Risk
11/5/2009
07:10 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Expresses Cloud Privacy Commitment, Concerns

In a policy paper, Microsoft affirms its support for privacy in the cloud and calls for regulatory clarity.

Cloud computing continues to evoke privacy concerns, so Microsoft has published a position paper that attempts to address the questions it's been hearing.

The paper's publication coincides with the 31st International Conference of Data Protection and Privacy Commissioners, which is taking place this week in Madrid, Spain.

"We know that cloud computing is getting a lot of attention these days and we've heard from customers and external stakeholders that they'd like to hear what we're thinking about it," said Brendon Lynch, senior director of privacy strategy for Microsoft's trustworthy computing group. "Privacy and security are the number one concern of organizations that are thinking about going into the cloud space."

Lynch contends the issue isn't really new, noting that Microsoft has been storing Hotmail user data on remote servers for about 15 years.

Nonetheless, the diversity of information being stored in cloud services, the extent to which cloud services are being used by consumers and businesses, and the architectural differences of cloud data storage all provide a reason for Microsoft to clarify its thinking about cloud privacy.

The good news is that the privacy principles Microsoft supports through the architecture of its software -- notice, consent, and choice, among others -- are the principles the company supports for the cloud.

The bad news -- if you accept the premise that Microsoft's interests are aligned with the user's -- is that Microsoft isn't always calling the shots.

Cloud service providers "can be caught in an impossible position when governments impose conflicting legal obligations and assert competing claims of jurisdiction over user data held by these providers," Microsoft's paper states. "Divergent rules on data privacy, data retention, law enforcement access to user data, and other issues can lead to ambiguity and significant legal challenges."

Lynch says that Microsoft is working on these issues, trying to encourage the harmonization of privacy laws and a consistent global privacy framework that can accommodate the reality of global data flows.

"In order to maintain trust and confident in cloud service, we really feel that cloud providers need to put forth strong privacy protections and to be very transparent," said Lynch.

Attend a Webcast on the application grid approach to modern data centers. It happens Tuesday, Nov. 3, 2009. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.