There are some audience questions you can see coming a mile away.
I was hosting one of our ComputerWorld Interactive events this morning in Edmonton, where we were discussing IBM’s proposal that Linux is an ideal OS on which to develop a cloud computing strategy. Although most of the people in the audience have introduced some level of virtualization into their IT infrastructure, the concept of clouds was, to some extent, still new to them. I knew this because early in the Q&A one IT executive put up his hand and asked how any company could be comfortable enough with the privacy issues around handing data to a third party.
Although I let our IBM guest speaker tackle the question first, I followed up by suggesting that the IT industry has sometimes been too focused on the service-level agreements, or SLAs around the delivery of technology services through cloud providers and not enough on how data will be used or managed. This is particularly true in Canada, where provincial laws often prohibit any situations where local data is being housed in the United States, and therefore subject to the Patriot Act.
“What we need,” I said, “is to be more focused on setting up privacy level agreements that govern the data usage in a cloud environment.”
Yes, I just made up “privacy level agreements” on the spot, but I think the idea is valid. We have service levels because there are different demands placed on compute infrastructure depending on what’s going on in your business. Similarly, although enterprises collect all sorts of information about their customers, partners and employees, not all of it is subject to the same stringent collection, storage and disposal policies. There are levels of privacy.
A privacy level agreement, or PLA, would set out in contractual terms how a third party provider will ensure that the information it hosts will not be seen by the wrong sets of eyes. I would imagine there are already some provisions to that effect in certain cloud computing deals today. However the PLA would also include more detailed information about the escalation procedures should a privacy breach occur: how the breach would be reported, how quickly a report could be delivered to the customer and who would have responsibility for contacting the appropriate authorities. I would be surprised if this level of depth has been established in many cloud agreements today, if only because most businesses are too focused on simply shifting from a traditional model of on-premise applications and infrastructure. Privacy, as always, is something you deal with later.
Our event, which we called The Linux-Powered Cloud, didn’t dwell all that much on public clouds, because that doesn’t seem to be where the majority of the action is in Canada. But PLAs would still be a good idea in private cloud projects, as would a privacy impact assessment before the first virtual servers are deployed. If your SLAs – internal or otherwise – aren’t being met, you won’t be able to run your business properly. If your PLAs – internal or otherwise – aren’t being met, no one can trust you. You tell me which problem is worse.