Risk
11/5/2009
07:10 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Expresses Cloud Privacy Commitment, Concerns

In a policy paper, Microsoft affirms its support for privacy in the cloud and calls for regulatory clarity.

Cloud computing continues to evoke privacy concerns, so Microsoft has published a position paper that attempts to address the questions it's been hearing.

The paper's publication coincides with the 31st International Conference of Data Protection and Privacy Commissioners, which is taking place this week in Madrid, Spain.

"We know that cloud computing is getting a lot of attention these days and we've heard from customers and external stakeholders that they'd like to hear what we're thinking about it," said Brendon Lynch, senior director of privacy strategy for Microsoft's trustworthy computing group. "Privacy and security are the number one concern of organizations that are thinking about going into the cloud space."

Lynch contends the issue isn't really new, noting that Microsoft has been storing Hotmail user data on remote servers for about 15 years.

Nonetheless, the diversity of information being stored in cloud services, the extent to which cloud services are being used by consumers and businesses, and the architectural differences of cloud data storage all provide a reason for Microsoft to clarify its thinking about cloud privacy.

The good news is that the privacy principles Microsoft supports through the architecture of its software -- notice, consent, and choice, among others -- are the principles the company supports for the cloud.

The bad news -- if you accept the premise that Microsoft's interests are aligned with the user's -- is that Microsoft isn't always calling the shots.

Cloud service providers "can be caught in an impossible position when governments impose conflicting legal obligations and assert competing claims of jurisdiction over user data held by these providers," Microsoft's paper states. "Divergent rules on data privacy, data retention, law enforcement access to user data, and other issues can lead to ambiguity and significant legal challenges."

Lynch says that Microsoft is working on these issues, trying to encourage the harmonization of privacy laws and a consistent global privacy framework that can accommodate the reality of global data flows.

"In order to maintain trust and confident in cloud service, we really feel that cloud providers need to put forth strong privacy protections and to be very transparent," said Lynch.

Attend a Webcast on the application grid approach to modern data centers. It happens Tuesday, Nov. 3, 2009. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant