Cloud providers shrug off liability for security

Ok, maybe it is just me. Maybe I just have a narrow-minded concept of "responsibility" or "expectations", but this sounds totally wrong to me.

<i>"We're not an insurance company,"</i>

No one is asking or expecting them to be an insurance company. They are only being asked to take responsibility for protection of the data they are being entrusted with.

<i>"If the offering does not meet customer needs, maybe the cloud is not a realistic offering."</i>

I couldn't have put it better myself. This is exactly what a lot of people have been saying from the very beginning - without the proper safeguards and definitions of responsibility, the "cloud" is a sucker's game.

<i>"When your data can be anywhere in the world, so can your legal headache."</i>

This is a perfect closing statement for the story. When you put your data "in the cloud", it can end up anywhere in the world, whether you want it to or not, and no one is going to take responsibility for that happening. No one, that is, other than YOU. Think carefully.

jw 12/2/2010

Microsoft seems a bit schizophrenic here; Brad Smith, Microsoft General Counsel

Brad Smith, Microsoft Vice President and General Counsel <a href="http://www.microsoft.com/presspass/presskits/cloudpolicy/docs/20100120_transcript.pdf">talking at the Cloud summit last month:</a>

We need Congress to modernize the laws, adapt them to the cloud, and adopt new measures to protect privacy and promote security. Thats why weve concluded that we need a cloud computing advancement act that will promote innovation, protect consumers, and provide the executive branch with the new tools needed for a new technology era.
We need Congress and the Administration to address three issues in particular: privacy, security, and international sovereignty.
But at the same time, the cloud also creates bigger targets for hackers and thieves. We cant close our eyes to that reality. There is no benefit in underestimating the savvy of potential attackers now or in the future. Across the industry we first need to continue to dedicate ourselves both separately and together to strengthening the security of the cloud. This is going to remain a daily fact of life. We also need to take new steps throughout industry to implement new security standards such as those from the International Standards Organization and under the Federal Information Security Management Act.
As the federal government moves data to the cloud, we believe it needs to continue to adhere to procurement policies that ensure that it too implements these types of security standards.
These principles should ensure theres transparency over how data is protected. They should ensure that service providers maintain a comprehensive written information security program. They should disclose whether the service providers architecture, infrastructure, and controls, satisfy well-recognized and verifiable security criteria. They should convey in plain language how their information will be accessed and used by service providers so consumers know what they can do and know whether and how they can reclaim their documents and data in the future.
Simply put, it shouldnt be enough for service providers simply to say that their services are private and secure. There needs to be some transparency about why thats the case."
M

Thats what I thought they where doing, so why the change in approach? bloody morons, how hard can it be to sit around a table and agree on some standards.

The simple truth is that once data is in a public cloud, the "owner" has lost control of it. No cloud service provider will accept liability for data loss or theft (don't forget many employees can and will steal company data for a quick buck - as HSBC recently testified) - just placing a value on it would be horrendous. The software exists to enable SMBs to create their own in-house cloud (broolz) - why would a company hand over control of its lifeblood?