Comment If you send your data to the cloud today you might be sure of a big surprise: it could vanish. SwissDisk users know this and T-Mobile Sidekick users know that Microsoft is quite capable of losing their data, too.
Stephen Foskett is Director of Consulting at cloud storage provider Nirvanix. He writes:
Subpar offerings from flaky vendors hurt the whole industry... The truth is... not all managed storage services are created equal. In fact, lots of them are, to put it bluntly, not worth much. Many cloud backup and archiving services use bare un-protected disk drives to store data, have no redundancy built into the system, and try to scrape up every cent by using home-brewed hardware. This is especially true in the consumer space, where bargain-basement (or even free) pricing has driven a race to the bottom in terms of quality. No business should use junky consumer solutions.
That's clear enough, but his brickbats are not restricted to the consumer space:
Even service providers that presume to sell in the enterprise market often miss the mark. Forgetting the inappropriate per-month credit card billing method and laughably poor support services, many providers adamantly refuse to comply with basic corporate governance principles.
How can this be done? How can we ensure that cloud data protection isn't cloud data destruction?
Dealing with potentially poor suppliers
One approach is to expect poor quality service and deal with it. Cloud storage supplier LiveDrive’s general manager, Dominic Cross said:
I think businesses just need to be intelligent in how they use cloud storage services – as they do with any third party they deal with. A business that uses a single courier, or has no backup payment processor, or relies on just one web server, is likely to have problems along the way. Redundancy and diversification at every stage is a key business concept – and cloud storage actually helps businesses achieve that simply and cheaply by reducing the reliance on internal architecture only.
But if the cloud isn't a valid replacement for local data backup then a large part of its value goes away. So you need a safeguard.
EMC RSA's approach to the issue is to verify by inspecting the service provider. Here is a section of its documentation (pdf) on the issue:
Trust cannot be granted on the cloud provider’s reputation alone; it should be validated through thorough assessments to determine if the cloud provider needs to take additional steps to comply with the organization’s information security requirements and policies. Furthermore, performance conditions and standards must be written into SLAs and managed services agreements.
RSA goes on to talk about seeing a supplier's activity logs, understanding its audit rights and physically inspecting their data centres.
Nirvanix's Foskett is a big believer in openly available verification:
Managed services must allow auditors to verify their claims. I am a car nut, so I definitely wouldn't trust a garage who whisked my car off to an undisclosed location so unseen mechanics could work on it. I wouldn't eat at a restaurant that didn't allow the health department to inspect it. So why would I put blind faith in a managed service provider who held my critical data? Cloud vendors must perform their own security and operations audits and allow their customers to do the same. You can't pass the buck on governance: If you require SAS70 or PCI or a third-party audit, then your service providers must step up and allow it, too.
Clearly only large customers would have the clout to insist on verification of an unwilling supplier, and the internal ability to undertake and assess candidate cloud storage service providers in this way. It's not reasonable to suggest that SMEs and consumers should all do the same thing, but verification facilities should be made available to them, so that they can if they wish.
Gartner's Valdis Filks, research director for Storage Technologies and Strategies, was asked how can the industry communicate to customers that a provider can be trusted and that it won't lose their data? He's with RSA regarding SLAs and contracts.
There should be "Availability and integrity guarantees or assurances" such as "standards or RTO, RPO assurances", backed up by contract terms and conditions.
Does there need to be independent verification or self-certification against standards, with peer group review as with SPEC benchmarks? "[It] would be nice, but we cannot even do it for the storage arrays that have been in the market for 10 years, e.g. many do not take part in the SPEC benchmarks."
This is not helpful to those of us looking for a CSP verification framework. Gartner is, practically speaking, saying nothing can be done and users should look to contracts and contract law for recompense if data gets lost.
Trade body and/or code of conduct
Professionals such as lawyers, doctors and engineers belong to and are certified directly or indirectly by professional bodies, such as the UK's Gerneral Medical Council (GMC). These trade organisations help ensure that practitioners are competent and reliable. They also police their members and eject them if they are found to be unfit to practice. We have a trade body police and threat model here.
