Discussion on Information Assurance topics, sharing approaches, best practices, new ideas, and events.
Another Cloud security article
July 18, 2009 at 10:49 am #76048
Again, I have cross-posted this to the cloud group.
Cloud storage triggers security worries
IT managers are charmed by the concept but fear giving up control of data. Here’s why.
Robert L. Mitchell
July 13, 2009 (Computerworld) Liz Devereux knows a thing or two about cloud storage. As director of IT storage and digital imaging at Banner Health, Devereux oversaw the construction of an internal 150TB storage grid. The grid delivers storage as a service to the Phoenix-based health care provider’s network of hospitals and health care facilities in seven states, which use it as a repository for radiological images. But she would never entrust that data to an external cloud service provider.
“I’m nervous about someone else controlling my data,” Devereux says.
Cloud storage offers some enticing advantages. It’s pay as you go, with no capital outlay and no need to buy extra equipment in anticipation of future storage demands. You scale storage dynamically and pay only for what you use. But you must trust your data to the cloud — and the vendor behind the service.
Few midsize or large businesses are willing to trust the cloud today, although some are experimenting. “There’s a huge amount of interest,” says Gene Ruth, an analyst at Burton Group. But, he adds, none of his firm’s Fortune 100 clients is using a cloud storage service for live data today.
It’s probably wise to proceed with caution, says James Damoulakis, chief technology officer at Glasshouse Technologies Inc., an independent IT consulting and services firm that focuses on enterprise data centers, storage and other elements of the IT infrastructure. “Cloud storage today is pretty much an early-stage concept,” he says.
Aside from a few heavyweights, like Amazon.com Inc.’s Simple Storage Service (S3) and Verizon Communications Inc.’s Online Backup and Restore service, most offerings come from small start-ups. “It’s best suited for low-priority or low-access, low-touch kinds of applications, primarily file-based as opposed to block-based,” says Damoulakis, who is a Computerworld columnist. But he says he does have clients that use services from Amazon as temporary expansion space for testbeds or marketing programs.
Joe Mildenhall, CIO at Apollo Group Inc., is taking baby steps into cloud storage. “We have a lot to lose. If we’re playing, we’re only going to play with the big guys,” he says. The Phoenix-based for-profit educational institution is using Amazon’s S3 to temporarily store papers that some of its 400,000 college students submit through the Apollo Web site.
But even with Amazon, Mildenhall will entrust only low-risk data to the cloud. For example, students can submit Word documents to the Apollo Web site, which runs the documents through a grammar-checking engine and then parks them in Amazon’s S3 storage. When a student retrieves his document, the data is purged. “The major characteristic is that it’s not very important storage to us,” Mildenhall says.
So far, the integration with S3 has worked well. But Mildenhall is still wary. “If Amazon went down for two days, my opinion would change,” he says.
Feelings of Insecurity
The most common storage-as-a-service offerings are online backup and archiving applications. Things have changed since the days of StorageNetworks, a company that couldn’t make a go of hosted backup and closed its doors in 2003. The original idea behind StorageNetworks was outsourcing — providing a service that used the same storage frames that were in the data center, says Damoulakis. Now, many cloud storage services use low-cost, commodity storage in a distributed architecture. “We’ve advanced very far in virtualization, the Internet, distributed computing and the grid concept,” he says.
Michael Peterson, president of Strategic Research Corp., launched a storage service provider in those early years and was a business and technology adviser to StorageNetworks. He says cloud storage is a very broad term that incorporates a variety of technologies and business models. For example, some service providers use distributed, commodity storage, while others might use traditional midrange or high-end storage frames. That means that it’s important to understand what you’re buying.
But there is a common theme: virtualization. “[Cloud storage] includes everything and is a virtualization model,” Peterson says. Cloud is a catalyst for change, not a technology, and as such, it will bring about broader use of virtualized practices, he predicts.
Cloud storage service offerings range from basic file-based storage infrastructure services, like Amazon’s S3, all the way up to storage-as-a-service applications. With the exception of start-up Zetta Inc., most vendors aren’t pitching the cloud for primary storage.
