty paper and tied up in a ribbon. In the real world, however, where people get sued, where people steal, where business ethics are constantly challenged, and where budgets tend to define what companies think they "ought" to do, all that is still true, but it is wrapped in caveats that are a mile thick and tied up with barbed wire.