By Trevor Pott, 29th April 2015 08:02

Paranoid about the NSA? The case for dumping cloud's Big 3

Can you achieve security through the obscurity of regional ISPs?

Internet Service Providers (ISPs) may be the most important public cloud providers of the next decade. Hosting your data with an ISP has a number of advantages over choosing the dominant American cloud providers: advantages that run the gamut from technical to political.

ISPs have been in the co-location business practically since the internet began. Many have offered hosted services (typically e-mail and web server space) for at least as long as the World Wide Web (and the browsers required to interpret it) has been around.

The idea that ISPs might be interested in hosting cloud services is thus not particularly novel, nor is it particularly hard for them to stand a cloud service up today. HP will cheerfully sell you cloud servers, and all of the software to make it go, too.

Almost every start-up wants in on this too. Maxta is in bed with Mirantis to form a hyper-converged compute + storage "Openstack cloud in a can" offering. Yottabyte is building its own fully hybrid cloud unicorn thing... even newly out of stealth Springpath is planning a pre-canned cloud in a box via partnerships.

Companies that don't quite qualify as start-ups anymore, like Nutanix, are all over this, and the big boys are trying to buy in too. Look to Cisco's Metacloud purchase or the Dell-Microsoft franken-pseudo-Azure thing.

A quick web search shows that many ISPs already have their own public clouds. BT in the UK, Verizon in the US, Telus in Canada and Optus in Australia are all examples of ISPs in the four major Register reader countries that offer cloud services.

Chances are almost all of the majors (and most of the not-so-majors) either have a cloud offering today, or will within the next 18 months. So why are they doing this?

The technical argument

The technical argument for ISP-based clouds is actually pretty simple. If you are a business that is located only in one restricted geographic area, you can probably have all your business locations using the same ISP.

It's not particularly hard to get great deals on really high-speed data links to your ISP – what's hard is getting high-speed data links to the internet at large for cheap. If I want to slam a large amount of traffic back and forth between several locations, all within the same province and a data centre that is owned and operated by that ISP in that same province, there's a really good chance I'll be able to pay "on net" rates for my cloud traffic.

On net rates are cheap. I can then set up something with the ISP such that any of my traffic that does go out to the internet at large gets charged to me per gigabyte, but because that will probably be just some general browsing it's not going to cost much. The real bandwidth is between me and my data centre, and by staying within my ISP's network, that traffic won't break the bank.

If I maintain a back-up link through a second internet service provider, then whenever I failover to that connection, the traffic will have to go through "peering" and thus "over the internet" to get from me to my ISP's data centre. In this case, those data costs would be the same as if I were using one of the big American cloud providers, but I don't have to use the back-up link unless my main ISP's link has fallen over.

One of the other advantages to ISP-local clouds (or, really, any regional cloud provider located physically near you), is that physical proximity enables services that are otherwise difficult.

Take data recovery as an example. For those using cloud services simply as an offsite back-up repository there is always the problem of getting your data back when a restore is required. Downloading can take a long time. A local cloud provider can pop the data onto a drive and courier it over the same day. A cloud provider in another country takes longer, if they even offer that as a service.

It's about ease of use, stupid

The most obvious reason to stand up a regional cloud is to meet requirements that simply can't (or won't) be met by the three big American cloud providers (Amazon, Microsoft and Google). Chief amongst these are data sovereignty, regulatory and legal concerns.

Data sovereignty is an issue regardless of how many data centres around the world a company holds. Microsoft's Irish fracas is a great example of this issue. If a company is headquartered in the US, then they may be beholden to American law, regardless of where their data centres live.

The same is true of any company, headquartered anywhere. A Canadian company with a data centre in Europe will be beholden to Canadian law, European law and the law of the country where the datacentre in question is located. That's before we look at who is intercepting data as it transits from A to B.

Oddly enough, there are a lot of companies (and a growing number of consumers) that just don't want to deal with this. Cloud computing is supposed to make life easier. Trying to cut through who owns your data, who can look at your data, who can subpoena it, when, where and why – and whether or not they'll tell you about it – is just too complex.