In the business market, remote backup has always been the real driver for cloud storage, Peterson says. Nonetheless, most large businesses remain on the sidelines.
One of the biggest concerns IT organizations have with cloud storage is data security. Many cloud storage vendors offer encryption for data in transit and at rest. Some, such as Zetta, make encryption the default setting. That’s important because in a storage cloud, your data might be on the same disks as data from other users, says Ruth. If another customer’s data is raided by the FBI, for example, could yours go with it? “The laws are not sufficient to protect innocent parties whose data is on the same equipment,” says Ruth. To address that, some vendors keep each customer’s data on a separate disk. Zetta encrypts each customer’s data with a different key.
Mildenhall says he feels confident that Amazon will be around for a while, but he still doesn’t trust that the data will be. If he were to entrust business data to Amazon’s storage service, he says he would need a mechanism to ensure that a copy of the data was replicated back to his data center. “I’m not willing to say that the copy of data in the cloud is the only copy I’ve got,” Mildenhall says.
Fear of vendor lock-in is another concern. Every storage service provider has its own proprietary APIs. In some situations, the user might also want to define metadata associated with a data set, such as aging information or security parameters. But storage service providers handle that differently as well, says Ruth. “These services shouldn’t require specially designed interfaces to make them work,” he says. Vendors are just starting to work on standards to eliminate the problem.
The lack of common APIs would create problems if a storage service provider were to suddenly shut its doors — and that’s a possibility when you’re dealing with a start-up. “Once you get in bed with a service provider, you hope to heck they’re not going to go out of business,” Ruth says.
It’s not how to get the data back that worries Manjit Singh, but whether he’d even have access to the data if the provider went belly up. “If it’s bankrupt, the creditors might just come in and take the equipment, and they don’t care what’s on it,” says Singh, vice president and CIO at Chiquita Brands International. He has yet to give cloud storage a try.
Rich Zoch is experimenting with Zetta’s storage service at the University of Texas at Austin — but not for primary storage. “It’s a great platform to offload backup archives that are encrypted,” says Zoch, senior systems administrator. But so far he has trusted the service only with dummy data. He says he plans to use it as a secondary storage pool for backups as an alternative to tape.
Zoch says he likes the fact that Zetta uses public key encryption that’s compliant with Federal Information Processing Standard 140-2, but the university still might decide to encrypt the data itself before transmitting it. And since he’s using Zetta only for secondary copies, he’s not worried about getting it back if something happens on Zetta’s end.
It might also be impractical to move large amounts of data from a cloud storage provider’s site if the communications pipeline is too small. “If you can do only 1MB/sec. or 2MB/sec., it could take months or even years to get your data back,” says Jeff Treuhaft, co-founder and CEO of Zetta. He says putting in a dedicated connection capable of transferring data in a timely fashion adds about 25% to the cost of Zetta’s service.
Even if the stored data is accessible, some storage-as-a-service applications, such as Zmanda Inc.’s backup and recovery systems, store data on a third-party platform such as S3 on the back end. So it’s important to do due diligence on where and how data is hosted and how to get it back, says Singh. But, he says, that’s no different from the checks one should do with any other software-as-a-service provider that stores data.
What’s the best way to get started with external cloud storage services? “You have to trust, but verify,” Ruth says. That means touring the data center to see what’s stored where, creating a service-level agreement with meaningful metrics and performing regular audits to make sure the vendor is living up to them. And if the storage-as-a-service provider is using a third party for the underlying storage infrastructure, you’ll need to perform due diligence on that vendor as well.
Despite the challenges, most users see a bright future for cloud storage. Singh says he could see a role for cloud storage for file services if he had to replace his file servers. Others see the cloud as a potential way to back up remote offices.
Mildenhall says he sees a larger role for cloud storage at Apollo as well. “It would be reasonable to put file sharing and e-mail in the cloud,” he says. And Mildenhall says he envisions a day when core business data might be hosted in the cloud — as long as he has backups of everything.
Ultimately, Ruth says, IT organizations might use cloud storage as an alternative to building additional data centers to hold copies of critical information. But, he adds, “they need to get over the idea of moving the data off-site.”