Click here to close now.

Welcome!

CloudExpo® Blog Authors: Pat Romanski, JP Morgenthal, John Wetherill, Elizabeth White, Ian Goldsmith

Related Topics: Server Monitoring, CloudExpo® Blog

Server Monitoring: Article

Data Danger Lurking in Public Cloud Contracts

Providers Protect Themselves - Your Data, Not So Much

Last month, in an article titled, Tiny Company Solves Giant Problem in Cloud-Based Document Management, I wrote about CloudPointe and their unique approach to addressing the perils of cloud-based document management.  I looked at how nearly all cloud services that handle documents, media files, and other forms of data suffer from a common weakness:  they force customers to entrust their data assets to the cloud service provider and in so doing take on several big, largely unacknowledged risks.

If my article were not enough to draw sufficient attention to this issue, there is an exhaustive new study out that should give enormous pause to organizations considering or already using public cloud services, especially for storing data and documents.  The research was conducted by The Centre for Commercial Law Studies at Queen Mary, University of London and it examines the "Ts&Cs" in the service agreements from a who's who of cloud service providers, from Akamai to Zoho.

The survey covers many different aspects of the agreements, including things like jurisdiction, fair use, arbitration, etc., and it finds many troubling details and patterns that lead the authors to conclude:

"The main lesson to be drawn from the Cloud Legal Project's survey is that customers should review the Terms and Conditions of a Cloud service carefully before signing up to it."

Even after signing cloud services agreements, though, the survey shows that, to be as safe as possible, customers should review them again and again.  In the words of one of the researchers,

"Perhaps the most disconcerting discovery of the Cloud Legal Project's survey was that many Cloud providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web.  In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes."

Yikes!  That makes those slippery packaged software EULAs from pre-cloud days seem like a blood oath by comparison.

Not surprisingly, the survey devotes the most attention to clauses governing data integrity, preservation, disclosure, and location/transfer, and what it finds there is pretty ugly too.

Data Integrity

After acknowledging the natural customer concerns that data placed in a provider's cloud be kept secure against loss, corruption, theft, and unauthorized disclosure, the research report says,

"Our survey found however that most providers not only avoided giving undertakings in respect of data integrity but actually disclaimed liability for it.

"The majority of providers surveyed expressly include terms in their T&C making it clear that ultimate responsibility for preserving the confidentiality and integrity of the data lies with the customer."

Most of the providers' agreements explicitly counsel customers to encrypt their data and to make separate backup arrangements - even in some cases where the service is backup!

To give credit where it is due, though, in this and a number of the research's other dire findings, Salesforce CRM stands out as a paragon of virtue.  As with only a few other vendors, it's contract acknowledges the company's responsibility in safeguarding customers' data.

Data Preservation

When a company or consumer entrusts its data to a cloud service they should consider provision in the agreement governing what happens to it in the event the contract is terminated.  Can they easily retrieve and transfer the data and will it then be fully deleted from the provider's infrastructure?

The survey shows that most providers fall into one of three categories in this regard.

The providers in one group assert that they will preserve customer data for a set period of time, ranging from 30 days to 3, after the customer terminates their contract.  During this grace period, sometimes for an extra charge, the customer can access and off-load the data and at its end the data will be deleted.

The second group of providers asserts that customer data will be deleted immediately when the agreement is terminated.  Apple's MobileMe service is in this category and its service agreement dryly states,

"Upon termination of your account you lose all access to the Service and any portions thereof, including, but not limited to, your Member Account (any Subaccounts thereunder), Subscriber ID, email account, iDisk, domains, iChat account and MobileMe Gallery albums. In addition, Apple shall delete all information and data stored in or as a part of your account(s) including, but not limited to, data files, email, albums and preferences."

The survey authors rightly point out how this begs the question of what happens in the event that a court later finds that they termination of the contract was ineffective.  They conclude that the service providers in this group may be opening themselves up to civil or criminal liability in some jurisdictions.

