Discussing with industry colleagues the other day, I got challenged when I pointed out cloud services were lacking transparency. I actually realized that my statement was probably too broad as private clouds remain under the responsibility of their owners. So let me restate this a little more clearly, focusing on public cloud services, and let me describe what I mean.
Beyond IaaS, cloud services often require a “supply chain” to deliver the service. Indeed, the company advertising a service may rely on other companies to provide the infrastructure, some service functionality included in the service etc. To quote a well published example, Apple ‘s I-Cloud seems to use Amazon and Microsoft Azure services. How do we know that, because some curious journalist investigated the web addresses used when accessing the I-Cloud service.
When, last April, Amazon EC2 went down, people tracked the companies that got problems. The list can be found here. I did not check them all, but none of the ones I checked have any mention they run on Amazon EC2.
This is the tip of the iceberg, the facts we can trace. But this means in practice there is NO way at the moment to know who is actually participating in the delivery of a public cloud service. There is no obligation of transparency in the delivery.
You remember, a couple years ago, the T-Mobile/Microsoft/Danger data loss? It may not have been a cloud computing issue, but rather a failure to follow standard IT processes. But frankly, this does not matter. It demonstrates that the service is as well managed and secured as its weakest link. The issue? We have no way to assess that weakest link as we have no visibility in who is participating in the delivery of the service.
And I could continue this way. Now, you will tell me these are services developed for consumers, not for enterprises. And as 90+% of services are developed for consumers and SMB’s you are probably right. However, the boundaries are blurring between consumers and enterprises for two reasons. The first is that business people, not receiving appropriate service from their IT department, increasingly use external services (including facebook, dropbox, yousendit etc.) We call this “shadow IT”.
The second is that a new generation, known as the millennial generation, enters the workforce. They are very familiar with IT and use it all the time to stay connected with friends and family. They expect the same in their work environment and do not understand why they need to use other tools for work than for private life.
On top of that an increasing amount of “free” services, originally developed for consumers, are moving up the stack, delivering “premium” services to businesses. Both often run on the same platform and use the same environments.
But what are the dangers of this lack of transparency. In my mind they are twofold. On the one hand, we have no visibility of the processes and procedures used by the players in the service supply chain. So, for example, what are the levels of security guaranteed by each of the partners? But also what are the guarantees at the integration points between the partners. How are duties distributed, and are all aspects addressed?
The second element has to do with the location of data and its association with the now well-known Patriot Act. Where does my data resides? Let me take a simple example. YouSendIt runs two datacenters in the US and now has a brand new location in the UK. But where will my data actually be located? There is no way to point out you want your data in a particular geography.
I understand from talking to some lawyers of American IT companies the Patriot Act may in essence not be that different from criminal legislation in other parts of the world, but as pointed out by ZDNet in their series on the subject, it is, in my knowledge, the only legislation that applies outside the boundaries of the initiating country without interaction with country jurisdiction. At the moment no Patriot Act related case has been brought in front of justice, so no case law has been established yet.
So, how could we address these issues and provide the user of services with the appropriate information to allow him/her to decide what service to use with a full understanding of the implications.
I would make following suggestions:
- At the minimum, obligation to include in the description of the service, the name of all players in the service supply chain
- Ideally, provide the user with an objective assessment of the quality of the processes and procedures established for delivering the service. This should include security, redundancy, disaster recovery and data location at least. This could be done through formal certification, through a categorization of levels (eg. Star system) or any other appropriate mean. The objective is to allow the user to quickly and easily understand what he/she is actually getting.
As far as the Patriot Act is concerned, I would also urge the European Union to make a clear statement as how enterprises can be compliant with both the EU Privacy Laws and the Patriot Act. There is a feeling of uncertainty in the market at the moment and that does not help the business.