Jeffrey I. Schiller
Networking, Security and Cavies

The Cloud: Cool and not Cool

Cloud Computing is becoming all the rage recently, and well it should. Frankly I'm a bit smitten by the possibilities offered by “cloud” services but we should still keep our eyes open. In fact this very website and blog is hosted “in the cloud,” specifically on Google's “App Engine.”

As you can fathom from reading this website, you will know that I work at MIT, building and running networks for almost 30 years. As such I am quite familiar with what is takes to run a significant infrastructure. Yet I am also a member of the Essex County Rabbit and Cavy Breeder's Association (ECRCBA). This is the epitome of a “small business.” We run three Rabbit Shows and run the Rabbit Barn during the Topsfield Fair. A few years ago I decided it would be cool if the club could have a website where people showing their rabbits could register on-line and pay their registration fee (aka $3.00 per rabbit, not a lot of money).

The ECRCBA doesn't have the resources to own a server class computer, nor take care of one. Enter “cloud” services. For less then $20/month the club can “rent” a virtual linux server and operate an Apache website. Payments can be processed via PayPal. The “cloud” provides a core service that would otherwise be beyond the resources of the ECRCBA.

So one of the key beneficiaries of cloud services is small to medium size businesses (and other organizations, ECRCBA is hardly what I would call a “business!”). So choosing to use cloud services for an organization such as the ECRCBA is a no-brainer. The alternative doesn't really exist.

However larger organizations do have alternatives and should be careful about diving into the cloud... you might just fall through and land on your head (sorry, couldn't resist!).

So what should you worry about:

1. Reliability and Durability: With a locally hosted application you have control over how carefully and redundantly you backup your data. You can adjust the amount of effort you take to protect information from loss commensurate with the value of the information. You also have control over when to upgrade capabilities and when to retire applications.

Hosted solutions do not offer this level of control. The host can decide to stop offering a service with little or no notice. If information is lost a simple "sorry" letter may be sent. This is all particularly true when the service is "free." In the end, you get what you pay for... and I doubt that IT infrastructure is any different.

2.Security and Privacy: all cloud based solutions have this as an issue, particularly against the government of wherever your data winds up being stored! Overly broad subpoenas will just not be challenged and you may never even know that your information has been perused. If a security issue results in the compromise of your information will the host even tell you? Are they obligated to?

Challenging a subpoena's costs money, will you reimburse the hosting provider for their costs? How can you if the subpoena contains a “gag” clause that prohibits them from even telling you about it? So it is just easier and cheaper to provide whatever information is requested and go on.

My favorite (non) privacy clause is at Microsoft's Health Vault site. The site goes through a lot of verbiage telling you how protected and private your information is. However there is a section of their privacy policy where they talk about under what circumstances they will peruse/reveal your information without your permission. Here is the kicker:

Microsoft may disclose personal information if required to do so by law or in the good faith belief that such action is necessary to:

1. conform to the edicts of the law or comply with legal process served on Microsoft or the Site;
2. protect and defend the rights or property of Microsoft and our family of web sites;
3. act in urgent circumstances to protect the personal safety of users of Microsoft products or members of the public.

Point (2) is the one that stands out to me. Protecting the rights and property of Microsoft trumps your privacy! Now I don't particularly want to pick on Microsoft. I suspect the same is true for other hosting providers, whether or not they disclose it in the privacy policies...

So I add a third issue to my list above:

3. Trust: Before an organization (or individual) can trust a hosting provider with critical (or even important!) business processes or personal information, the hosting provider has to demonstrate that it can be trusted with this responsibility.

Exactly how trust can be had is complicated, it involves clearly putting customer concerns front and center. Engaging with customers to ensure their issues are heard and addressed and finally demonstrating over time that they operate in a way that can be trusted. Whether any public company can do this is not clear given that a hostile takeover can completely replace management and its philosophy.

Some food for thought...