Here are the first two areas of concern for cloud computing.
Privacy. So your data is out there in the cloud. The cloud is an abstraction; your data is sitting on somebody else’s disks in one or more of their computer centers. Who is managing those disks?
From one perspective, it’s a bunch of people who you know very little about. You didn’t hire them; your cloud supplier did. No matter what procedures are in place, they can get at your data. Are they selected for their probity? Their scrupulousness? Their lack of curiosity? Their financial stability and immunity to extortion by others? Maybe so, maybe not. Do you even know what country they’re in, and what laws they should obey?
From another perspective, those disks are managed by a company. Much do you know about that company? Do you understand their privacy policies? Do you know the procedures that they use to enforce those policies? Do you understand how important privacy is when compared to other management objectives? If it comes down to rattling legal sabers, do you know whose laws govern your contract with them?
Even if you understand where your cloud provider stands today, it’s really hard to figure out where they’re going. Are they are vulnerable to takeover by a company whose privacy policies you detest? What if the acquiring company’s business model revolves around selling client information? Acquisition is not the only game changing event that can happen to a company. Is your service provider in danger of going out of business? If they do go out of business, what happens to your data? With all the disks be written seven times with random numbers before they are sold? Or will the company be down to a skeleton staff by the time they think about what they’re going to do with the disks, and just sell them as is to the highest bidder?
Scott McNealy famously said once, “You have zero privacy anyway. Get over it.” I don’t think it’s that simple. There’s a risk/reward calculation involved in using a cloud-based service. The reward has to be pretty darn high for me to risk putting financial data there.
Security. Security in the cloud context usually means network security, and that’s a lot like privacy, except that you’re worried about access to your data by anyone with an Internet connection. One of the arguments for cloud computing is that the companies who provide the service are generally motivated to spend more time, money, and effort on security than are people at home or in small offices. I think that’s true as far as it goes, but it needs to be balanced against the fact that the cloud computing companies are much bigger targets, and therefore more likely to attract the attention of ne’er-do-wells. Why go to all the trouble to hack a homeowner’s computer to get one or two credit card numbers when you can hack a big company and get millions? And make no mistake; the big companies do indeed get hacked. Just last Thursday, Citigroup reported that person or persons unknown had made off with more than a hundred thousand names, email addresses, and credit card numbers.