The Microsoft announcement that it is moving the cloud service into an appliance and semi-private service comes at the same time that the Amazon CTO calls private clouds “false clouds”.
Stepping aside from all the marketing about what is real and what is false, I think this move by Microsoft raises some great security and compliance questions.
First, I seem to remember Salesforce rumbling about this public-private service model as far back as 2005, around the time of the Google search appliance. The idea then was to take a web service and package it so it can receive updates but that’s it. This allows an entrance into a market that has a natural fear of getting into a service like cloud. It also helps reduce the expense of Salesforce trying to establish a meaningful cloud compliance or confidence message.
Microsoft is taking steps in this direction now. ComputerWorld reports that Muglia offers details on Microsoft Azure Appliance:
Once settled in the data center, the appliance will be connected to Microsoft’s own instance of Azure. “We will maintain a flow of new software down to all of the appliances so they will be kept up to date,” he said, adding that the customer will retain control over factors such as when to apply updates and which services to deploy.
That sounds a lot like having another Microsoft product in a private environment that gets new software through the update service. Cloud? Oops, never mind, I started to get into the definition again.
I am more interested to know what kind of logging, monitoring and access controls are in place. Naturally, that is completely absent from the ComputerWorld article. The word “security” and the word “compliance” are not used a single time! Here is a good example question: does Microsoft, or Salesforce for that matter, maintain its own accounts with access to data in these appliances? That would make “change vendor defaults” for regulations and compliance very difficult to achieve.