This post is part of an Intel-sponsored series of posts we'll be doing here at Techdirt on the topic of innovation. Posts in the series consist of a video interview of myself (which you'll see below), the post, and another video interview with an Intel representative and others. That second video, obviously, is content from Intel, but my video and what I've written here was done with complete and total editorial independence. We hope you enjoy the content and take part in the overall discussion, either via the comments or through the interactive ad unit to the right of the post.

Security is a touchy subject, these days. There's a fine line between legitimate security concerns and blatant fear mongering, but there's no doubt that security, in general, is an important subject. One key point that I think too often gets lost in the discussions around security is the question of trust. First up: the short video of me discussion a bit about security today: Trust is one of the key elements of security, and while I only really had a chance to discuss it briefly at the end of the video, it is something that deserves a bigger discussion. After all, the "strongest" security in the world from an untrustworthy party isn't any security at all. I've been thinking more and more about this now that "cloud" storage has become a bigger issue. There are some out there who think that cloud storage means that you have "less" security, since your data is "out there." And, in some cases, that might be true. But, consider this: if you store the data yourself, you're responsible for your own security, and you might not be nearly as good as whoever is on the security team at the cloud storage provider.

Of course, there are also different factors at play here. If you do it yourself, you're likely a smaller target than a larger cloud provider, but that doesn't mean you're not a target. As the video below notes, you either you know you've been attacked, or you've been attacked and you just don't know it. Point being: everyone's a security target. Relying on the fact that you're not big enough to be a target is a naive game to play. So, if we're to accept the idea that cloud storage may be important, the security chops of the crowd storage partner you're working with becomes key. And that's where trust is important.

Suddenly, "trust" becomes almost as, if not more, important than the type of the actual security. When you hand off your security to someone else, its almost entirely based solely on trust. Unless you're directly a security professional who is going to dive in and fully test the technology itself, most people (and many organizations) aren't making their security decisions based on whose security is "best," but on which company they trust the most not to screw things up.

Based on that, I'm often surprised at how little some security companies do to really build up and keep that trust. Too often it feels like security vendors focus just on the nuts and bolts. Obviously that's important, and having good technology is always going to be a major component of trust. But it has to go beyond that as well, showing how responsive and clear a firm is about security issues.

Trust has filtered through into a number of different tech categories, but it still seems to be something that many overlook. In the next few years, I fully expect that to change, as more and more companies seek to play themselves up as the "trustworthy" partner in security.

Below is the Intel video discussing computer security today

A reminder for folks that tomorrow, Wednesday May 26th, at 9am PT/noon ET, we'll be holding the next webinar in our IT Innovation series, What IT Needs To Know About The Law. I've been working on the content for this webinar with Dave Navetta and Larry Downes, and it's shaping up great, covering many of the issues we talk about here on a regular basis. In fact, there's so much good stuff, that we're down to figure out what we're leaving out -- perhaps to revisit at a future date. Either way, it should be chock full of good info that will be useful for any IT person, so don't miss it. Sign up now, and stop by tomorrow with questions ready. As with our past webinars, this one will be interactive. We'll be taking questions from attendees throughout the webinar. Please join us.

You may recall that, a couple weeks ago, we had a webinar on cloud security, with Jake Kaldenbaugh of CloudStrategies and Sam Quigley of Emerose, that was well attended and well reviewed (thank you!). The feedback on it was tremendous. If you happened to miss it, we've now made it available to watch, and also have put up the actual PowerPoint document for download as well. And... bonus time. The PDF file contains a series of extra slides, detailing some of the state of the cloud security market today -- as well as some details about Amazon's cloud security initiatives. Even if you caught the original presentation, there are probably some useful additional nuggets in there as well.

And, in the meantime, don't forget to sign up for our next Webinar, coming up this Wednesday at 9am PT/noon ET on What IT Needs To Know About The Law, with Dave Navetta and Larry Downes. The signups on this one have been through the roof and we've been working hard putting it together. The conversation should be very, very interesting, so definitely come ready with questions as well.

A few weeks ago, we had a post about why IT people need to be knowledgeable about the law, rather than just about technology. It was based on an excellent article by Dave Navetta on The Legal Defensibility Era (pdf). For years, IT folks have recognized that they often wear two hats, switching between a technology one and a business one, as they often have to explain or justify the business tradeoffs of the IT decisions they make. But these days, they also really need to add a legal hat.