There not currently any signs of such bodies emerging, but we do have a possibility for a cloud IT service suppliers' code of conduct in the UK. There is a newly formed wannabe self-regulatory body called the Cloud Industry Forum (CIF). It is a sub-group of FAST (the software licensing protection people), and Investors in Software (FAST IiS) that has been set up to develop a public-facing Code of Conduct, to standardise and certify Cloud Computing service providers.
Andy Burton, chief executive at web-hosting company Fasthosts, and FAST IiS’s chairman of the CIF Group, said:
The role of CIF is to... work alongside this fast-evolving industry, making sure it follows certain standards and therefore deters potential cowboy operators from misleading customers and thereby bringing the industry into disrepute. If we can develop a standard that users trust, much like the padlock symbol has done in the browser relating to website security, then it will be an asset not only to the user but also to the... companies operating in this space.
CIF will shortly announce the formation of a working group made up, it says, of informed industry leaders to drive the creation and launch of a Code of Conduct in the UK, with a possible brand or icon to signify adherence by suppliers to it. Let’s hope it succeeds and the code has teeth.
Unsuitable for mass market
Dan Conlon, MD of UK cloud storage provider CSP Humyo, had this to say about branding or badging of CSPs:
We find that our customers feel secure knowing that their data is stored in a bullion vault but don't feel any affinity with the technological aspects of our service in terms of resilience, security, redundancy and controls. A stamp or badge if communicated directly might wrap all those techy aspects up in a package which the mass market understands, but there's always a risk with these things that they never really guarantee to the end user what they claim to.
Could the SNIA (Storage Networking Industry Association) be the body we need to certify, regulate and police cloud storage service providers?
What does the SNIA think?
We went and talked to the vice chairman of the SNIA, Vincent Franceschini. He doesn’t think the SNIA, a standards-encouraging and education body, is right for the job: "[The] SNIA does have a passionate interest in having users trust storage service providers but it is not the vehicle to drive the industry and represent it."
The SNIA would clearly want to talk to any industry body, much as it talks to the US EPA today. But it is not the EPA and shouldn't be, and the same goes for any cloud storage provider body. The SNIA is a source of industry expertise for it to use but it is not the driver for the body to form or the body itself.
Franceschini is not keen on the threat model - the idea of a trade body policing its members: "The individual professional can be policed and certified and ejected. The big company cannot. No trade bodies exist which can police, certify and regulate big companies providing a service. It takes a Nellie Kroes to take on Microsoft."
The threat model doesn't work unless the State or the EU is involved: "You need to have the big hammer."
There will be some level of public sector oversight: "The public sector will have something to say about it, if it becomes as widespread as we hope it will. The EU (European Union) will want service providers to the public sector to be properly organised; maybe regulated is too strong a word."
The industry has to bootstrap itself
We're in a hole with some untrustworthy cloud storage service providers and no easy way to identify them until they foul up and lose your data. The various approaches to this topic range from "Tough; deal with it", through "Verify all the way", "Rely on contracted SLAs", the industry setting up a code of conduct, threat-based policing by a trade body, up to the State regulating and policing the area.
The ultimate backstop is a code of conduct with state regulation. But this is unlikely, isn't it? Possibly it's more likely in the EC - with its more nanny state approach - but we can't see it happening in the USA. It would be an element of big government rejected by many policy makers. They'd say that general data isn't money: a cloud service provider is not a bank or financial institution and people and businesses won't get ruined if they fail.
To which we in the storage industry would say 'wake up and smell the coffee.' If a business has all its data in the cloud and the service provider fails, that business is ruined.
To inspire reliable trust, the cloud storage industry just has to bootstrap itself and get a grip.
Nirvanix's Foskett puts it like this:
I'm mad, and I'm throwing down the gauntlet. I want every service provider to start now, protecting data, upholding policy, demonstrating operational excellence, and allowing audits. Anyone who doesn't is a disgrace to the industry, and their customers ought to seriously reconsider where they place their data.
For now the advice is to not rely on the cloud for your data storage unless you have contractually enforceable SLAs, and can afford to lose it or spread it across more than one provider. Five final words: "Buyer beware" and "Trust, but verify". ®