Wednesday, February 25, 2009

Cloud Privacy: Easy to comply with as a SaaS Developer

Some people view cloud computing technologies with suspicion about their ability to comply with effective privacy policies. This applies equally to a cloud software developer when he tries to recommend the technology to his prospective clients. If you are a SaaS provider, you may have to sell on behalf of the cloud provider as well! It works out something like this. As a SaaS provider, you may collect the personal information needed to extend your services. You then have to assure the end customer that your use of the personal information you collected will comply with an internationally acceptable data privacy framework. As an organization, or even as a specific application, you can do this by adhering to the 'Safe Harbor' principles of notice, choice, onward transfer, access, security, data integrity and enforcement.

Reproduced below from the directives provided by the U.S. Department of Commerce:
"
Principle 1: Notice

Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.

Principle 2: Choice

Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Principle 3: Onward Transfer (Transfers to Third Parties)

To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent(1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

Principle 4: Access

Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

Principle 5: Security

Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Principle 6: Data integrity

Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

Principle 7: Enforcement

In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.

"

This is important even for small SaaS developers. Invariably, a cloud application will use some sort of authentication and authorization before allowing access to its end customers, mostly provided by OpenID providers or at least an email ID. Given that the cloud reaches out to all seven continents, complying with the safe harbor principles is important. For example, assume you are a start-up getting into business as a SaaS provider, leveraging some of the cloud providers out there. Your application should spell out its privacy policy more rigorously than before. Remember, on the internet, your application represents your business.

If you are a product development service provider working on cloud technologies, recommend only 'Safe Harbor compliant' cloud providers, build the application so that it clearly announces its safe harbor policies, and encourage your client to join the safe harbor framework. Let us save ourselves and our clients from unwanted litigation.

For more details on what is meant by a privacy policy, visit http://www.export.gov/safeharbor/doc_safeharbor_index.asp

Google App Engine: Now pay as you go!

The Google App Engine platform could be an ideal cloud environment for the entire spectrum of business. The pre-release was made in April 2008, supporting the Python runtime and Bigtable as storage. The free quota was generous enough for entrepreneurs and small businesses.

Now, Google App Engine is available as a pay-as-you-go service. The resource pricing is highly competitive compared to other players in the cloud computing field. What is interesting is that Google has maintained its commitment to the free plan, as promised during the April 2008 launch.

Visit http://code.google.com/appengine for more details.

Tuesday, February 24, 2009

Intel Investments - A positive push for cloud computing

Cloud computing, it seems, also means a more efficient use of the internet. Very large data centres mean smart economies of scale for power, manpower and communication bandwidth, apart from the hardware and software costs of procurement and upgrades. If such data centres are populated with energy-saving servers, business and the economy stand to gain. A simple reduction of motherboard consumption from 115W to 85W at idle is estimated to yield energy savings of USD 8M on a cloud data centre of 50,000 servers in three years' time. This brings down the energy-spending part of cloud providers' OpEx. Intel is serious about the initiative and may invest USD 7B over the next two years in chip manufacturing facilities in the US. Let us hope the future of cloud computing is becoming brighter day by day.

Tuesday, February 17, 2009

The 9th Estate - The bloggers

The term Fourth Estate stands for the press and is probably the most widely accepted, undisputed and popular usage. I referred to Wikipedia on this. It tells me the following. First Estate (Clergy), Second Estate (Nobility), Third Estate (Commons), Fourth Estate (Press) - so far no multiple claimants. Fifth Estate traditionally referred to trade unions, the poor and organized crime. The list of claimants does not stop there: politicians and visual media were added soon, and later bloggers were added to it. You see, there is no consensus. Traditionally, anything outside the first four estates was put in the fifth estate. Let us leave the fifth estate for unions, politicians, the poor and organized crime. Then the Sixth Estate can be motion pictures and television. Great! Bloggers can now choose from the Seventh Estate slot onwards! It would be fair to leave the seventh and eighth estates for the groups who emerged earlier but didn't bother to press for them. Logically, then, bloggers can be on the 9th Cloud, looking at the strong emergence of the new internet evolution - cloud computing, the new internet experience. The 9TH ESTATE can remain on the NINTH Cloud with all bloggers.

Sunday, February 15, 2009

Above the Clouds: A Berkeley View of Cloud

This paper tries to present a very useful, but simplified, taxonomy of the cloud computing paradigm. There could be a little murmur about its attempt to keep 'private clouds' out of its discussion. Private clouds present an excellent new business for box, software, bandwidth and storage vendors. Industry leaders such as IBM, Sun, HP and Oracle are sure to capitalize on this momentum. The UC paper defines its taxonomy on the Public Cloud, and places Amazon EC2 at the beginning of the spectrum, places the Google App Engine platform at the far end, and puts Microsoft Azure in between them for justifiable reasons. The taxonomy on the Public Cloud presents Cloud Providers - (SaaS Providers/Cloud User) - SaaS User in three distinct tiers. It discounts all other 'XaaS', where X could be Hardware, Platform, Communications etc. This is a daring approach and really serves the purpose well. The paper also consolidates the well-discussed 'inhibitors' into a Top 10 and suggests opportunities against all of them. The paper takes a highly practical approach based on 'what is available in the market' rather than mixing it with 'what is/could be happening in the laboratories'. I recommend this paper for all beginners as well as practitioners of cloud computing.

Tuesday, February 3, 2009

Captive Data Centers

Yesterday, I attended a product launch and seminar from Hitachi Data Systems. The conference discussed case studies with a focus on Service Oriented Storage Solutions from HDS. The seminar was well organised and the speakers were from HDS and the HDS user community. I wondered how organizations would take a positive decision on capital expenditure when there is an urgency to bring down operational expenditure. HDS storage solutions leverage virtualization technologies for better management of existing data centers, and you invariably have to buy boxes and racks. Rather than ROI, the sales pitch was on ROA. Interestingly, HDS business in India has beaten the overall market performance of its competitors in the year 2008.

What would be the future for box-bound service-oriented solutions in the short run and the long run? HDS can help in building a captive data center, and do good short-term business. When 'Hardware as a service' is slowly becoming the customer expectation globally, I believe the long run for this kind of business would be tough.