Feeds

How can the storage industry prevent cloud bursts?

Out of sight, out of mind - but not out of harm's way

Combat fraud and increase customer satisfaction

Comment If you send your data to the cloud today you might be sure of a big surprise: it could vanish. SwissDisk users know this and T-Mobile Sidekick users know that Microsoft is quite capable of losing their data, too.

Stephen Foskett is Director of Consulting at cloud storage provider Nirvanix. He writes:

Subpar offerings from flaky vendors hurt the whole industry... The truth is... not all managed storage services are created equal. In fact, lots of them are, to put it bluntly, not worth much. Many cloud backup and archiving services use bare un-protected disk drives to store data, have no redundancy built into the system, and try to scrape up every cent by using home-brewed hardware. This is especially true in the consumer space, where bargain-basement (or even free) pricing has driven a race to the bottom in terms of quality. No business should use junky consumer solutions.

That's clear enough, but his brickbats are not restricted to the consumer space:

Even service providers that presume to sell in the enterprise market often miss the mark. Forgetting the inappropriate per-month credit card billing method and laughably poor support services, many providers adamantly refuse to comply with basic corporate governance principles.

How can this be done? How can we ensure that cloud data protection isn't cloud data destruction?

Dealing with potentially poor suppliers

One approach is to expect poor quality service and deal with it. Cloud storage supplier LiveDrive’s general manager, Dominic Cross said:

I think businesses just need to be intelligent in how they use cloud storage services – as they do with any third party they deal with. A business that uses a single courier, or has no backup payment processor, or relies on just one web server, is likely to have problems along the way. Redundancy and diversification at every stage is a key business concept – and cloud storage actually helps businesses achieve that simply and cheaply by reducing the reliance on internal architecture only.

But if the cloud isn't a valid replacement for local data backup then a large part of its value goes away. So you need a safeguard.

Verification

EMC RSA's approach to the issue is to verify by inspecting the service provider. Here is a section of its documentation (pdf) on the issue:

Trust cannot be granted on the cloud provider’s reputation alone; it should be validated through thorough assessments to determine if the cloud provider needs to take additional steps to comply with the organization’s information security requirements and policies. Furthermore, performance conditions and standards must be written into SLAs and managed services agreements.

RSA goes on to talk about seeing a supplier's activity logs, understanding its audit rights and physically inspecting their data centres.

Nirvanix's Foskett is a big believer in openly available verification:

Managed services must allow auditors to verify their claims. I am a car nut, so I definitely wouldn't trust a garage who whisked my car off to an undisclosed location so unseen mechanics could work on it. I wouldn't eat at a restaurant that didn't allow the health department to inspect it. So why would I put blind faith in a managed service provider who held my critical data? Cloud vendors must perform their own security and operations audits and allow their customers to do the same. You can't pass the buck on governance: If you require SAS70 or PCI or a third-party audit, then your service providers must step up and allow it, too.

Clearly only large customers would have the clout to insist on verification of an unwilling supplier, and the internal ability to undertake and assess candidate cloud storage service providers in this way. It's not reasonable to suggest that SMEs and consumers should all do the same thing, but verification facilities should be made available to them, so that they can if they wish.

3 Big data security analytics techniques

Next page: SLA protection

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
AMD's 'Seattle' 64-bit ARM server chips now sampling, set to launch in late 2014
But they won't appear in SeaMicro Fabric Compute Systems anytime soon
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.