Cloud storage tools and the impact of security breaches, data sovereignty and the Patriot Act

Vendors claim cloud storage offers a range of benefits to organisations, including cost savings and increased flexibility. But with things like security breaches, data sovereignty and the US Patriot Act breeding doubt in customers’ minds, the future of cloud storage is not certain.

“The cloud” has become one of the most used (perhaps overused) terms in IT discussions today. Vendors and service providers love to explain how the various forms of cloud computing can free your workers from the chains of their desktops, free up the time of your IT staff, and allow you to move your IT spending from CAPEX to OPEX.

Public cloud storage tools - remote storage, usually accessed via the internet, paid for in an on-demand fashion - have been available for some years now. Broadly speaking, they all offer remote data storage, are (usually) accessed via the internet and are paid for in an on-demand fashion.

The various tools have naturally fallen into a couple of categories and use cases for the different varieties of cloud storage have become evident.

Use cases

While these tools all have the broad strokes in common, they tend to fall into one of two distinct categories, differentiated by the complexity of the services surrounding the storage itself. Each category lends itself to specific use cases.

Tools in the first category are simple remote storage, with very little in the way of features or services surrounding that, and are often referred to as ‘dumb’ cloud storage. These services really only consists of storage located in some remote data centre, and not much else - it’s just a place to store your files that isn’t your office. Customers typically access the storage they’re renting via an API.

Examples include Amazon S3, Ninefold’s Cloud Storage and Rackspace’s Cloud Files.

Given that it’s essentially just a remote dumping ground for your data, this dumb service lends itself to less cerebral storage tasks, like simple backup.

It’s commonly accepted that good backup practice involves storing your backups in a different location to your primary storage. After all, backing up your business’s data to a NAS inside your own office is no good if a fire rips through your office, destroying both the backup along with the primary copy of your data. Dumb cloud storage offers a relatively easy way to back up your company’s precious data to a remote location, without the need for ferrying tapes around the place.

Clive Gold, Marketing CTO at EMC, which provides hardware to cloud storage providers, says there are “a lot of organisations who want an off-site backup, who’ve recognised the ‘tape and truck’ is dead and gone, but they don’t have a substantially secure and reliable second site” who are using dumb storage in this way.

Dumb cloud storage can also help with recovery after a disaster. If such a calamity does wipe out your primary storage, it’s a relatively simple matter to transfer the backup from the cloud back to your new machines.

This sort of storage has applications for content distribution. “eBay is a big user of that. Whenever anybody uploads a photo, it’s stored on that sort of infrastructure,” says Gold.

But according to Dr Kevin McIsaac, analyst at Australian firm IBRS, this category of dumb cloud isn’t all that exciting for most organisations.

“The whole idea about backing up to the cloud - I hear about it from the vendors but nobody’s asking me about it. Vendors are all very excited about it - I don’t get a strong sense of that from my clients,” he says.

He says that there are “some” small and “some” big customers using the technology, but “it’s a niche”.

“The idea of a cloud storage infrastructure that you generically leverage like you leverage a SAN - I don’t see it [happening now or taking off in the future].”

This is because plain storage itself isn’t all that useful. “For large volumes of data, you want to have your compute next to your data.”

As for using dumb cloud storage for backup purposes, it’s hard to find a cloud service that offers a better value proposition than simple tape backup.

“I don’t know that the [dumb cloud storage] prices are that competitive. Tape libraries these days are pretty darn cheap. And if you have two data centres, backing up from one to a tape library in the other is about the cheapest way you’ll ever do a backup.

“On the other hand, if you’re a small organisation and you don’t have that stuff, well, why do you have your infrastructure anyway? Get somebody else to run it and get them to worry about that.

“There are use cases for it, but it’s not a broad use case,” McIsaac says.

A smarter option

The second category of public cloud storage comes in the form of collaboration tools. While dumb cloud storage is simply some space for your data in a remote data centre, tools in the second category include a bunch of features around that basic storage, to help workers collaborate. The most famous example of this category comes in the form of consumer tool DropBox.

Users typically download and install a local client, which presents the remote storage as a local directory on the user’s machine. Multiple users across the organisation can each treat it much like they would a local folder, creating and editing files within it, without having to know anything about how it all works.

These tools typically allow users to access previous versions of files saved on the shared drive and include functionality to allow sharing of files with people in or outside of the organisation. They also usually offer a web interface, allowing access to the remote data even on machines that do not have the software installed.

In fact, these collaboration tools are so popular among consumers that they’re starting to bring them into the workplace themselves, using them without the knowledge of IT management. Given the potential for these tools to lead to a data leakage, this causes concern for CIOs and IT managers.

So these enterprise-grade collaboration tools add in the extra features that make CIOs and IT managers happy.

“It gives the best of both worlds. It gives the users the freedom they want, but it gives the CTO some measure of control around versioning, security and monitoring,” says Peter James, Chairman and co-founder of Australian cloud service provider Ninefold.

Both Ninefold and Rackspace offer these enterprise-grade Dropbox alternatives, imaginatively named Ninefold Cloud Drive and Rackspace Cloud Drive.

