
Should Cloud Providers Be Security Black Boxes?

Published: January 22 2010, 05:10 PM
by Matthew Gardiner

Reading about Microsoft General Counsel Brad Smith's recent speech at the Brookings Institution got me thinking about the issue of security- and privacy-related transparency at Cloud providers. I fully agree with his statement that "... it should not be enough for service providers simply to say that their services are private and secure....there needs to be some transparency about why this is the case." However, a key word here is "some." There has to be a balance, but it shouldn't be achieved through legislation. That process would be slow and would only further muddy the balancing process. Security and privacy professionals don't agree on how much security is enough, so we certainly can't expect legislators to do a good job of it. There are plenty of areas that should keep the law-makers busy, such as modernizing existing laws that never contemplated the Internet and Cloud models, as well as sorting out conflicting international laws (where you must do something in one jurisdiction, but doing so puts you in violation in another jurisdiction).

How do we find the balance? It should stay with the open market and be further matured through industry codes of conduct and certifications. Security and privacy should be a feature of the various Cloud service offerings, and organizations such as the Cloud Security Alliance and the Kantara Initiative are working to help Cloud providers find the balance.

I find it helpful to compare what is going on now, in this context of the Cloud, with what we experienced in past years in traditional enterprise IT. If we look at how enterprises "managed and secured" their sensitive data and applications over the years, I think overall we can say it was very messy, with breaches and spills seemingly around every corner. Only over the past few years have we witnessed more effective control. Over-simplified, enterprises did a relatively poor job of IT security because IT was allowed (or forced) to operate as a black box, with non-IT management either not understanding or not caring enough to know what was going on with sensitive applications and data. This let the balance between security/privacy investment and risk stay skewed for too long.

I would like to say that I see an aggressive and proactive position on security and privacy from the Cloud providers, but I don't. There is this unfortunate tendency toward the security black box again, which when taken to extremes is unhealthy.

Buyers of Cloud services, let your money do the talking. Demand effective security and privacy and be willing to pay for it. And don't accept security and privacy as a pure promise, as Brad Smith points out.

Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...