How can the storage industry prevent cloud bursts?
Out of sight, out of mind - but not out of harm's way
Comment If you send your data to the cloud today you might be sure of a big surprise: it could vanish. SwissDisk users know this and T-Mobile Sidekick users know that Microsoft is quite capable of losing their data, too.
Stephen Foskett is Director of Consulting at cloud storage provider Nirvanix. He writes:
Subpar offerings from flaky vendors hurt the whole industry... The truth is... not all managed storage services are created equal. In fact, lots of them are, to put it bluntly, not worth much. Many cloud backup and archiving services use bare un-protected disk drives to store data, have no redundancy built into the system, and try to scrape up every cent by using home-brewed hardware. This is especially true in the consumer space, where bargain-basement (or even free) pricing has driven a race to the bottom in terms of quality. No business should use junky consumer solutions.
That's clear enough, but his brickbats are not restricted to the consumer space:
Even service providers that presume to sell in the enterprise market often miss the mark. Forgetting the inappropriate per-month credit card billing method and laughably poor support services, many providers adamantly refuse to comply with basic corporate governance principles.
How can this be done? How can we ensure that cloud data protection isn't cloud data destruction?
Dealing with potentially poor suppliers
One approach is to expect poor quality service and deal with it. Cloud storage supplier LiveDrive’s general manager, Dominic Cross said:
I think businesses just need to be intelligent in how they use cloud storage services – as they do with any third party they deal with. A business that uses a single courier, or has no backup payment processor, or relies on just one web server, is likely to have problems along the way. Redundancy and diversification at every stage is a key business concept – and cloud storage actually helps businesses achieve that simply and cheaply by reducing the reliance on internal architecture only.
But if the cloud isn't a valid replacement for local data backup then a large part of its value goes away. So you need a safeguard.
EMC RSA's approach to the issue is to verify by inspecting the service provider. Here is a section of its documentation (pdf) on the issue:
Trust cannot be granted on the cloud provider’s reputation alone; it should be validated through thorough assessments to determine if the cloud provider needs to take additional steps to comply with the organization’s information security requirements and policies. Furthermore, performance conditions and standards must be written into SLAs and managed services agreements.
RSA goes on to talk about seeing a supplier's activity logs, understanding its audit rights and physically inspecting their data centres.
Nirvanix's Foskett is a big believer in openly available verification:
Managed services must allow auditors to verify their claims. I am a car nut, so I definitely wouldn't trust a garage who whisked my car off to an undisclosed location so unseen mechanics could work on it. I wouldn't eat at a restaurant that didn't allow the health department to inspect it. So why would I put blind faith in a managed service provider who held my critical data? Cloud vendors must perform their own security and operations audits and allow their customers to do the same. You can't pass the buck on governance: If you require SAS70 or PCI or a third-party audit, then your service providers must step up and allow it, too.
Clearly only large customers would have the clout to insist on verification of an unwilling supplier, and the internal ability to undertake and assess candidate cloud storage service providers in this way. It's not reasonable to suggest that SMEs and consumers should all do the same thing, but verification facilities should be made available to them, so that they can if they wish.