Given the immense interest we received in this particular topic, we've decided that it will be the topic of our next webinar in our IT Innovation series: What IT needs to know about the law to be held next Wednesday, May 26th at 9am PT/noon ET. We're thrilled that Dave Navetta, who wrote the article that sparked the original discussion, will be participating and discussing this "era of legal defensibility" that IT people need to understand. Dave has built a career around bridging that gap between IT folks and legal folks, and is obviously perfect to be part of this discussion. With him will be Larry Downes, most recently the author of The Laws of Disruption, which is all about how the legal realm is hugely important to understanding business and technology in the world today, and how anyone looking to succeed in the internet age needs to understand some of these key legal principles. Larry's a well-known writer, speaker, pundit and consultant on this important intersection of the law and the technology world, and between David and Larry, the discussion should be quite a lot of fun. Once again, I'll be moderating.

I'm really excited about this particular topic and the two speakers. We've been preparing for the webinar over the past few days, and there are a ton of interesting topics to discuss, concerning how the law is impacting security, privacy and the wider IT world. Depending on timing, we may dip into some other areas, including intellectual property law, Section 230 and the like. Given the discussions we regularly have on this site, and how important legal issues have become in the IT world over the past few years, this is going to be a can't miss discussion, so sign up now. As with previous webinars, the discussion is designed to be interactive, and we can take questions from the audience via the web interface during the event, so please come ready with questions.

Every so often we get complaints from people who point out that this site is called "Techdirt," and yet quite frequently talks about the legal issues. There are a few different responses to this, but one of the key points is that, if you're in the tech field these days, you actually really do need to be pretty familiar with the law in a lot of ways. This is a point that I've been thinking about a lot lately, so it seemed like great timing when Michael Scott directed our attention to an article about how IT and security folks now need to recognize that legal risks are a big part of the security realm:

The era of legal defensibility is upon us. The legal risk associated with information security is significant and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world. This article discusses implementing security that is both secure and legally defensible, which is key for managing information security legal risk.

It certainly takes things pretty far outside the world where information security folks are used to living. And while there may be a sense of being able to defend the technological decisions should there be a security breach, reaching the level of "legal defensibility" involves a whole different set of issues.

The blog post linked above notes that we're still early in realizing this overlapping arena of security and law, and it's important to have folks from all of these disciplines work together:

Now is the time for legal, privacy and security professionals to break down arbitrary and antiquated walls that separate their professions. The distinctions between security, privacy and compliance are becoming so blurred as to ultimately be meaningless. Like it or not, it all must be dealt with holistically, at the same time, and with expertise from multiple fronts. In this regard we must all develop thick skins and be not afraid to stop zealously guarding turf. The reality is, the legal and security worlds have collided, and most lawyers don't know enough about security, and most security professionals don't know enough about the law. Let's change that.

Indeed. In fact, this is part of the reason that I made sure there was at least some legal discussion in our upcoming webinar on security in the cloud -- because it's an important aspect of security these days, and the cloud raises some serious legal questions (if you haven't registered yet, please do!). But making sure that legal and security/IT people are talking about this regularly is important. Otherwise, you can bet that the legal folks are going to make decisions that are going to come back to haunt those in the IT and security worlds...

One of the more annoying things concerning the ever changing technology world is the trouble that the law has in keeping up. We're seeing that a lot lately. For example, a few months ago, we talked about 4th Amendment issues when it comes to cloud data. There are a few different camps on this, with a few different thoughts -- and so far, no one's exactly sure who's right. We predicted the issue was going to come up more frequently... and we're already seeing that. A few months after that post, we had a court ruling that (on a questionable basis) found no 4th Amendment privacy protections for emails once delivered, using similar logic to the debate over the cloud. And such cases are becoming more common.

The Citizen Media Law Project has a good discussion about the FBI getting access to documents stored in Google Docs as part of a spam investigation. In that case, the FBI did go through the process of getting a full search warrant (which should have satisfied some of the 4th Amendment concerns), but it's the first case on record of the FBI getting access to Google Docs.

Part of the problem here is that this sort of stuff is covered under a law that's nearly a quarter of a century old, and is not even remotely designed for a modern technology world:

The current federal statute on the issue, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510, et seq., basically extended the rules regarding government access to older technologies like the telephone (e.g., wiretapping) to electronic communications. The USA Patriot Act, passed after the Sept. 11, 2001 attacks, modified these old rules a bit.  But the basic, underlying statute was passed in 1986, before the advent and widespread use of email, text messaging, social networking websites, and the myriad other means of modern communications.

As others have explained at length, ECPA creates an exceedingly dense and confusing statutory framework, and relies on a series of archaic distinctions, such as whether a communication is "stored" or "in transit."  This complexity creates uncertainty about what showing law enforcement has to make in order to access user materials stored in the cloud. Is a search warrant, a subpoena, or an informal request required?  Under what circumstances can service providers voluntarily cooperate with law enforcement?

What's interesting is how little attention these issues seem to be getting -- even though they can have a pretty large impact. And, even though this may seem like legal details, it applies well outside the legal field as well. While it won't be the key focus, we're even going to include a short section on these kinds of legal issues in the cloud in our upcoming webinar on cloud security (register here). While this might not seem directly like a security issue, if you're in charge of keeping data secure, it's pretty important to know what it means when the feds knock on your door... or the door of the third party "cloud" provider to whom you outsourced your company's data.

