This blog was originally published on the CloudSource blog in April 2013
Over time I’ve seen a number of contradictory blog entries on the future or lack of future of private clouds.
Joe McKendrick enumerates 12 reasons why public clouds are better than private clouds, and Jonathan Gershater responds with 12 reasons why private clouds are better than public. Further research got me digging a couple other statements. In a 2010 blog entry James Hamilton points out that “Private Clouds are not the future”. Is it then public cloud?
In an article about the future of cloud, my friend John Manley is quoted stating “Cloud Computing is the final means by which computing becomes invisible”. Many read this as an endorsement of public cloud. In my mind it is definitely not public cloud as it exists today.
To make computing pervasive as Joel Birnbaum, once heading up HPLabs, called it, public cloud has to address key points not taken into account today. And those mainly turn around the management of data. Indeed, in cloud, services are transient, but data is permanent. How this data is handled will be critical for the future of cloud. Two forces have to come together. Public cloud providers have to become much more transparent so users understand where their data is located, how it is protected, who actually owns it and what happens with it.
At the same time, the political and legislative bodies need to understand what cloud means and how it makes the current legislation look archaic. The question is really how to regulate cloud computing? Here are four data aspects that need to be taken into account:
The European data protection law for example stipulates tight controls on the processing of personal data and its transfer outside the European Economic Area (EEA). As a result, public cloud providers need to become transparent as to where the data is stored and processed. The legislative bodies should review under which conditions data can be exported for processing or backed-up outside the EEA. Today data can only be exported outside the EEA if it is handled in a country that is on the European Commission’s list of countries or territories that provide adequate personal data protection. The US is not on that list; however, companies having self-certified to the Safe Harbor replacement, the Privacy Shield, are allowed to process such data. The Patriot Act and other equivalent legislation leave questions on whether your data is actually protected under safe harbor, and as a result whether you are compliant. The situation is currently unclear and leaves many questions unanswered. And don’t believe governments do not request data from service providers. Apple, Google and Microsoft regularly release information about the requests they get from law enforcement. Here is a recent update. Read for yourself and make your conclusions.
European law requires “appropriate technical and organizational measures” to be taken against unauthorized or unlawful processing of personal data (i.e. any information relating to an identified or identifiable natural person) and against accidental loss destruction of, or damage to, such data. This implies that users of public cloud should have a written agreement in place with the supplier defining how the service provider processes personal data, and in which the CSP (cloud service provider) ensures he has the appropriate technical and organizational measures in place. Public cloud providers resolve this by including in their T&Cs provisions specifically excluding liability for security of any data. But in doing so, they make their users actually breaching compliance when relying on their services to process personal data. This is a chicken and an egg problem. Now, I use the EU legislation as an example, it’s the one I know best. But other governments have similar, albeit different, legislative requirements. Ideally I’d like to see the governments to agree on a common framework of privacy data protection and have an independent body certify the public cloud providers so users know whether they adhere to the framework or not, in other words whether they can use the services from the CSP and remain compliant.
When I proposed such certification in an EU working group, I can tell you I got heavy pushback from the public cloud providers. But if they want to provide core enterprise functionality, they will need to address these aspects.
Data Protection & Security
Data remains permanently on the cloud platform. How well is it protected? Most CSPs will tell you they are secure. Some even point out public cloud data security is stronger than traditional IT. And I do not dispute that. However, I cannot verify it as no detailed documentation is available on how that security is implemented. In a recent study, researchers found Amazon S3 storage buckets unsecured. In this case Amazon did not do a mistake, but users did not flag their buckets appropriately. But did they understand the options and the implications of each option?
Data encryption provides a higher level of data security. Most CSPs secure the data using SSL connections during the transfer of the data, but most often the data is not secured when stored in the cloud. This should become the norm. It would provide users with a higher level of security.
The EU proposes a data breach notification law forcing a collection of firms across Europe would have to alert regulators when they’ve been hacked, suffered a data breach or been attacked online. This includes the cloud service providers.
Did you ever ask yourself the question who owns your data while in the cloud. Actually, data ownership becomes fuzzy in the cloud. It’s actually a mind field, so make sure you know what you are getting into. As the CNIL (French Commission Nationale de l’Informatique et des Libertés) points out in its recommendations for companies using cloud computing, data processors (in this case the CSP) act on behalf of data controllers (the client) and as such are not subject to data protection legislation. But if the data controller is not able to give instructions to the data processor joint liability is assumed. This is typically the case for public clouds. So, make sure you understand how the CSP is handling your data and review whether this is in compliance with your local laws.
The legal issues surrounding public cloud are complex and vary by country/region. I use the EU legislations as an example, but similar laws exist in other countries. When choosing a public cloud provider, make sure you ask yourself the right questions. Here is my little cloud cheat sheet. It may be helpful in your research of an appropriate CSP. A number of the public cloud service providers dance around the issue at the moment and we start seeing the first legal actions taken for breach of privacy data.
I believe there might be another way to approach this. If we base ourselves on the “service oriented world” described in my previous blog entry, we might be capable of keeping data under our own control, avoiding many of the pitfalls. I’ll talk more about this in my next blog entry.