|By Tim Negris||
|November 30, 2010 07:00 AM EST||
Last month, in an article titled, Tiny Company Solves Giant Problem in Cloud-Based Document Management, I wrote about CloudPointe and their unique approach to addressing the perils of cloud-based document management. I looked at how nearly all cloud services that handle documents, media files, and other forms of data suffer from a common weakness: they force customers to entrust their data assets to the cloud service provider and in so doing take on several big, largely unacknowledged risks.
If my article were not enough to draw sufficient attention to this issue, there is an exhaustive new study out that should give enormous pause to organizations considering or already using public cloud services, especially for storing data and documents. The research was conducted by The Centre for Commercial Law Studies at Queen Mary, University of London and it examines the "Ts&Cs" in the service agreements from a who's who of cloud service providers, from Akamai to Zoho.
The survey covers many different aspects of the agreements, including things like jurisdiction, fair use, arbitration, etc., and it finds many troubling details and patterns that lead the authors to conclude:
"The main lesson to be drawn from the Cloud Legal Project's survey is that customers should review the Terms and Conditions of a Cloud service carefully before signing up to it."
Even after signing cloud services agreements, though, the survey shows that, to be as safe as possible, customers should review them again and again. In the words of one of the researchers,
"Perhaps the most disconcerting discovery of the Cloud Legal Project's survey was that many Cloud providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web. In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes."
Yikes! That makes those slippery packaged software EULAs from pre-cloud days seem like a blood oath by comparison.
Not surprisingly, the survey devotes the most attention to clauses governing data integrity, preservation, disclosure, and location/transfer, and what it finds there is pretty ugly too.
After acknowledging the natural customer concerns that data placed in a provider's cloud be kept secure against loss, corruption, theft, and unauthorized disclosure, the research report says,
"Our survey found however that most providers not only avoided giving undertakings in respect of data integrity but actually disclaimed liability for it.
"The majority of providers surveyed expressly include terms in their T&C making it clear that ultimate responsibility for preserving the confidentiality and integrity of the data lies with the customer."
Most of the providers' agreements explicitly counsel customers to encrypt their data and to make separate backup arrangements - even in some cases where the service is backup!
To give credit where it is due, though, in this and a number of the research's other dire findings, Salesforce CRM stands out as a paragon of virtue. As with only a few other vendors, it's contract acknowledges the company's responsibility in safeguarding customers' data.
When a company or consumer entrusts its data to a cloud service they should consider provision in the agreement governing what happens to it in the event the contract is terminated. Can they easily retrieve and transfer the data and will it then be fully deleted from the provider's infrastructure?
The survey shows that most providers fall into one of three categories in this regard.
The providers in one group assert that they will preserve customer data for a set period of time, ranging from 30 days to 3, after the customer terminates their contract. During this grace period, sometimes for an extra charge, the customer can access and off-load the data and at its end the data will be deleted.
The second group of providers asserts that customer data will be deleted immediately when the agreement is terminated. Apple's MobileMe service is in this category and its service agreement dryly states,
"Upon termination of your account you lose all access to the Service and any portions thereof, including, but not limited to, your Member Account (any Subaccounts thereunder), Subscriber ID, email account, iDisk, domains, iChat account and MobileMe Gallery albums. In addition, Apple shall delete all information and data stored in or as a part of your account(s) including, but not limited to, data files, email, albums and preferences."
The survey authors rightly point out how this begs the question of what happens in the event that a court later finds that they termination of the contract was ineffective. They conclude that the service providers in this group may be opening themselves up to civil or criminal liability in some jurisdictions.
Providers in the third group blend conditions found in the first two, acknowledging no obligation to preserve data after a contract has been terminated but also allowing, at their own discretion, an access grace period and/or taking no steps to delete the data at any particular time.
In many cases, though, while providers may not assure that they will keep the data for a grace period or longer, they also do not assure that the data will in fact be deleted, after the grace period or otherwise.
This means that, unless the customer explicitly deletes it after offloading a copy, it may remain in the provider's storage infrastructure for who knows how long. And, for that matter, given the various kinds of redundancy built into many clouds, even if the customer deletes, it that may not mean that it is really gone.
Regarding the potential disclosure of customer data to third parties as in the event of a court order or request from law enforcement officials, the survey found the providers to be all over the place. They ranged from doing it without notice at their own discretion at one extreme to giving warning or seeking approval at the other.
For example, the now-defunct G.ho.st service stated that it would disclose customer information if it believed that it would protect its own interest by doing so, and the still-in-business ADrive puts it this way:
"You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability."