Providers in the third group blend conditions found in the first two, acknowledging no obligation to preserve data after a contract has been terminated but also allowing, at their own discretion, an access grace period and/or taking no steps to delete the data at any particular time.

In many cases, though, while providers may not assure that they will keep the data for a grace period or longer, they also do not assure that the data will in fact be deleted, after the grace period or otherwise.

This means that, unless the customer explicitly deletes it after offloading a copy, it may remain in the provider's storage infrastructure for who knows how long.  And, for that matter, given the various kinds of redundancy built into many clouds, even if the customer deletes, it that may not mean that it is really gone.

Data Disclosure

Regarding the potential disclosure of customer data to third parties as in the event of a court order or request from law enforcement officials, the survey found the providers to be all over the place.  They ranged from doing it without notice at their own discretion at one extreme to giving warning or seeking approval at the other.

For example, the now-defunct G.ho.st service stated that it would disclose customer information if it believed that it would protect its own interest by doing so, and the still-in-business ADrive puts it this way:

"You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability."

At the other extreme is Salesforce CRM, once again taking the high road.  They assure that, unless it is legally prohibited, the customer will be given advance notice of any requested disclosure, and that Saleforce will also assist the customer in opposing such orders.  Now, that's what I call "customer advocacy"!

Data Location / Transfer

Many cloud service providers employ multiple, sometimes numerous data centers in different geographic locations to serve their customers.  This has led to a variety of legal concerns about customers' data being stored or processed in and across potentially unknown or unregulated jurisdictions.

The EU Data Protection regime does provide strong measures to keep cloud-based data within Europe and certain data, like personal information, within specific countries.  But, even in the EU, in-flight data is still at some risk.  And, in the US, where the "long-arm" statutes are considerably looser, and in other places, where there are few or no laws as all to govern where and how data is kept and protected, all bets are off.

So, all in all, concerns about privacy and security in relation to data location and transfer are manifest and important to customers, leading the researchers to observe,

"Perhaps surprisingly, given the prominence often attached to these issues, few of the providers surveyed actually undertake to store data in a particular location or zone. [...]  Indeed, for the 31 sets of T&C reviewed, 15 made no mention of data location or transit protection whatsoever."

The findings of the research concerning data transfer were similar to those for data location.  After acknowledging the international nature of cloud computing and how it means that customer data will usually be transferred between different infrastructure segments over the internet, the report observes,

"Furthermore, if (as many larger Cloud providers do) the provider has multiple data centres, then, unless the provider has built or leased its own secure network and facilities, transfers between data centres may well also be over Internet connections.  Several providers (for example, 37Signals, UKFast) caution in their T&C that customer data may be transferred unencrypted over inherently insecure networks in such a manner."

Losing My Religion

Cloud computing, especially public cloud computing, has many potential benefits but is not without its weaknesses; and, those weaknesses tend to fall into two categories.

There are issues that vendors and customers both readily acknowledge and are working hard to address.  The need for better access security and more management automation fall into this category and will likely be fixed by incremental technical improvements and new products that address them.

Then, there are issues like the subject of this article.  They are ones with little consensus, where most providers are either defiant or in denial, most customers are uninformed or un-empowered, and hardly anybody recognizes that the problem may stem from flawed fundamentals.

Most cloud service providers and most of their customers might find it patent heresy to question the soundness of the idea of putting data and documents into the cloud.  After all, for many that is the very purpose of the cloud, full stop.  If you take back the information assets and put them on a disk array that you own and control, what is left?

There is a lot left, actually.  There is a processing and communications fabric to which most cloud benefits still accrue, and to a greater degree than they do for the comparative commodity of data storage.

The reason the data is in the cloud by default is not because that makes the most sense.  It is because Fibre Channel, Infiniband, and other schemes for directly connecting disks to processors are way faster than those for connecting the nodes of a wide area network.  If that were not true, would everyone still think that the data belongs in the cloud?  I doubt it.