While the term "the cloud" is still pretty loosely defined, there's no doubt that more and more services are being offered over the internet, and many of those are enterprise-type offerings. For example, lots of well known companies are using Google docs, and Salesforce.com has really become quite the standard in many, many places for any type of CRM/Salesforce automation. But what does that mean for IT folks, who are used to having full control over the technology being used by employees? How can they make sure that the services that employees are using are secure and protected? And, for companies building their own online services that they hope will be used in enterprises around the globe, how should they best prepare to build a system that meets the security requirements of in-house IT staff? On top of that, beyond traditional "technology" security, there are serious legal security questions as well. How protected, legally speaking, is the data stored in the cloud? Is it covered under different laws? And do the answers to these questions depend on if you're "webifying" legacy systems as compared to building entirely new systems?

Well, we're hoping to answer a bunch of these questions with a new webinar that we're putting on next Tuesday, May 11th at 9am PT/noon ET (register here), as a part of our ongoing IT Innovation series -- sponsored by Oracle and Intel. I'll be moderating the discussion, and the discussion will be led by two of the most knowledgeable folks I know on this topic: Jake Kaldenbaugh of CloudStrategies, and formerly an exec at NEC, where he drove early strategic efforts focusing on virtualization and cloud computing, and Sam Quigley of Emerose, a leading expert on cloud security, who previously was a founding member of EDS's security and privacy services group, an open source developer at security appliance vendor Astaro, the sole security person at Xign (which became JP Morgan Treasury Services) and Vice President of security and operations at Wesabe, the online financial startup.

The webinar will consist of a brief presentation, followed by discussion -- and we're hoping to make it as interactive as possible, so come ready with questions. If you'd like to attend, please register now!

Separately, it's worth noting that we recently refreshed the IT Innovation website, to reflect that it's sponsored by Oracle and Intel (Oracle taking over from Sun following the acquisition), and we've also refreshed the resource center with a series of new whitepapers, including (but not limited to):

• Best Practices for Managing Datacenter Costs via Application and Server Consolidation
• Why Solid-State Drives Usage Scenarios Are Expanding for the Datacenter
• New Blades and Networking Solutions Ensure Solid Return on Investment
• Reassessing Server Costs for Midsize Companies

Also, while there is plenty of overlap in posts between Techdirt's main site and IT Innovation, some posts are reserved just for folks following IT Innovation. So, if you're not following that site, you may have missed stories questioning what comes after silicon as we (perhaps) approach the limits of Moore's law and a discussion on the popularity of certain programming languages.

The idea of using man-in-the-middle attacks to spy on encrypted conversations is hardly new, but there hasn't been a really thorough discussion of the likelihood of its use against SSL connections (the encrypted connections you see in your web browser on https sites, such as online banking sites, with the little lock shown in the corner of your browser). A new paper highlights not only how this works, but also how there's a company selling the technology to governments to use. Of course, to make it work and be an effective man in the middle, you need a certificate authority to grant you a fake certificate -- but there are some fears that gov'ts could do this by force or by trickery -- and hackers could certainly do it by trickery. The Wired article above quotes people at both GoDaddy and VeriSign insisting that they've never issued fake certificates to the gov't, but it is suspicious that a company is selling a device to gov'ts to do exactly this. The real problem is in the basic implementation of SSL, which right now involves too much blind trust. Apparently, the EFF is working with some security researchers to make some suggestions on ways that this could be fixed.

While I'm always a little skeptical of the numbers found in vendor surveys, it wouldn't be too surprising to learn that the recent findings that half of all data centers find themselves understaffed are at least close to accurate. About 16% of the total surveyed claimed that their data centers were "extremely understaffed," with another 34% saying they were just somewhat understaffed. Reasons for the understaffing included both the difficulty of finding qualified people for more technologically complex datacenters and general economic cutbacks -- neither of which are particularly surprising.

The bigger question is what impact this will have. Chronic understaffing in a data center could lead to serious security issues, increased downtime (decreased reliability) and certainly decreased responsiveness to problems. With many of the survey respondents also claiming they're hoping to decrease headcount even further, this could become a bigger issue going forward.

The report also claims that the survey's creators were "surprised" to find out that mid-market companies were more likely to experiment with new technologies, as compared to the big companies, but I don't find that surprising at all. Big companies are pretty resistant to change (especially if they have some big IT project that is "working.") Still, if those companies are finding their data centers regularly understaffed, it could create more difficulty in getting getting new projects successfully off the ground. So I'm curious how companies are dealing with these issues and trying to avoid problems with understaffed data centers, while still being able to try out new technologies and services.