By Sramana Mitra and Siddarth Garg
Sramana Mitra: I get your point from an adoption point of view, but today we are at a somewhat more mature stage of adoption in the cloud world, right? We are a good five to six years into serious cloud deployments, so we have a lot of very large deployments where IT does get involved and they do scrutinize the security issues; there is a lot of integration happening. There are a lot of analytics happening in CRM systems, for instance, maybe a hybrid configuration of private and public cloud and all sorts of things. So, IT is involved and the CIO is paying attention, the CIO’s office is paying attention, and security is an issue.
Now, one thing I have picked up from my extensive interviewing in the past nine months or so is that people are not really worried about data in the public cloud right now; they kind of assume that the cloud vendors are providing a very secure environment. Where my question to you came from was more about if you put yourself in the head of the cloud vendor, addressing the same kinds of issues that you are addressing for the public cloud or private cloud data centers. What is going on in their head when they think through the security strategy?
Chris Burchett: Well, I think if you look at it, they obviously are going to be driven by their customers. You see the advances and the changes that have been made by Salesforce over the past year or two and you are right, they have matured. They do have federated identity back in MySpace, whereas they didn’t at the beginning, and they have other capabilities.
But if you look at their security model, it is very much about protecting [against] intrusion. That has been the primary initial protection. In the past year or two they have done pretty sophisticated auditing, and they have done everything but encryption in many cases. Often I think it is because if they encrypt the data with a key that only the customer can open, then there are certain classes of things they might want to be able to do in their platform that become harder, you know, offline indexing and some of these things.
But ultimately, I think the provider would like to worry about key management. They would like not to have to worry about encryption. They would like to leave themselves open to doing these other functions. I think that is the case until the customer requires that – “you can’t open my data unless you have to; make it cryptographically impossible to open data unless I am logged in to it.”
The providers have other incentives that may be noble and good for avoiding encryption inside of their applications. I think it is different, though, if I am building an application on somebody else’s platform. In that case I have the responsibility, as the enterprise building that application, to make sure the data is protected. Or if I am building on somebody else’s infrastructure, I have a responsibility to protect my data.
SM: OK, all right.
CB: You get the reason why, right? Because in the SaaS case, I can use the service agreement, and I can use the contract as a way to put some of the onus on the provider.
SM: Sure. I get the service level agreement and everything, but I’m still trying to put myself in the head of the software service provider – not the customer of a SaaS provider, but the provider itself. They have the same issues, right? Now they are bound by a service level agreement to provide a certain level of security and a certain level of data security. For them, the problem is exactly the same as what you were describing earlier.
CB: Well, yes and no.
SM: If I am a SaaS provider, I have responsibility for somebody else’s data, and I am bound by contract and by the service level agreement to protect that data.
CB: I honestly don’t know. I am not a SaaS provider, so I can’t tell you exactly what a SaaS provider would think, but I think they are bound by the same [things as I am] and they do have the same [obligations] from a compliance perspective. I guess the only thing I would say that is different from a compliance perspective is that the data owner is the one who has the obligation. So, the enterprise really has the obligation whether they are using a SaaS, platform service or infrastructure. They really have the obligation to make sure their data is not disclosed.