Vendor lock-in, regulatory compliance, privacy, and security are the greatest customer concerns about the public cloud and they are all made considerably worse by the requirement that information assets be placed in the cloud.

CloudPointe already makes a strong case for taking back the documents and files.  WAN connection speeds and the way such information assets are used are both very amenable to sending them through the cloud but not keeping them there.  It may just be a matter of time before improved connection speeds and more advanced distributed database technology allow the same possibilities for other kinds of data.

More Stories By Tim Negris

Tim Negris is SVP, Marketing & Sales at Yottamine Analytics, a pioneering Big Data machine learning software company. He occasionally authors software industry news analysis and insights on Ulitzer.com, is a 25-year technology industry veteran with expertise in software development, database, networking, social media, cloud computing, mobile apps, analytics, and other enabling technologies.

He is recognized for ability to rapidly translate complex technical information and concepts into compelling, actionable knowledge. He is also widely credited with coining the term and co-developing the concept of the “Thin Client” computing model while working for Larry Ellison in the early days of Oracle.

Tim has also held a variety of executive and consulting roles in a numerous start-ups, and several established companies, including Sybase, Oracle, HP, Dell, and IBM. He is a frequent contributor to a number of publications and sites, focusing on technologies and their applications, and has written a number of advanced software applications for social media, video streaming, and music education.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
Move from reactive to proactive cloud management in a heterogeneous cloud infrastructure. In his session at 16th Cloud Expo, Manoj Khabe, Innovative Solution-Focused Transformation Leader at Vicom Computer Services, Inc., will show how to replace a help desk-centric approach with an ITIL-based service model and service-centric CMDB that’s tightly integrated with an event and incident management platform. Learn how to expand the scope of operations management to service management. He will al...
There's no doubt that the Internet of Things is driving the next wave of innovation. Google has spent billions over the past few months vacuuming up companies that specialize in smart appliances and machine learning. Already, Philips light bulbs, Audi automobiles, and Samsung washers and dryers can communicate with and be controlled from mobile devices. To take advantage of the opportunities the Internet of Things brings to your business, you'll want to start preparing now.
In a world of ever-accelerating business cycles and fast-changing client expectations, the cloud increasingly serves as a growth engine and a path to new business models. Dynamic clouds enable businesses to continuously reinvent themselves, adapting their business processes, their service and software delivery and their operations to achieve speed-to-market and quick response to customer feedback. As the cloud evolves, the industry has multiple competing cloud technologies, offering on-premises ...
SYS-CON Events announced today that SUSE, a pioneer in open source software, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SUSE provides reliable, interoperable Linux, cloud infrastructure and storage solutions that give enterprises greater control and flexibility. More than 20 years of engineering excellence, exceptional service and an unrivaled partner ecosystem power the products and support that help ...
As the world moves from DevOps to NoOps, application deployment to the cloud ought to become a lot simpler. However, applications have been architected with a much tighter coupling than it needs to be which makes deployment in different environments and migration between them harder. The microservices architecture, which is the basis of many new age distributed systems such as OpenStack, Netflix and so on is at the heart of CloudFoundry – a complete developer-oriented Platform as a Service (PaaS...
T-Mobile has been transforming the wireless industry with its “Uncarrier” initiatives. Today as T-Mobile’s IT organization works to transform itself in a like manner, technical foundations built over the last couple of years are now key to their drive for more Agile delivery practices. In his session at DevOps Summit, Martin Krienke, Sr Development Manager at T-Mobile, will discuss where they started their Continuous Delivery journey, where they are today, and where they are going in an effort ...
SAP is delivering break-through innovation combined with fantastic user experience powered by the market-leading in-memory technology, SAP HANA. In his General Session at 15th Cloud Expo, Thorsten Leiduck, VP ISVs & Digital Commerce, SAP, discussed how SAP and partners provide cloud and hybrid cloud solutions as well as real-time Big Data offerings that help companies of all sizes and industries run better. SAP launched an application challenge to award the most innovative SAP HANA and SAP HANA...
