Cloud computing seems to still be one of the reigning buzzwords in high-tech these days. Everything is either “in the cloud”, “powered by the cloud”, or some variation on the theme. I remember when hosted email was just that: hosted email. Today, such offerings are considered cloud offerings even though they have not changed in any substantive way since being first offered well over 15 years ago.
This is to take nothing away from the significant technology shift cloud computing represents. Without question, virtualization, storage services, and even application tier services such as Heroku, have fundamentally changed the way applications are both developed and deployed. And yet, we are still working with the same essential technology that we always have: compute, network, and storage. The reason cloud computing is so attractive is because it affords us incredible flexibility in how these basic elements are utilized. The cloud provides us both speed and specialized toolsets.
But cloud computing also raises questions in both the minds of engineers and managers. Who owns and controls my data? Is my intellectual property secure? Can I really trust my cloud provider to treat my technology assets and intellectual property with the same care I would expect of IT employees?
I have written elsewhere on the importance of establishing trust with cloud service providers. Cloud service providers become an essential member of a customer’s IT team and should be treated as such. This means constant communication, a clear understanding of policy, and regular, what I like to call, “mini-audits” to ensure cloud resources are being used in a manner consistent with regulatory requirements as well as internal IT policies.
So while cloud computing is a disruptive technology, it is not so because of new technologies, but because cloud computing delivers existing technologies in new, efficient and novel ways. As such, the essential unwritten—yet widely recognized—code of ethics that have informed IT operations for decades, apply to cloud computing as well. However, as cloud computing involves 3rd party service providers, as a matter of course it is important to broadly review this code to determine if cloud computing introduces new challenges or presents new ethical questions. In this article I will outline some of the core principles that govern IT operations and I’ll discuss where such ethical mandates come from in the first place. I have found that when dealing with ethical questions, understanding the why is often just as important as knowing the what.
IT Ethics
Perhaps the most widely recognized ethical rule in IT is to respect the privacy of system users. IT admins, engineers, and others, will often have access to employee email and personal files. It goes without saying that these admins absolutely need this access in order to troubleshoot issues and even simply manage a system.
Years ago I was involved with troubleshooting some problems on an email gateway. This required me to closely examine email headers to identify potential routing, or TTL problems/misconfigurations. What was most interesting about that experience was that I consciously did not look at the contents of the emails I was examining and kept my focus only on the headers or portion of the raw email messages pertinent to solving a particular problem. As funny as it sounds, I actually taped a piece of paper towards the bottom of my monitor to block my view of raw email I was examining in a simple text editor. I think that most email admins feel the same way I did. They respect the privacy of users—regardless of where that user sits within an organization.
Of course, there are times when it is essential that IT admins and management have access to email with the need to examine its contents; this especially true in industries that are highly regulated with strict rules on email content and retention. Most firms do this programmatically by using technology to scan and analyze email as it leaves the firm. For example, if an employee includes a customer’s social security or account number in an email, these outbound scanning solutions will often flag and capture the email before it can be delivered. In this way, an employee’s right to privacy is trumped by both regulatory requirements and also the responsibility firms have to protect customer data.
This brings me to another widely known and accepted ethical rule in IT: protect customer data—especially sensitive personal, health, or financial data. When a customer pays for a firm’s service, the customer has placed a great deal of trust in the firm and consequently, the firm has an absolute duty to protect its customers from data theft or misuse. If a data breach does occur, the firm then has a duty to make the customer as whole as possible.
Protecting customer data is more difficult than some outside IT, may imagine. It involves the use of technology, engineering, and even forensic expertise. A firm must have the resources and expertise available to fulfill this duty. If a firm is unable to secure the appropriate resources or expertise, they should avoid putting themselves in a clearly unethical position, because they have no way to guarantee the protection of their customer’s data.
