Enterprise 2.0 and Cloud Computing Conference

Filed under: Uncategorized

I attended a very interesting panel discussion yesterday evening called “An Evening in the Cloud” at the Enterprise 2.0 Conference at the Westin on the Waterfront in Boston. It was a sort of conversational panel between vendors of cloud computing platforms (“Cloud Players”), namely Google, SalesForce.com (through Force.com), and Amazon Web Services, and a group of potential buyers (“Cloud Customers”) from several different types of organizations, from both the public and private sectors. The “Cloud Players” each took their turn presenting a compelling argument to the buyers to move their IT infrastructure as much into the cloud as possible, ideally completely. The “Cloud Customers” then had the chance to react by asking the panel questions and bringing up any possible anxieties they might have in embracing this model to such a degree.

One of the main conversation points centered around the analogy to the utility companies and the “power grid”. The idea is that most people don’t produce their own power and for the most part don’t need to, and do better just plugging into the massive national power infrastructure. Another interesting analogy, made by Jeff Keltner, Business Development Manager for Google Apps, relating to the safety and security of data in the cloud, is that driving is much less safe than flying even though it might not feel that that’s what the statistics would show. The sophisticated infrastructure and incredible engineering in the airline industry make it possible to be much safer than driving, just like SalesForce.com, Google, Amazon and the others have much more secure and powerful IT environments than what the overwhelming majority of businesses can match.

So I guess controlling and maintaining our own private data is like driving cars. :) I don’t know which I would pick if I had to choose only driving my own car or flying in airplanes (neither really, maybe this once it can fly), but overall I think the argument for cloud computing is sound. There is undeniable momentum towards the utility computing model, and the adoption numbers for Google, SalesForce.com, and Amazon as major players in this space are staggering. Despite the fact that they all have different approaches, with Google and SalesForce.com pursuing a multi-tenant model much more than Amazon as far as their cloud platform story, they are all strongly committed to cloud computing and often consume each other’s services either indirectly or through direct partnerships.

I absolutely love the idea of cloud computing. I want the big “Jukebox in the Sky”, frictionless commerce, social networking driven by semantic personalization, and the multimedia bonanza that cloud computing will undoubtedly unleash. However, I still also have some reservations, primarily related to what I think is a huge missed opportunity instead of just the commonly-raised concerns around security, privacy, and reliability. I believe there is one key missing element in the equation that I will get to later.

As far as the power grid analogy, one of the “Cloud Customers” on the panel, Carolyn Lawson, Chief Information Officer for the California Public Utilities Commission, made a funny quip in her talk about how it might not be the most appropriate and convincing analogy given some of the recent history of California’s power grid. Then, Dr. Richard Mark Soley, Chairman and Chief Executive Officer of the Object Management Group, Inc. (OMG®) and Executive Director of the SOA Consortium, mentioned he was actually just starting to produce power for his own home, and that he saw a lot of momentum in the direction of much more distributed energy infrastructure. In my own recent trip to Haiti, I couldn’t imagine anything except highly distributed solar and/or wind power making much sense in even the remotely near term.

One of the central themes throughout the conversation between the two sides could be associated with the term Vendor Relationship Management. There was an overarching desire from those consuming cloud computing services, whether individuals or businesses, to have a basic level of control over their own context. Aside from legal issues, of which there are plenty, there was a string of comments related to concern about the leverage that such companies would have over pricing and abrupt changes in privacy policies, especially in the event of acquisitions and leadership changes. One audience commenter brought up the Patriot Act, which the cloud computing vendors freely admitted is causing them some grief in providing services to an international audience.

As part of introducing myself and my company to any participants of the conference who might be reading this blog, I would like to offer my own analogy to help frame the debate that is centered around encryption. First, for some background on our company, we recently released an Open Source web browsing and searching product called SupraBrowser. It’s a browsing, research, and messaging system used by a number of financial services companies in Boston. We use it ourselves daily for our development and other types of collaboration. One of its core attributes is that it’s based partly on a distributed security algorithm called the Secure Remote Password Protocol that reduces or eliminates the need for a central trust authority in all communication traffic.