According to IBRS’s McIsaac, these cloud-based collaboration tools offer a much more interesting proposition for businesses than dumb cloud storage.

“It is storage, but what it really does is serve a really specific purpose, about how to make sure the files I need are available where I need them. It’s not really about ‘storage in the cloud’, it’s about synchronising data across multiple platforms,” he says.

IBRS, itself a small businesses comprising several analysts that work in their own environs, makes use of several such cloud-based collaboration tools, including Sugarsync and Google Drive.

Causes for concern

While these tools may offer increased utility or productivity, many businesses still baulk at trusting an outside organisation with sensitive business data. Given that security breaches at large organisations are making headlines more and more frequently, and given that small hosting companies have had wide-scale breaches recently, concerns about such data breaches seem fair enough.

But according to IBRS’s McIsaac, large cloud organisations typically have environments that are more secure than those small companies that experienced breaches.

“If you go to a larger-scale, more professional organisation - like Google, or Microsoft, or Fujitsu, or Telstra - would they have a better environment? Yes, I believe they would. Would it be bulletproof? No, probably not. But they’d have more robust processes and such,” he says.

“What’s required is for the vendors to have standards, or you actually have an audibility clause in your contract. So a third party will actually audit the processes [of the cloud provider] up front, and then ongoing, and give you an opinion about whether or not the processes are sufficient to meet the security or availability guarantees that they make.”

Of all the concerns customers have about cloud storage, data sovereignty is far and away the one most talked about and the one that receives the most press. But opinion is mixed on how relevant it really is.

In simple terms, ‘data sovereignty’ refers to the idea that any data is subject to the laws of the country in which it is stored. So, the idea goes, if you upload a bunch of documents to a data centre located in China, that data is now in the jurisdiction of Chinese law and could potentially be seized by Chinese authorities, should they be allowed to under Chinese law, and should they have reason to look at it.

This would not be the case, the theory says, if you’d kept that data on a hard drive in your organisation’s Australian head office.

Beyond that, the theory says that if the company that stores your data for you is based in another country, your data is again subject to that country’s laws - even if it’s stored in a data centre in your own country.

Much of the noise regarding data sovereignty surrounds the US Patriot Act, an Act of the US Congress that was signed into law less than two months after the September 11 terrorist attacks, ostensibly to give US authorities greater power to fight terrorism.

These extra powers make it easier for US law enforcement agencies to extract information from American companies. The bottom line is, if American federal agencies want access to your data for some reason, the Patriot Act makes it even easier for them to get it.

Ninefold’s James stresses the importance of data sovereignty.

“We are Australian owned, as a business, and we are subject only to Australian law. We have all of our data, all of our equipment, based here in Australia. So the data is subject to Australian jurisdiction in terms of the data sovereignty,” says James.

This is important “particularly if you have data that is sensitive, and that could be government data, it could be educational, it could be financial or personal data”.

“If a business has any concerns about where its data could finish up, then it should have its data stored in a data centre that is in Australia, managed and owned by a company that is Australian. That’s the purest and safest way of ensuring that you know where your data is, and who has access to it, both physically and by law,” he says.

However, EMC’s Gold suggests that even if a service provider were ordered to hand over a customer’s data to any third party, this data would be meaningless without the keys to unlock it, which, if the cloud provider is set up in the most secure fashion, they would not have. Only the customer would have that ability, as only the customer should have the relevant encryption keys.

“With encryption, the digital rights management and the information controls that we have as part of our security suite, we can have a cloud provider who cannot get access to your data, no matter what,” Gold says. “Practically, it’s impossible.”

Rackspace, a US-based cloud provider whose data centres are located in the US, UK and Hong Kong, says the Patriot Act itself is nothing particularly special.

“It is something that’s standard in every country. It’s law enforcement. If you’re breaking the law, or suspected of breaking the law, any government has the ability to serve a court order, or to request another government that they have a legal enforcement treaty with to serve a court order, to get a hold of that [data],” says Mark Randall, Country Manager for Australia and New Zealand, Rackspace.

“If you are suspected of breaking the law, and the government had a reasonable case against you, then, if they wanted to get hold of your data, it really wouldn’t matter who you were hosting with or which country you were hosting [in],” he says.

IBRS’s McIsaac says: “Quite frankly, if an American company wants your data, they go to the Australian courts, and the Australian courts end up coming and taking the data. Or, if it’s an Australian company, ASIC will.”

In any case, he says, the data sovereignty debate is the wrong argument to have. Instead, consider the difference between security (the chance that your data is leaked to a law enforcement organisation) and risk (the damage to your company should such a leak occur).

In other words, assess the potential damage of having foreign governments combing through your data and weigh that against the benefits of offshore hosting (which may include price).

“Do a risk/cost benefit trade-off. So there’s a very small risk that that data will be made publicly available. What if I could [use cloud storage] in a much better service, at a much lower cost, would the business be willing to have that trade-off? In most instances, the business would say yes, depending on the data,” he says.

Remember: Voice+Data is not a lawyer! If you’re concerned about foreign entities (including governments) pawing through your data, you should obtain legal advice from an actual legal expert.