Thursday 12 November 2009

Cloud Computing, Security & Reputation

I read this piece by Bruce Schneier: IT Security in the Reputation Economy. It's a very interesting argument from one of the most respected IT security professionals around.

Bruce starts with the common position that computing is now a commodity. Price and trust are the two factors driving sales of a commodity. Many IT services are free (for consumers at least, and also in education), so that leaves trust. As IT commoditizes further, providers are incentivized to protect their reputation by improving security to greater levels than their customers would demand on their own. Why? An individual company can afford to lose its own data, but no service provider can afford to lose its customers' data, as soon afterwards it will lose its customers.

Thinking of universities as service providers, this makes me think we should give greater protection to personal data (eg student databases) than to confidential data (eg financial reports). More generally it is interesting to reflect on two recent cloud computing stories in this light.

First, the disaster which befell Sidekick users. Sidekicks are (or were) a popular brand of smartphones in the US. Users had their contacts, photos, appointments etc stored on Sidekick servers, with only transitory cached copies on the device itself. In a spectacular database failure the data vanished. Originally it was announced that all data had been lost with no possibility of recovery, although some has now been found. It is a major embarrassment for T-Mobile and for Microsoft (who acquired Danger two years ago). Perhaps Microsoft will now redouble their efforts to ensure nothing like that can happen again.

Secondly, Google announced a 'government cloud' to attract US federal government customers. It will operate only from Google data centres in the US. They are aiming for accreditation under the Federal Information Security Management Act (FISMA). There are no customers signed up yet, but it is good that Google are trying to demonstrate their trustworthiness, and in particular are taking public sector concerns more seriously. How about an EU government cloud, Google?

Bruce highlights one problem with his argument - markets only work if customers have accurate information. Therefore service providers have a motivation to hide their security problems. Not good. My problem with the argument is that IT may be a commodity, but not to the same extent as electricity or water. Switching from one cloud provider to another is too difficult. Lock-in, as ever, bedevils the IT industry.

Getting back to universities again: my purely personal view is that the case for moving student email to the cloud is now almost overwhelming, but that the trust issues (are the US/Chinese/French governments reading my email??) are currently too great for us to do the same with staff email. If Bruce is right about the reputation economy, expect Microsoft and Google to work hard improving our trust in them. In a couple of years' time we may think differently - especially if other Russell Group universities decide to make the switch first.
