Cloud storage tools and the impact of security breaches, data sovereignty and …
Vendors claim cloud storage offers various benefits to organisations, including cost savings and increased flexibility. But with security breaches, data sovereignty and the United States Patriot Act breeding doubt in customers’ minds, the way forward for cloud storage isn’t certain.
“The cloud” has become one of the most used (perhaps overused) terms in IT discussions today. Vendors and service providers like to explain how the various styles of cloud computing can free your workers from the chains of their desktops, free up the time of your IT staff, and let you move your IT spending from CAPEX to OPEX.
Public cloud storage tools – remote storage, usually accessed via the web, paid for in an on-demand fashion – have been available for some years now. Typically, all of them offer remote data storage, are (usually) accessed via the net and are paid for in an on-demand fashion.
The various tools have naturally fallen into a couple of categories, and use cases for the various sorts of cloud storage are becoming evident.
While these tools all have the broad strokes in common, they tend to fall into one of two distinct categories, differentiated by the complexity of the services surrounding the storage itself. Each category lends itself to specific use cases.
Tools in the first category are simple remote storage, with little or nothing in the way of features or services surrounding it, and are frequently called ‘dumb’ cloud storage. These services really consist only of storage located in some remote data centre, and not much else – it’s just a place to store your files that’s not your office. Customers typically access the storage they’re renting via an API.
Examples include Amazon S3, Ninefold’s Cloud Storage and Rackspace’s Cloud Files.
Given that it’s essentially only a remote dumping ground for your data, this dumb service lends itself to less cerebral storage tasks, like simple backup.
It’s commonly accepted that good backup practice involves storing your backups in a different location from your primary storage. After all, backing up your business’s data to a NAS inside your own office is no good if a fire rips through your office, destroying both the backup and the primary copy of your data. Dumb cloud storage offers a relatively easy way to back up your company’s precious data to a remote location, without the need to ferry tapes around the place.
Clive Gold, Marketing CTO at EMC, which supplies hardware to cloud storage providers, says there are “a lot of organisations who want an off-site backup, who’ve recognised the ‘tape and truck’ is dead and gone, but they do not have a substantially secure and reliable second site” who are using dumb storage in this way.
Dumb cloud storage can also help with recovery after a disaster. If such a calamity does wipe out your primary storage, it is a relatively simple matter to transfer the backup from the cloud back onto your new machines.
This style of storage has applications for content distribution. “eBay is a huge user of that. Whenever anybody uploads a photograph, it’s stored on that kind of infrastructure,” says Gold.
But according to Dr Kevin McIsaac, analyst at Australian firm IBRS, this category of dumb cloud isn’t all that exciting for many organisations.
“The whole idea about backing up to the cloud – I hear about it from the vendors but nobody’s asking me about it. Vendors are all very fascinated by it – I do not get a robust sense of that from my clients,” he says.
He says that there are “some” small and “some” big customers using the technology, but “it’s a niche”.
“The idea of a cloud storage infrastructure which you generically leverage like you leverage a SAN – I do not see it [happening now or setting out at some point].”
This is because plain storage itself isn’t all that useful. “For large volumes of information, it’s essential to have your compute next to your data.”
As for using dumb cloud storage for backup purposes, it’s hard to find a cloud service that offers a better value proposition than simple tape backup.
“I have no idea that the [dumb cloud storage] prices are that competitive. Tape libraries today are pretty darn cheap. And when you have two data centres, backing up from one to a tape library inside the other is about the least expensive way you’ll ever do a backup.
“On the other hand, if you are a small organisation and you do not have that stuff, well, why do you have your infrastructure anyway? Get someone else to run it and get them to worry about that.
“There are use cases for it, but it is not a broad use case,” McIsaac says.
A smarter option
The second category of public cloud storage comes in the form of collaboration tools. While dumb cloud storage is simply some space for your data in a remote data centre, tools in the second category include a host of features around that basic storage, to help workers collaborate. Probably the most famous example of this category is the consumer tool Dropbox.
Users typically download and install a native client, which presents the remote storage as a native directory on the user’s machine. Multiple users across the organisation can each treat it just as they would a local folder, creating and editing files within it, without having to understand anything about how it all works.
These tools typically allow users to access previous versions of files saved on the shared drive and include functionality to permit sharing of files with people inside or outside the organisation. They also usually offer an online interface, allowing access to the remote data even on machines that don’t have the software installed.
In fact, these collaboration tools are so popular among consumers that they are beginning to bring them into the workplace themselves, using them without the knowledge of IT management. Given the potential of these tools to lead to information leakage, this causes concern for CIOs and IT managers.
So these enterprise-grade collaboration tools add in the extra features that make CIOs and IT managers happy.
“It gives the best of both worlds. It gives the users the freedom they want, but it gives the CTO some measure of control around versioning, security and monitoring,” says Peter James, Chairman and co-founder of Australian cloud enterprise Ninefold.
Both Ninefold and Rackspace offer these enterprise-grade Dropbox alternatives, imaginatively named Ninefold Cloud Drive and Rackspace Cloud Drive.