How can a small business look a regulator in the eye and say "yes, we're compliant" when in all honesty even the regulators don't have the foggiest clue whether or not storing our data elsewhere is legal? Canada has been issuing mixed signals on this for ages, and the EU is currently duking this out in various layers of courts and political backroom dealings.

Choosing your local ISP's cloud gives you a better-than-average chance that your data won't leave your own local jurisdiction and shouldn't come under the laws of another nation. Unless, of course, your ISP sub-contracts their cloud services to one of the big three. That's something you should ask about before purchasing.

Perhaps more to the point on all of this: the "privacy versus security" battle has only begun. Much like it took decades to hash out other major cultural changes (feminism, LGBT rights, the adoption of basic civil liberties for peasants), this will run for a long, long time before the people grind down the machine.

If history is any guide, we'll get a massively paranoid security state in virtually every jurisdiction that will slowly – and probably over the course of the next three generations – be beaten back by civil liberties activists. Then will come reactionary ultra-conservative jurisdictions that will try to make it illegal to store your data in jurisdictions that respect privacy. Then, after enough time, civil liberties will (hopefully) win.

So even if it is legal today to place your data elsewhere, it may not be tomorrow. Why risk it, especially if that data is only for internal consumption in your organisation?

But, but... encryption

The counter argument to data sovereignty, regulatory and legal issues is almost invariably some sort of magical encryption world. Upon inspection this almost always falls down.

Microsoft evangelists will quickly stand up and start talking about how some parts (but not remotely all) of Microsoft's cloud services can be secured using encryption where you control the encryption key. They get real quiet when you start asking about price, applicability to small businesses, or why businesses should trust the encryption system in question.

If you're worried that, for example, the American government can't be trusted to respect the privacy laws of your nation, then I'm not sure a key management system that is run as a cloud service on Microsoft's cloud is really something we're going to trust to protect our encryption keys. Or, for that matter, that the whole system hasn't been back-doored from the start.

Cloud of uncertainty

This is the real pickle of public cloud computing. It isn't just about protecting your company and your clients from evil hackers. It's about protecting your company and your clients from government overreach, and yes, economic espionage.

Say you're running a small biotech firm out of a university start-up incubator and you're doing promising research into what may be a viable treatment for Alzheimer's disease. You know that the entire pharma industry would love to get their hands on your research, especially before you have it patented.

If you store that on your own servers, chances are you're not going to get hacked. Your tiny little company is hard to find amongst the noise, and it's a pain in the neck to hack you anyways. Even if you host that with a regional provider, there are tens of thousands of tiny little providers all over the place. The pain-in-the-neck factor is pretty large, and it's not really worth it for a nation-state to risk playing that whole economic espionage game with such a broad diversity of targets. Each provider has a different set-up, different defences and the rewards for any penetration efforts are not guaranteed.

Now, let's say that you use a large American cloud provider. Instead of being one among a few thousand clients of this cloud provider, you're one among millions of clients.

The spooks now only have to crack the defences of one cloud provider to search through the data of millions of companies looking for juicy tidbits like your Alzheimer's research. They can then quietly hand that off to companies within their own nation and, well... when and if this happens it's not only really, really hard to prove, the American courts won't even hear the case because of "national security".

Of course, the Americans (and every other nation, for that matter) claim they don't conduct economic espionage. Even if you believe that's true today, will it be true tomorrow? The more of those pesky foreign companies that use the big three American providers, the more tempting that pot of gold becomes.

And, of course, that pot of gold is tempting to everyone. Amazon, Azure and Google are three very tempting targets to attack. They have some of the best security people in the world, but they are attacked continuously by the best hackers in the world.

To be successful, Amazon, Azure and Google – like any provider or you, when you run your own infrastructure – must defend against every possible attack. To be successful, a hacker only needs to find one vulnerability.

Crack open Amazon and the candy inside that piñata is unending. Crack open a regional ISP and you could have spent years getting through the front door to find there's nothing of value inside.

So ISP clouds are faster than the big three. They are less legally ambiguous, and they are a less attractive target, both for governments and for blackhat hackers. The regional cloud and the ISP cloud are far from "dead" concepts. Quite the opposite – with such obvious value, it's a market about to explode. ®