There is no question that the cloud is where businesses want to host data. Until recently hypervisor virtualization was the most widely used method in cloud computing. Recently virtual containers have been gaining in popularity, and for good reason. In the debate between virtual machines and containers, the latter have been seen as the new kid on the block – and like other emerging technology have had some initial shortcomings. However, the container space has evolved drastically since coming on...
The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. The DevOps Summit at Cloud Expo – to be held June 3-5, 2015, at the Javits Center in New York City – will expand the DevOps community, enable a wide...
P2P RTC will impact the landscape of communications, shifting from traditional telephony style communications models to OTT (Over-The-Top) cloud assisted & PaaS (Platform as a Service) communication services. The P2P shift will impact many areas of our lives, from mobile communication, human interactive web services, RTC and telephony infrastructure, user federation, security and privacy implications, business costs, and scalability. In his session at @ThingsExpo, Robin Raymond, Chief Architect...
The web app is Agile. The REST API is Agile. The testing and planning are Agile. But alas, Data infrastructures certainly are not. Once an application matures, changing the shape or indexing scheme of data often forces at best a top down planning exercise and at worst includes schema changes which force downtime. The time has come for a new approach that fundamentally advances the agility of distributed data infrastructures. Come learn about a new solution to the problems faced by software orga...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at Internet of @ThingsExpo, James Kirkland, Chief Ar...
Cloud Expo, Inc. has announced today that Andi Mann returns to DevOps Summit 2015 as Conference Chair. The 4th International DevOps Summit will take place on June 9-11, 2015, at the Javits Center in New York City. "DevOps is set to be one of the most profound disruptions to hit IT in decades," said Andi Mann. "It is a natural extension of cloud computing, and I have seen both firsthand and in independent research the fantastic results DevOps delivers. So I am excited to help the great team at ...
Container technology is sending shock waves through the world of cloud computing. Heralded as the 'next big thing,' containers provide software owners a consistent way to package their software and dependencies while infrastructure operators benefit from a standard way to deploy and run them. Containers present new challenges for tracking usage due to their dynamic nature. They can also be deployed to bare metal, virtual machines and various cloud platforms. How do software owners track the usag...
CA Technologies has announced it has signed a definitive agreement to acquire Rally Software Development Corp. for $19.50 per share, which equates to approximately $480 million, net of cash acquired. The transaction has been unanimously approved by both Boards of Directors, and is expected to close in the second quarter of CA’s fiscal 2016. Based in Boulder, CO, Rally has approximately 500 employees across four continents and FY 2015 sales of $88 million. “Software applications are changing the...
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, a...
Enterprises are fast realizing the importance of integrating SaaS/Cloud applications, API and on-premises data and processes, to unleash hidden value. This webinar explores how managers can use a Microservice-centric approach to aggressively tackle the unexpected new integration challenges posed by proliferation of cloud, mobile, social and big data projects. Industry analyst and SOA expert Jason Bloomberg will strip away the hype from microservices, and clearly identify their advantages and d...
The OpenStack cloud operating system includes Trove, a database abstraction layer. Rather than applications connecting directly to a specific type of database, they connect to Trove, which in turn connects to one or more specific databases. One target database is Postgres Plus Cloud Database, which includes its own RESTful API. Trove was originally developed around MySQL, whose interfaces are significantly less complicated than those of the Postgres cloud database. In his session at 16th Cloud...
All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo, June 9-11, 2015, at the Javits Center in New York City. Learn what is going on, contribute to the discussions, and ensure that your enter...
Software Development Solution category in The 2015 American Business Awards, and will ultimately be a Gold, Silver, or Bronze Stevie® Award winner in the program. More than 3,300 nominations from organizations of all sizes and in virtually every industry were submitted this year for consideration. "We are honored to be recognized as a leader in the software development industry by the Stevie Awards judges," said Steve Brodie, CEO of Electric Cloud. "We introduced ElectricFlow and our Deploy app...