Additionally, we will be launching shortly a distributed web service called dealtac.com. It’s an exclusive social network for deal makers and connectors, which allows users to monitor and mine their email, bookmarks, feeds, and documents for personal connections from their existing business social network of contacts. Users can also collaborate through a real-time messaging system and leave comments about their contacts.

From what I’ve learned through the odyssey of building this company, I think it’s incredibly necessary to provide a personal, private context to individuals in “the cloud”, and that the absence of this core artifact will severely hamper the success of cloud computing regardless of its early adoption. One of my most interesting conversations of the night was one I had with Jeff Keltner from Google. At one point in the earlier debate, when the potential buyers all really started harping on the issue of privacy, Jeff was the first to mention encryption as a practical way to maintain privacy in the cloud. If you encrypt your data before storing it, it remains adequately private for the majority of cases. This is true, as long as you don’t access it while it’s still in the cloud, but I think encryption itself provides the best analogy for why the “multi-tenant” approach can and should only work up to a limited point.

The very fact that encryption can be mentioned by him in the context of being a raw, foundational element to build privacy and trust upon, actually proves my point. If the US (or any other) government demanded the inclusion of a “skeleton key” for all encryption protocols and programs that only they had full access to, not only would the security be much, much weaker, but also people wouldn’t trust it nearly to the same degree. Even if a government or other central body employed the vast majority of cryptologists and mathematicians in the world, people would still trust a transparently developed algorithm with no known backdoors and known ways to cheat the math more than a closed algorithm. The fact that Google has “root access” to its users’ data is the equivalent of maintaining root access to an encryption algorithm.

All the cloud computing vendors in some way mentioned trust as one of the most important elements in their relationship with their customers and users. So, when Google or another cloud platform company denies the need for a place in the cloud that can contain completely private data with no known way for anyone other than the individual to view it, even in theory, while still having all the positive attributes of cloud computing, i.e. more secure, redundant, accessible, and mobile, it’s quite disingenuous and practically the same as if they provided an encryption “service” with a backdoor for the “governing” operator.

The panel was actually incredibly well run and conceived overall, and it was part of a fascinating and important dialogue going on around cloud computing that ultimately touches on deep issues of trust, governance, self-determination, and even sovereignty. I look forward to continuing to be a part of the dialogue and trying to transcode our own privacy policy into the architecture, algorithms, and software code of our products and services as much as possible.

So, which would you want? To be stuck in “the cloud”, or to see a sky full of clouds? We have presented our version of the sky and have only just begun in our quest for what perhaps might be called “Sky Computing”. Since it’s open like the air, we welcome all breathing collaborators. :)

Posted on June 10th, 2008 by David Thomson


Storing Private Health Information in the Public Cloud.

Filed under: cloud, security, sphere

There have been numerous announcements recently from Google and Microsoft related to storing health information on their servers in their grid. There has also been some controversy around these initiatives over privacy concerns, particularly because it comes from these two companies where they have already consolidated a lot of other information and leverage with respect to the IT infrastructure of both individuals and businesses.

So, let’s leave aside a question of whether it’s those two specific organizations that manage health records over any other, and whether it’s better to have any particular large corporation instead of a government entity, non-profit, or other-worldly organization in the first place. Let’s first start with abstract theory! :)

I’m going to begin by asserting that I don’t care what a company’s privacy policy is. If any organization were so good at codifying and following a particular privacy policy, why don’t they actually code it in code instead of in legalese? That way they can get specific and avoid any of the semantic dances to skirt around responsibility for which lawyers have become so infamous. Famously, possession is 99% of the law anyway, and letting others possess your data means they own it.

But I want to go even deeper than that. First, there is generally the issue of privacy. Is there any expectation of privacy in this digital age in the first place? Why should anyone need privacy if they have nothing to hide?

Well, I don’t need any privacy, but I want it. It’s that simple. Until I behave irresponsibly, defined in as context-specific and inter-subjective way as possible, then I deserve it and should have the right to it. Otherwise, we go down the slippery slope of starting with the assumption that everyone is a criminal until the individual proves otherwise, and the problem is that people over time and in aggregate generally behave about as highly as what is collectively expected of them.

