Security in the Cloud
Wednesday night I went to the TiE event on cyber security in the age of the cloud at the Nerd center. Among the panelists were Michael Sutton of Zscaler and Chris Wysopal of Veracode. In each case they are kind of in the cloud and kind of not in the cloud. Veracode delivers its product on a SaaS basis from the cloud but maintains its own data facilities because it can’t really put client code on the cloud – why? For security reasons.
The conversation turned to regulation, which was probably the topic of the evening. It seems clear that privacy regulation is a huge impediment to the development of the cloud. For example, hospitals can’t use the cloud (at least today) because of HIPAA compliance issues. HIPAA is, of course, the result of deep social concerns about patient privacy. In order to get hospitals, and others with analogous security concerns, to move to the cloud, cloud providers are going to have to be able to assure them categorically and without ambiguity, qualification or reservation that their information is secure and compliant with all applicable regulations. It seems like right now, they may be able to provide reasonably compelling assurances that information is secure and compliant, but I don’t think reasonably compelling assurance is going to be enough.
It may turn out that information is more safe in the hands of an appropriate cloud provider than in the hands of your IT department, but that (even if it can be demonstrated) isn’t going to be enough. It is like car travel versus air travel. I am under the impression that car travel is generally thought to be more dangerous than air travel, in the sense that you are way more likely to die in a car crash than a plane crash. But, plane crashes are way more spectacular and way more publicized.
Cloud-based security leaks are going to be like airplane crashes. They will be far less frequent than the issues companies now have, but they will be spectacular and will get the kind of publicity that will lead to big lawsuits, massive negative publicity and regulatory activity slowing the development of the cloud.
The economies of the cloud are so compelling that they will ultimately overcome these regulatory issues. Look at it from a macro point of view. If every company has to build for its individual peak capacity, then as a society we are going to way way way overbuild. Not going to the cloud would be like having every town build its own power plant. In the end, it just does not make sense.
So, a massive battle is shaping up between privacy concerns and compelling economics. Here is my prediction: Soon (just a few years) we will be living with airplane crashes.