At the other extreme is Salesforce CRM, once again taking the high road. They assure that, unless it is legally prohibited, the customer will be given advance notice of any requested disclosure, and that Saleforce will also assist the customer in opposing such orders. Now, that's what I call "customer advocacy"!
Data Location / Transfer
Many cloud service providers employ multiple, sometimes numerous data centers in different geographic locations to serve their customers. This has led to a variety of legal concerns about customers' data being stored or processed in and across potentially unknown or unregulated jurisdictions.
The EU Data Protection regime does provide strong measures to keep cloud-based data within Europe and certain data, like personal information, within specific countries. But, even in the EU, in-flight data is still at some risk. And, in the US, where the "long-arm" statutes are considerably looser, and in other places, where there are few or no laws as all to govern where and how data is kept and protected, all bets are off.
So, all in all, concerns about privacy and security in relation to data location and transfer are manifest and important to customers, leading the researchers to observe,
"Perhaps surprisingly, given the prominence often attached to these issues, few of the providers surveyed actually undertake to store data in a particular location or zone. [...] Indeed, for the 31 sets of T&C reviewed, 15 made no mention of data location or transit protection whatsoever."
The findings of the research concerning data transfer were similar to those for data location. After acknowledging the international nature of cloud computing and how it means that customer data will usually be transferred between different infrastructure segments over the internet, the report observes,
"Furthermore, if (as many larger Cloud providers do) the provider has multiple data centres, then, unless the provider has built or leased its own secure network and facilities, transfers between data centres may well also be over Internet connections. Several providers (for example, 37Signals, UKFast) caution in their T&C that customer data may be transferred unencrypted over inherently insecure networks in such a manner."
Losing My Religion
Cloud computing, especially public cloud computing, has many potential benefits but is not without its weaknesses; and, those weaknesses tend to fall into two categories.
There are issues that vendors and customers both readily acknowledge and are working hard to address. The need for better access security and more management automation fall into this category and will likely be fixed by incremental technical improvements and new products that address them.
Then, there are issues like the subject of this article. They are ones with little consensus, where most providers are either defiant or in denial, most customers are uninformed or un-empowered, and hardly anybody recognizes that the problem may stem from flawed fundamentals.
Most cloud service providers and most of their customers might find it patent heresy to question the soundness of the idea of putting data and documents into the cloud. After all, for many that is the very purpose of the cloud, full stop. If you take back the information assets and put them on a disk array that you own and control, what is left?
There is a lot left, actually. There is a processing and communications fabric to which most cloud benefits still accrue, and to a greater degree than they do for the comparative commodity of data storage.
The reason the data is in the cloud by default is not because that makes the most sense. It is because Fibre Channel, Infiniband, and other schemes for directly connecting disks to processors are way faster than those for connecting the nodes of a wide area network. If that were not true, would everyone still think that the data belongs in the cloud? I doubt it.
Vendor lock-in, regulatory compliance, privacy, and security are the greatest customer concerns about the public cloud and they are all made considerably worse by the requirement that information assets be placed in the cloud.
CloudPointe already makes a strong case for taking back the documents and files. WAN connection speeds and the way such information assets are used are both very amenable to sending them through the cloud but not keeping them there. It may just be a matter of time before improved connection speeds and more advanced distributed database technology allow the same possibilities for other kinds of data.
Sematext is a globally distributed organization that builds innovative Cloud and On Premises solutions for performance monitoring, alerting and anomaly detection (SPM), log management and analytics (Logsene), and search analytics (SSA). We also provide Search and Big Data consulting services and offer 24/7 production support for Solr and Elasticsearch.
May. 7, 2015 05:30 AM EDT Reads: 1,928
What exactly is a cognitive application? In her session at 16th Cloud Expo, Ashley Hathaway, Product Manager at IBM Watson, will look at the services being offered by the IBM Watson Developer Cloud and what that means for developers and Big Data. She'll explore how IBM Watson and its partnerships will continue to grow and help define what it means to be a cognitive service, as well as take a look at the offerings on Bluemix. She will also check out how Watson and the Alchemy API team up to off...
May. 7, 2015 05:15 AM EDT Reads: 2,388
Plutora provides enterprise release management and test environment SaaS solutions to clients in North America, Europe and Asia Pacific. Leading companies across a variety of industries, including financial services, telecommunications, retail, pharmaceutical and media, rely on Plutora's SaaS solutions to orchestrate releases and environments faster and with integrity. Products include Plutora Release Manager, Plutora Test Environment Manager and Plutora Deployment Manager.
May. 7, 2015 05:15 AM EDT Reads: 2,031
WSM International has launched a DevOps services division that offers assessment, consulting and implementation to large enterprises and organizations with complex infrastructures. The concept of DevOps is to blend information technology (IT) software development with operations to optimize the computing infrastructure according to the specific needs of the organization. According to a recent press release from Gartner, "By 2016, DevOps will evolve from a niche strategy employed by large cloud ...
