Battlestar Galactica and the Trusted Cloud
In my previous two posts about cloud computing through the lens of classic sci-fi, I looked at fairly upbeat stories of a shiny & happy future world. In both Star Trek and Star Wars, technology was usually the “good guy” – an enabler of amazing things. Beaming up. Swords of light. When these stories played on our collective imaginations, it usually evoked childlike wonder. But what happens when that imagination plays on some of our biggest modern fears? And really, it would be difficult to write this blog series without addressing the fear/question: can I trust the cloud? I’ll come back to the question in a minute, but first I want to talk about Battlestar Galactica. Not the original show from the 1970s, but the reimagined noughties version: edgy, cerebral and often disturbing.
A man walks into a remote space station…
He sits at one end of a table, ready to engage in diplomatic relations with the Cylons: sentient robots with whom humans waged a long and bloody war forty years prior. While waiting, he takes a look at the “latest” technical specs of his former enemy, which look like walking toasters. Then he nods off. He’s awoken suddenly by the sound of an approaching Cylon. But instead of a clunky chrome machine, in walks a statuesque blonde in a bright red dress and high heels. As the man sits wide-eyed and dumbfounded, this new enemy proceeds to destroy the entire space station. Welcome to Battlestar Galactica.
A few scenes later, the same statuesque blonde[1] is in the home of the worlds’ foremost (and perhaps most arrogant) computer scientist explaining how she was able to disable the entire human defence system. She attacked the cloud. The only surviving source of defence? The Battlestar, Galactica, whose captain – Bill Adama – refused to allow networked devices to be installed on his ship.
Given that the show premiered in 2003, right around the time that enterprises began to take a serious look at cloud computing, it’s no surprise that it echoes many of the concerns businesses had – and continue to have – about whether or not they can trust the cloud.
Is the cloud less safe than on premises computing?
This is probably the biggest area of concern for enterprises considering the cloud. In a recent report from the Cloud Security Alliance, 73% of IT and business executives said that concern about the security of data is the top challenge holding back cloud adoption. The argument goes something like this: the cloud makes it easier for people who would do me harm to access my secure systems, but keeping off of the network will make me safer. It’s the same basic premise that runs through Battlestar Galactica.
But there’s a basic flaw in that thinking. In the show, those responsible for security spent their time looking at outdated (like 40 years out of date) schematics of their threat and didn’t anticipate that threat’s evolution. The hubris of the foremost computer scientist made him complacent about the possibility of intrusion and data breaches. Had the good guys used better cloud service providers, it would have been a very different, and much shorter show.
In reality, few companies have both the scale and relentless vigilance to keep on top of ever-evolving threats that Microsoft does. This means ensuring security through several layers of protection: data, application, host, network and physical. We also own the software we’re deploying for cloud security, which means we are in control of maintaining and updating the same software stack being used to run on-premises data security for enterprises around the world. In short, we’re continually anticipating new threats, and are best positioned to be proactive about mitigating their impact. Maybe that sounds a bit like hubris? Hopefully not, because our confidence in our ability to ensure security is in no way a sign of complacency. We constantly run simulations with internal teams of very smart individuals actively trying to identify and exploit system vulnerabilities. We also have an equally sharp team who actively try to stop them.
On top of this, our services operate on the assumption that even if our system is compromised, your data is not. This means continually expanding and improving encryption of data as well as restricting access to your data to only the right people inside and outside of your organization. So, is cloud computing safer? The bottom line is that it would be extremely difficult and cost-prohibitive for an on-premises solution to offer the same level of vigilance and dedicated resources that top-tier cloud providers such as Microsoft can provide.
Can I trust what you’ll do with my data?
After addressing the question of safety from attacks, the next big hurdle in learning to trust the cloud is the question of whether or not your cloud provider will use your data in ways you don’t want them to. The answer to that one is simple: it’s not our data to share. It’s your data, and we’re just the trusted custodians of it. We will not use your data to market to you, and there are no advertisements in our enterprise cloud services.
What’s more, we’ve worked with numerous industry and government standards bodies in order to meet a broad range of compliance standards from ISO/IEC 27001/27002 to the UK Government G-Cloud. The privacy authorities from all 28 EU member states found that Microsoft’s implementation of EU Model Clauses in our enterprise cloud contracts meets the high standards for international data transfer in the cloud.
And speaking of governments, we don’t provide any government or any other third party with direct, unfettered access to customer data, and do not provide any means of circumventing encryption protecting customer data. In 2014, Microsoft received 65,496 requests from law enforcement agencies for access to customer data; 8,608 of those were for UK accounts. In none of those cases did Microsoft disclose enterprise customer data. In other words, if a government agency asks “What do you hear, Microsoft?” Our answer most often is “Nothing but the wind.”
Will I have control over my data?
Your data doesn’t stop being your data just because it’s on our servers. We will only use your data to provide the cloud services you purchase. If you store data through any of our cloud services, we respect your ownership of that data at every step of the way. We don’t scan it. We don’t share it. We don’t exploit it.
That means we’re transparent about how your data is stored. You can learn about our security standards online, as well as explore data location maps, examine service level information and understand the key privacy and security commitments we make to all our cloud service customers.
It also means you always control access. You control which accounts from your domain can access the data you store with us, using the same sets of permissions and controls that you likely use today, using your Active Directory federated to our services in the cloud.
You get to decide what devices can be used to access your data. You’ll get numerous features built into our services which give you and your administrators the ability to manage your data.
All along the watchtower
All along the watchtower/Princes kept the view…
Outside in the cold distance/A wildcat did growl
Two riders were approaching/And the wind began to howl
Fans of Battlestar Galactica will recognize the importance the song plays in the show’s finale. For our purposes, though, the song brings us back to the main question: Can I trust the cloud? Given our level of vigilance about security, our compliance with privacy standards, and the control clients have over their data, I’d say Microsoft has certainly earned the trust of our cloud computing clients (and works relentlessly to keep it). To paraphrase the song: we are on the watchtower, keeping the view; always at the ready for whatever strange new riders approach. We delve more into our view of the cloud in our eBook, Cloud Confidence. It was written to help demystify the cloud for non-technical business decision-makers. Even if you already have a good understanding of how the cloud works, this book may still provide some new perspectives for you to consider. If you’re working with managers and executives who, like Captain Adama, are still sceptical of the cloud, this can be a good primer for them. Please feel free to share.
So say we all.