You *can* take it with you: musing about cloud principles

Clouds There was a time when the “high street” bank was a disconnected silo, an island of tranquillity. Except when it came to a busy afternoon and you wanted to withdraw money. Your money. Because the only place you could withdraw it from was the branch with which you held your account. If you weren’t near it, tough. If it was too busy to serve you, tough.

There was a time when the only way you could draw money from a hole in the wall was to use your bank’s ATM network. It was private. Disconnected from all other bank networks. So if you weren’t near an ATM belonging to the bank you banked with, tough.

There was a time when you could only use the cards you had in the country you lived in. If you had to travel anywhere else, tough. Try cash or travellers’ cheques.

There was a time when there were no guarantees for what happened if someone impersonated you, if your cards were stolen, or, for that matter, your bank had a problem.  No guarantee schemes. No nothing.

Thankfully, we’ve moved on from those times. Today we can choose who to bank with, draw money from any branch, any ATM, anywhere, anytime. Securely, efficiently, conveniently. Underpinned by the trust that comes from feeling secure, having guarantees.

And because of all this, we trust our banks with some of our most precious assets. The financial system has had its problems (which system hasn’t?). But people continue to use banks rather than revert to paper money and metal hidden under mattresses.

So it is with the cloud. Your data is a precious asset. Which means that you really have to think about where you keep it, whom you trust to look after it.

The “bank” where you keep your data must use a network that provides you access anywhere in the world; it must support a large variety of “data ATMs”, your mobile devices. It must provide you access swiftly and securely. It must have transparent pricing and charging. If there are legal reasons why someone else seeks to look into your “account” it must tell you about it.

The cloud, like the banking system, like any truly global system, is about openness and standards and transparency and trust and guarantees.

Which is why I’m delighted with what my employer Salesforce is doing, in putting forward a series of “cloud principles”, principles we work by, principles we seek to adhere to. This is something the company has been working on for a while now.

Here they are, ten guiding principles, in draft form:

  • Transparency: Companies that provide enterprise cloud computing platforms should explain their information handling practices and disclose the performance and reliability of their services on their public Web sites.
  • Use Limitation: Companies that provide enterprise cloud computing platforms should claim no ownership rights in customer data and should use customer data only as their customers instruct them, or to fulfil their contractual or legal obligations.
  • Disclosure: Companies that provide enterprise cloud computing platforms should disclose customer data only if required to do so by the customer or by law, and should provide affected customers prior notice of any legally compelled disclosure to the extent permissible by law.
  • Security Management System: Companies that provide enterprise cloud computing platforms should maintain a robust security management system that is based on an internationally accepted security framework (such as ISO 27002) to protect customer data.
  • Customer Security Features: Companies that provide enterprise cloud computing platforms should provide their customers with a selection of security features to implement in their usage of the cloud computing services.
  • Data Location: Companies that provide enterprise cloud computing platforms should make available to their customers a list of countries in which their customer data related to them is hosted.
  • Breach Notification: Companies that provide enterprise cloud computing platforms should notify customers of known security breaches that affect the confidentiality or integrity of their customer data promptly.
  • Audit: Companies that provide enterprise cloud computing platforms should use third-party auditors to ensure compliance with their security management system and with these principles.
  • Data Portability: Companies that provide enterprise cloud computing platforms should make available to customers their respective customer data in an industry-standard, downloadable format.
  • Accountability: Companies that provide enterprise cloud computing platforms should work with their customers to designate appropriate roles for privacy and security accountability.

As I said, these are in draft form right now. Comments welcome. Our intention is to publish them in a more accessible form soon, and to make it possible for you to participate more fully in shaping them and improving them. Watch this space for details.

(Cross-posted on my blog "Confused of Calcutta".)