Breaking The Cloud Storage Security Taboo

Get over your fears of cloud storage, says Peter Judge. You are using it already.

Cloud storage is obvious and inevitable, but it is a big taboo for businesses. That taboo is about to be broken big time, by the simple admission of the fact that we all use it.

Hordes of individual users casually place files and share them in Dropbox or similar services, and they choose cloud mail providers such as Gmail and Hotmail, based on how much storage they offer in the form of a big email archive. Organisations are happy to adopt cloud services such as Salesforce, which clearly – like any application – use storage.

So cloud storage is already in use. And if they start to use it more consciously, organisations can get real benefits. At least, that was the conclusion of the panel I chaired a week or two back – Cloud Storage: Determining Its Worth – which is available for you to listen to.

Cloud storage for beginners

First of all, what is cloud storage? According to Ben Woo of the Neuralytix consultancy, cloud storage is “any capacity, hosted somewhere outside your organisation”.

The big advantage is it can be elastic, said Alex McDonald of NetApp’s CTO office, and an SNIA member. Instead of assigning a fixed storage device for a service (or maintaining an internal data pool with enough overhead), cloud customers can simply pay for what they use and change it quickly.

Underneath the service, there is block storage, said Hillel Kolodner of IBM’s research lab in Haifa. All the advanced capabilities of file systems – both on single systems and on the cloud – are abstractions on top of that. What service providers and their customers have to do, is ensure that these abstractions provide the technical and business functions that are needed.

The security myth

Security gets to the heart of the taboo on cloud storage. Half the audience of the webcast felt that security was the biggest barrier to using cloud storage, but the panellists completely and utterly disagreed. They felt most problems were either solved, were variations of problems you already face in your internal systems, or never existed in the first place.

Fears about cloud storage date back to older shared services, and they are over-stated, McDonald said: “Multi-tenancy is the goal of most people’s security dreams. They want to share a resource, but give no one else any access to their data. I have yet to come across a case of insecure multi-tenancy.”

There have been worries that “dirty disks” used by cloud providers might be a security risk – incompletely deleted data might be available to read by subsequent users of that storage space, but this can be guarded against, the panellists agreed.

The paranoid might encrypt their data, but there is a risk if that data is used in the cloud, because data has to be decrypted before it can be accessed. However, encryption can provide a good means of secure destruction of data. If you can be sure you have deleted the only copies of the key, you know your data is gone for good.

In fact, so-called security fears may just be an excuse to avoid having to make the changes that cloud services might require. “Security has been used by a lot of IT managers and CIOs as a quick way to finish the conversation,” he said, but warned that this tactic will not work much longer, as perceptions of cloud security are changing – and anyone playing this card who uses cloud email could be seen as a hypocrite : “That train has absolutely left the station.”

Get it in writing

In the end, the benefits of flexibility and efficiency will drive organisations to the cloud, along with the fact that we are all doing it anyway. However, procedures will have to catch up with the practice. As with all IT issues, the move to cloud changes technical decisions into questions that involve contracts and service level agreements.

Storage, above all, needs some contractual care, so that you know you can get your data back, and your provider does nothing with it that you do not sanction. And the contract has to cover eventualities that you might not foresee, and which might never happen with internal data.

What happens if your data is on a disk which is impounded by the authorities under a subpoena that applies to a different tenant in the shared service? You may need to have words with your provider about how that situation would be handled.

International rules apply – and the European Union rules will limit where you can store your data. However, providers such as Google and Amazon are well up on this, and claim to offer geographically-specific services. In the US, the Patriot Act places limits on what you can do with your data, and requires you to have external auditability.

All this means that cloud storage has real value – and that value will ensure that the problems get solved, even if they are only problems in user perception.

“There are problems which haven’t been solved generally, but if you are a big enough customer they can be solved for you,” said Kolodner.

How well do you know the cloud? Take our quiz!

Read also : LastPass Owner GoTo Confirms Hackers Stole Customers’ Backups