There are people who think that having the oversight of some big brother who can read/monitor our thoughts will make us better as individuals and as a society. Then there are those of us who feel that the only path to true order and security in society rests with personal responsibility, and that the best the rest of us can do with respect to an individual is hope that eventually each person finds that sense within themselves with the help of loving external reinforcement. But, make no mistake about it, the external reinforcement is no substitute for personal responsibility; that type of substitution is a prostitution.

One of the highest hopes of society is that common, ordinary people will often do extraordinarily good things, and we are increasingly entering an age where unless that is the case, no amount of tracking, incarceration, punishment, deterrence, or stick will prevent people from doing stupid things.

Now that we have all that out of the way, I want to get back to technology. We are at a time where there is unprecedented research going on, with a convergence of so many disciplines, and as a result we are hitting a point where a lot of what we see with respect to the computer industry starts to become analogous to biology and life. So, who controls the PC, you or Microsoft, Apple, or the government? Is it ok for Microsoft or any other entity (RIAA) to be able to shut off your computer without your permission or control? How about delete files from your computer? What happens when computers start to become integrated?

Well, if you’re still with me and interested in seeing where I’m going with this as far as health records, access to health information is presumably of critical importance to patients. It seems to be of great use to doctors to have access to medical history from previous visits or other doctors (although sometimes I think it would be interesting to be able to get a “blind” opinion without access to *any* records…not sure that’s even an option), and part of the promise of some of these online medical initiatives is that it can be potentially very valuable to have that information readily available for things like sharing and collaborating around x-rays, or with emerging fields such as telemedicine.

So, what sort of rights do I then have to that vault of information created about me? What if a company wants to start charging me a lot of money for continued access to it, or changes that privacy policy to something that I don’t like, or shares it with people where I don’t approve, or won’t share it with people where I insist? What happens when there is an outage and my doctor(s) can’t access my information in a timely fashion?

Then, let’s suppose that sometime down the line (not sure how long, but it seems to be happening), a company develops a mechanism to monitor an individual’s vital signs and administer drugs automatically and accordingly. Who has control over that? Will it be more like ADT or like OnStar, where they either just monitor things remotely or start to exercise certain levels of remote control, such as changing doses? Will there be a kill switch? Will there be a black box in case anything goes wrong? These issues are directly and highly related to the problem of control and access to health information, because they reflect the growing trend of a SaaS world where data lives in the cloud, and individuals have no significant leverage once a certain level of monopoly or oligopoly becomes established. What good is choice, if there are only lies to choose from?

In order to avoid a situation where people and individuals have no practical choice in these matters, we need to establish a place in “the cloud” where the individual starts by having total control, where they can then require other individuals and external entities to come to them where the default will be privacy, if not secrecy, if not security. At least then there will be an understood and practical alternative and reference point for what private and personal even means, where people can actually decide if they want to surrender or share a certain level of control with some external entity.

From an architectural and technological standpoint, we can relatively easily provide a private and secure place for the individual to store their own medical records. Then, if they want to give access to their doctor, they can do so. If the doctor requests permission to be able to reference their case in the future, they might provide that, providing that the doctor agrees not to share that with others. If that information somehow gets out, they will know that it was that particular doctor, and word will travel pretty quickly that the doctor didn’t honor the doctor/patient relationship.

Off the top of my head, I can’t think of a single organism that has succeeded/survived/thrived where the individual in the end didn’t have final say and control. Does anything remotely resembling the borg actually exist anywhere in nature? I don’t actually know, it’s a non-rhetorical question.

If not, then why are we heading further and further down the road where individuals, as a part of larger organizations, no longer have any real decision-making power? Have you ever talked to a cell phone company representative? You might as well be talking to the company’s computer system, where the representative can only really follow policies that have been set somewhere centrally by some sort of bean counter. I have thankfully not had to deal with a case of an insurance company overriding the judgment of a doctor, but I imagine it is quite the same.

We should start moving in the opposite direction, where people are in control of their own context, in their own community, without anything “above” them in authority that can sweep down from the sky/net and literally take their life at any time. Do we know that these behaviors have definitely made the world a better place? That question, on the other hand, is rhetorical. First, let us all do no harm.

Posted on March 6th, 2008 by David Thomson



Copyright 2008 Suprablog HQ. All rights reserved.