According to IBRS’s McIsaac, these cloud-based collaboration tools offer a far more interesting proposition for businesses than dumb cloud storage.
“It is storage, but what it really does is serve an extremely specific purpose, about methods to ensure the files I would like are available where I want them. It isn’t really about ‘storage within the cloud’, it’s about synchronising data across multiple platforms,” he says.
IBRS, itself a small business comprising several analysts who work in their own environs, uses several such cloud-based collaboration tools, including Sugarsync and Google Drive.
Causes for concern
While these tools may offer increased utility or productivity, many businesses still baulk at trusting an outside organisation with sensitive business data. Given that security breaches at large organisations are making headlines more and more frequently, and that small hosting companies have had wide-scale breaches recently, concerns about such data breaches seem fair enough.
But according to IBRS’s McIsaac, large cloud organisations typically have environments that are safer than those of the small companies that experienced breaches.
“If you visit a bigger-scale, more professional organisation – like Google, or Microsoft, or Fujitsu, or Telstra – would they have got a greater environment? Yes, I think they might. Wouldn’t it be bulletproof? No, not likely. But they’d have more robust processes and such,” he says.
“What’s required is for the vendors to have standards, or you even have an auditability clause in your contract. So a third party will actually audit the processes [of the cloud provider] up front, and then ongoing, and give you an opinion about whether the processes are sufficient to fulfil the protection or availability guarantees that they make.”
Of all the concerns customers have about cloud storage, data sovereignty is far and away the one most mentioned and the one that receives the most press. But opinion is mixed on how relevant it is.
In simple terms, ‘data sovereignty’ refers to the concept that any data is subject to the laws of the country in which it is stored. So, the theory goes, if you upload a group of documents to a data centre located in China, that data is now within the jurisdiction of Chinese law and could potentially be seized by Chinese authorities, should they be allowed to under Chinese law, and should they have reason to look at it.
This wouldn’t be the case, the theory says, if you’d kept that data on a hard drive in your organisation’s Australian head office.
Beyond that, the theory says that if the company that stores your data for you is based in another country, your data is again subject to that country’s laws – even if it’s stored in a data centre in your own country.
Much of the noise regarding data sovereignty surrounds the US Patriot Act, an Act of the US Congress that was signed into law less than two months after the September 11 terrorist attacks, ostensibly to give US authorities greater power to fight terrorism.
These extra powers make it easier for US law enforcement agencies to extract information from American companies. The key point is, if American federal agencies want access to your data for some reason, the Patriot Act makes it even easier for them to get it.
Ninefold’s James stresses the importance of data sovereignty.
“We are Australian owned, as a business, and we’re subject only to Australian law. We have all of our data, all of our equipment, based here in Australia. So the information is subject to Australian jurisdiction when it comes to data sovereignty,” says James.
This is important “particularly if you have data that’s sensitive, and which may be government data, it may be educational, it can be financial or personal data”.
“If a business has any concerns about where its data could wind up, then it is going to have its data stored in a data centre that is in Australia, managed and owned by a corporation that may be Australian. That is the purest and safest way of ensuring that you know where your data is, and who has access to it, both physically and by law,” he says.
However, EMC’s Gold suggests that even if a company were ordered to hand over a customer’s data to any third party, this data would be meaningless without the keys to unlock it, which, if the cloud provider is set up in the most secure fashion, it wouldn’t have. Only the customer would have that ability, as only the customer should have the relevant encryption keys.
“With encryption, the digital rights management and the tips controls that we have got as part of our security suite, we will be able to have a cloud provider who cannot get access to your data, whatever,” Gold says. “Practically, it’s impossible.”
Rackspace, a US-based cloud provider whose data centres are located in the US, UK and Hong Kong, says the Patriot Act itself is nothing particularly special.
“It is something that’s standard in every country. It’s law enforcement. If you are breaking the law, or suspected of breaking the law, any government has the power to serve a court order, or to request another government that they have got a legal enforcement treaty with to serve a court order, to come up with that [data],” says Mark Randall, Country Manager for Australia and New Zealand, Rackspace.
“If you’re suspected of breaking the law, and the federal government had a reasonable case against you, then, if they wanted to get their hands on your data, it really wouldn’t matter who you were hosting with or which country you were hosting [in],” he says.
IBRS’s McIsaac says: “Quite frankly, if an American company wants your data, they go to the Australian courts, and the Australian courts end up coming and taking the data. Or, if it’s an Australian company, ASIC will.”
In any case, he says, the data sovereignty debate is the wrong argument to have. Instead, consider the difference between security (the likelihood that your data is leaked to a law enforcement organisation) and risk (the damage to your company should such a leak occur).
In other words, assess the possible damage of having foreign governments combing through your data and weigh that against the advantages of offshore hosting (which can include price).
“Do a risk/cost benefit trade-off. So there is a very small risk that that data would be made publicly available. What if I’ll [use cloud storage] in a better service, at a much lower price, would the business be willing to have that trade-off? In most instances, the business would say yes, depending on the information,” he says.
Remember: Voice+Data isn’t a lawyer! If you are concerned about foreign entities (including governments) pawing through your data, you should obtain legal advice from an actual legal expert.