The Cloud and Corporate Compliance

I think a main point of consideration for any company looking to use the cloud, in any of its various forms, needs to be to have a strategy before going hog wild: not only to assess cost, but also to expand existing policies, such as data governance, to include rules and guidelines for when and how to use the cloud.

For example, let's say you already have data classifications of “green”, “yellow” and “red”, green being data that is already publicly accessible and red being data that is deemed so confidential that it could be damaging if released. I’m simplifying things a bit, but you get the idea. Because all of your data, and any applications accessing it, already fall into these classifications, you can go through an exercise wherein you certify a cloud platform, first as being suitable for green, then yellow, etc. These certifications should be set up with guidelines and security protocols that also need to be implemented in order to be considered in compliance. You could find that initially you do not certify it for red. Not so much because you feel the platform has security issues, but perhaps because Legal may feel the risk is too high based on their understanding of the platform. (Yes, Legal should have a hand in your data governance policies.) In a case like this you may go through a cycle of educating Legal and the business in order to reach this certification, or you may decide that you never use cloud resources for certain aspects of your business. There is no rule that says you need to use the cloud for all of your business needs.

I’ve also heard concerns about data access and international law. I’m not a lawyer, but I do want to try and address this to some degree. The argument I recently heard was that if a company in the UK uses the cloud and that data ends up on a server in the US, the US government can then go after the data on the US servers, and that grants them access to the data on the UK servers as well, even if the data in the UK never existed in the US.

I’m not going to disagree with this per se, but with respect, I do feel that this argument simplifies the legal aspects to the point of being misleading. For example, in all of the PaaS cloud platforms I’ve ever worked with (I’m not including SaaS models like Salesforce), they don’t just place your data in a random location. You have to explicitly specify where you want your data to live, and this includes CDNs. A CDN doesn’t just drop your data everywhere; it only replicates to the nodes you select. One of the main reasons for this is the very root of the previous concern (the other being cost differences). The argument is not actually cloud specific, and applies equally to a UK company doing business in the US with data hosted on their own servers in a building owned by the company. In fact, in that case it’s even easier for a law enforcement agency to get the court to grant access to the data, as there are no concerns about accidentally granting access to another company’s data. OK, I’m guessing as to whether a judge would take this into consideration, but that guess is based on having spent a few years in the electronic discovery industry. As a part of that job I performed litigation readiness assessments, and had to be versed in US laws involving electronic data discovery.

So while the concern is valid, it isn’t valid just because you are considering moving to the cloud. It’s why I encourage clients to evaluate the cloud in the context of current policies, rather than thinking those policies don’t apply just because they don’t own the servers. If you’re a serial litigant (you get sued a lot), or are a target for government investigation due to your business practices, chances are you already know that and have policies in place to compensate. For example, in the US, if you also do business in China, you already have a whole series of policies and procedures to make sure you stay in compliance with federal law. Those same policies don’t stop being relevant just because you are now using cloud computing, and they need to be incorporated into your overall cloud strategy.
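The classification and residency rules described above, as an added worked example that is not from the original post: a small policy check that records which tier a platform is certified for, which controls that certification requires, and which regions (CDN nodes included) data may live in, then reports every way a proposed deployment breaks the policy. The platform name, control names and region names are constructed for illustration.

```python
from dataclasses import dataclass

# Classification tiers in increasing sensitivity, mirroring the post's scheme.
TIER_RANK = {"green": 0, "yellow": 1, "red": 2}


@dataclass
class Certification:
    """What a platform is certified to hold and what must be in place to stay compliant."""
    max_tier: str               # highest classification the platform is certified for
    required_controls: set      # controls that must be implemented (hypothetical names)
    allowed_regions: set        # where data, including CDN replicas, may reside


@dataclass
class Deployment:
    """A proposed use of a platform: what data goes where, with which controls."""
    platform: str
    classification: str
    regions: set                # explicitly chosen primary storage locations
    cdn_nodes: set              # explicitly chosen CDN replication nodes
    controls: set               # controls actually implemented


# Constructed certification: a PaaS approved through "yellow", UK residency only.
CERTS = {
    "example-paas": Certification(
        max_tier="yellow",
        required_controls={"encryption-at-rest", "audit-logging"},
        allowed_regions={"uk-south", "uk-west"},
    ),
}


def check_deployment(dep: Deployment, certs: dict) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    cert = certs.get(dep.platform)
    if cert is None:
        return [f"{dep.platform}: platform is not certified for any tier"]
    problems = []
    if TIER_RANK[dep.classification] > TIER_RANK[cert.max_tier]:
        problems.append(f"{dep.platform}: not certified for {dep.classification} "
                        f"data (certified up to {cert.max_tier})")
    missing = cert.required_controls - dep.controls
    if missing:
        problems.append(f"{dep.platform}: missing required controls {sorted(missing)}")
    # Residency: every chosen location, CDN nodes included, must be an allowed region.
    stray = (dep.regions | dep.cdn_nodes) - cert.allowed_regions
    if stray:
        problems.append(f"{dep.platform}: data would reside outside allowed regions "
                        f"{sorted(stray)}")
    return problems
```

Re-certifying the platform for red later is a one-line change to `CERTS`, which is the point: the policy, not the application, decides where each tier may go.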

__I originally posted this as a response to a thread in the LiDNUG forums. While I’ve tried to modify it enough to stand on its own, please forgive any incongruences.__

The Death of AJAX

Lately I’ve been working on a few side projects written in Node.js, and have been using socket.io quite heavily. In fact, I made a conscious decision to use sockets exclusively rather than ajax. Now, truth be told, behind the scenes ajax will still be used on any browser that does not support HTML5 web sockets, but the point is that there are no explicit ajax services in the server code.

If you listen closely you can hear the death knell of ajax ringing. The promise of HTML5 web sockets on the client, in combination with server-side technologies such as socket.io (Node.js) and SignalR (ASP.NET), will eventually shift the paradigm of how web pages communicate with back-end servers.

Everyone talks about HTML5 as a Flash and Silverlight killer. I believe that we’ll soon start to hear more developers talk about it as an ajax killer as well. Of course this will never be as sensational as the Flash/Silverlight argument, but it will be true all the same.