Sunday, February 27, 2011

A Tester's perspective: Privacy in Design by Microsoft

A month ago I promised to blog about privacy solutions the cloud vendors apply at this time.
This post will discuss Microsofts efforts in handling privacy.
When googling for Microsoft the first hit's a bullseye.
A portal about how Microsoft deals with privacy issues and links to relevant information, ordered in a structured way. Regarding usability,a good start.
A portal is nice, but does it have info about how Microsoft deals with privacy issues?
Privacy by Design is a hot topic in the privacy community and also organized in Microsofts business, in both development and operation.
Bold words, but how is this done?
First, Microsoft deals with Privacy by following the Microsoft Privacy Principles, which address Accountability, Notice, Collection, Choice and Consent, Use and Retention, Disclosure of Onward Transfer, Quality Assurance, Access, Enhanced Security, and Monitoring & Enforcement.
An example of the use of these principles is the link Privacy
available at the Windows Live Hotmail-site.
Wow, Privacy Principles, but who assures me, the user, these principles are lived by Microsoft?
Microsoft's Chief Privacy Officer (CPO, I just love those abbreviations), is responsible for managing the risks and business impacts of privacy laws and policies.
The CPO and his team had a great influence on the new Microsoft's U-Prove (former CardSpace) and the Tracking Protections in IE9.
OK, Microsoft is concerned about the user's privacy, are there any negative sides to its policy?
Well, you could say the long development and at the end elimination of CardSpace in favor of U-Prove, but is this privacy-related? The Geneva-project was, IMHO, always a bit mysterious, but when Credentica was bought by Microsoft in 2008 things started to make more sense. Then it's more an issue what to use for identity control and if it's usable?
Believe me, I have enough experience with software projects where the architect says his design is flawless, but that during end-to-end-test the software its performance is just plain lousy.
Another reason to involve testers at the beginning of a project.

Concluding,Microsoft commits itself to privacy, but it's still an evolution of development and process, do not expect miracles!
People at Microsoft are also just people.

Sunday, February 20, 2011

Got the flu last week, what did I miss?

Last week it was my, once in two years, out-of-the-office-because-of-the-flu-week.
More simply said, I was bugged :-(.
No worries, I'm back on my feet and now I'm looking what I missed out on testing, SaaS, security and identity last week.
Fortunately, my fellow bloggers weren't ill and could produce a daily/weekly news for me, like Frank Wray's Identity in the Cloud Weekly,Christophe Primault's The Daily, EPA's blog and Jaap Kuipers his PIMN. Great stuff guys, saves a lot of Googling.

If I would exclude testing now for keeping it short, what did I miss out on SaaS, security and identity?
Well, one nice thing to mention on SaaS/Cloud computing is a webcast Maurice van der Woude, general director EuroCloud Europe, gave on Brighttalk about Managing Hybrid Clouds from a Supplier and User Perspective. Here, next to explaining what a hybrid cloud is, he also discusses the interoperability needed in a hybrid cloud and the privacy issues. A very informative talk, which is suitable for both business and tech-pro's.

Going further to security, well, the biggest news was the RSA-conference held in San Francisco, attended by some of my fellow UMAnitarians and also PIMN-members.
For UMA, Congratulations to the SMART team for their win of an IDDY award in the Proof of Concept category from Kantara for their UMA development work! This is good news for a possible adoption of UMA by the industry.
Another interesting RSA-item to mention is the panel-discussion, co-led by Ikuo Takahashi on Legal issues occurred by international cloud computing. This means, cloud computing is more and more seen by policy-makers as something to happen and legal issues must be attended. It now only depends on how this policy will be governed, and on what geographic scale: globally or per country?
Mr. Takahashi, thank you for your feedback on my questions to this, it gave me a lot of insight, which I will further explore the coming weeks.

So, this is just my humble view of last week. One week knocked-out by the flu, but luckily I can rely on my fellow-bloggers, as they can rely on me, to keep the news posted.

Sunday, February 6, 2011

USA responds to the changing EU Data Privacy Directive, where's Asia?

Last week I blogged about that the EU Data Privacy Directive is going to be changed in response to the adoption and development of Cloud Computing.
IMHO, I thought the USA couldn't lag behind and I was not surprised that the NIST , the U.S. National Institute of Standards and Technology, has issued two new draft documents on cloud computing for public comment, including the first set of guidelines for managing security and privacy issues in cloud computing. Next to this, NIST has developed a Cloud Computing Collaboration site on the Web to enable two-way communication among the cloud community and NIST cloud research working groups.
So, it seems both USA and the EU are initiating efforts to guide the secure adoption of cloud computing by industry and consumer.
Now, I'm wondering about one thing, compared to Europe and the USA, what are the Asian countries doing to guide a secure adoption of cloud computing?
For a testpro like me it is very nice guidelines are being made for the 'Western' countries, but a lot of the 'cloud' is build in the 'East', so this I can't neglect.

Asia is not unified like Europe or the USA, so government guidelines here are not easily made for the many different countries forming Asia.
Private consortia like Asia Cloud Computing Association (see Europe's EuroCloud ) have been developed. But wat about the Asian governments, are they making unified guidelines for Cloud Computing?
John Galligan, Microsoft Asia Pacific's regional director for Internet policy, discusses this, with an emphasis on Singapore, on and

Challenges there still are, one of the sentences made here I want to citate:

'One significant concern regarding cloud technology is the uncertainty over the location where data is stored and how strong data protection is to safeguard against criminal intent.'

This is also the case in the Western world, and as in the West, secure IT-auditing by the Asian governments and private sectors is necessary to test the security of their continuously innovating IT-infrastructure.

Galligan also says :"It's very interesting when people start to look at reliability, the level of redundancy and individual's access to the system, it can move decision makers to understand that maybe their current infrastructure is not as stable and secure as they think it is."

OK, it's a response from an employee of a private firm, but, IMHO, this is the single problem now with Cloud Computing, only with tackling these risks of reliability, redundancy and access, policy makers all over the world can be moved to adopt Secure Cloud Computing.

And that's a mutual challenge for all global parties involved in Cloud Computing: Business, IT-auditing, development and test!!

I'm no expert on Asian law, this example of cloud computing in Singapore does not have to be the case for other Asian countries, it only wants to illustrate an Asian response to Cloud Computing