May. 7, 2015 05:00 AM EDT Reads: 2,065
SYS-CON Events announced today that Site24x7, the cloud infrastructure monitoring service, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Site24x7 is a cloud infrastructure monitoring service that helps monitor the uptime and performance of websites, online applications, servers, mobile websites and custom APIs. The monitoring is done from 50+ locations across the world and from various wireless carr...
May. 7, 2015 05:00 AM EDT Reads: 2,634
WSM International is launching a DevOps services division that offers assessment, consulting and implementation to large enterprises and organizations with complex infrastructures. This is the first independent services company to create a dedicated practice to help organizations looking to transition to the DevOps model. The concept of DevOps is to blend information technology (IT) software development with operations to optimize the computing infrastructure according to the specific needs of ...
May. 7, 2015 05:00 AM EDT Reads: 1,818
Cloud is not a commodity. And no matter what you call it, computing doesn’t come out of the sky. It comes from physical hardware inside brick and mortar facilities connected by hundreds of miles of networking cable. And no two clouds are built the same way. SoftLayer gives you the highest performing cloud infrastructure available. One platform that takes data centers around the world that are full of the widest range of cloud computing options, and then integrates and automates everything. J...
May. 7, 2015 04:45 AM EDT Reads: 2,145
SYS-CON Events announced today that FierceDevOps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. FierceDevOps keeps software developers and IT operations personnel updated on the latest news and trends around the rapidly evolving role of the traditional IT worker.
May. 7, 2015 04:30 AM EDT Reads: 2,607
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
May. 7, 2015 04:30 AM EDT Reads: 2,245
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud....
May. 7, 2015 04:15 AM EDT Reads: 2,672
SYS-CON Media announced today that 9 out of 10 " most read" DevOps articles are published by @DevOpsSummit Blog. Launched in October 2014, @DevOpsSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dy...
May. 7, 2015 04:15 AM EDT Reads: 3,174
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading in...
May. 7, 2015 04:15 AM EDT Reads: 1,067
15th Cloud Expo, which took place Nov. 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, expanded the conference content of @ThingsExpo, Big Data Expo, and DevOps Summit to include two developer events. IBM held a Bluemix Developer Playground on November 5 and ElasticBox held a Hackathon on November 6. Both events took place on the expo floor. The Bluemix Developer Playground, for developers of all levels, highlighted the ease of use of Bluemix, its services and functionalit...
May. 7, 2015 04:00 AM EDT Reads: 5,069
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Thi...
May. 7, 2015 04:00 AM EDT Reads: 2,642
Since 2008 and for the first time in history, more than half of humans live in urban areas, urging cities to become “smart.” Today, cities can leverage the wide availability of smartphones combined with new technologies such as Beacons or NFC to connect their urban furniture and environment to create citizen-first services that improve transportation, way-finding and information delivery. In her session at @ThingsExpo, Laetitia Gazel-Anthoine, CEO of Connecthings, will focus on successful use c...
May. 7, 2015 04:00 AM EDT Reads: 3,964
SYS-CON Events announced today that Vicom Computer Services, Inc., a provider of technology and service solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. They are located at booth #427. Vicom Computer Services, Inc. is a progressive leader in the technology industry for over 30 years. Headquartered in the NY Metropolitan area. Vicom provides products and services based on today’s requirements...
May. 7, 2015 04:00 AM EDT Reads: 2,621
"Our premise is Docker is not enough. That's not a bad thing - we actually love Docker. At ActiveState all our products are based on open source technology and Docker is an up-and-coming piece of open source technology," explained Bart Copeland, President & CEO of ActiveState Software, in this SYS-CON.tv interview at DevOps Summit at Cloud Expo®, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
May. 7, 2015 03:45 AM EDT Reads: 5,150
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
May. 7, 2015 03:45 AM EDT Reads: 2,942
SYS-CON Events announced today that Plutora, Inc., the leading global provider of enterprise release management and test environment management SaaS solutions, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Headquartered in Mountain View, California, Plutora provides enterprise release management and test environment SaaS solutions to clients in North America, Europe and Asia Pacific. Leading companies ...
May. 7, 2015 03:45 AM EDT Reads: 2,494
SYS-CON Events announced today that Open Data Centers (ODC), a carrier-neutral colocation provider, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Open Data Centers is a carrier-neutral data center operator in New Jersey and New York City offering alternative connectivity options for carriers, service providers and enterprise customers.
May. 7, 2015 03:30 AM EDT Reads: 3,441