April 14, 2009 at 6:19 pm
Comments posted to this topic are about the item Becoming a Google Earth
April 15, 2009 at 5:25 am
This is a really interesting topic. While security is a serious risk, I think the next biggest concern with keeping data in the cloud is that if the company that holds the servers fails, that data could be lost. I am ignorant of the contracts involved in cloud computing, whether there are provisions for this. If the data is in GoogleDocs I don't think there are any contracts other than the agreement when you sign up. I certainly would like to hear more about this from anyone that has been involved in those negotiations with a salesforce.com or other cloud computing vendor.
Another piece I've struggled with is the ethics of requiring an employee to sign up for, and use something like GoogleDocs. Are there limitations to what an employer can require? If a service requires a valid name and birth date, I think an HR department might have concerns.
I have been in that position of exporting data to load onto vendor servers, and it always gives me some pause.
April 15, 2009 at 7:35 am
I think you aren't taking the security issue seriously enough. Yes, we put payroll into the cloud, ADP is one example. But ADP has had decades of security experience, and the penalties for failure are draconian when it comes to payroll, so I'm not terribly concerned. ADP can do it right because if they fail even once the resulting loss of trust will kill them as a company.
Salesforce.com is a disaster just waiting to happen. I don't trust them (or companies like them) because they are young, growing too fast, and frankly unproven. You want to be the first to wear unproven body armor in combat? 🙂 That was produced under impossible deadline pressure by folks that may not know all the ins and outs of armoring?
That's the equivalent of what you're doing when you put your data in the cloud. My company's data leaks out and somebody could end up dead in a botched robbery attempt. Personally, I don't want that on my conscience, thank you very much. I have enough sleepless nights worrying about insider attacks, I don't need the extra worry of 6 billion more insiders...
Quite aside from security there's also the access issue if somebody cuts a cable, as you pointed out. Distributing data across multiple service companies brings up the spectre of synchronization issues and compromising the Single Point Of Truth. I hadn't even considered the regulatory issues, not to mention data getting migrated across national borders with different privacy/security/government spying rules.
To come back to the security for a moment, what about tape backups of the *service company's* systems. Will they "go missing" so a bad guy has all the leisure he needs to break whatever encryption is in place? Will they even have encryption?
The cloud is way too immature for serious data storage. How many multi-billion dollar companies do we hear about that have data breaches? If TJ Maxx can't do it right what's the possibility Salesforce.com will? Or some competitor that has to beat Salesforce's rates?
The cloud is NOT ready for commodity database use yet. Probably never will be.
April 15, 2009 at 8:54 am
Roger,
I am taking this seriously, and I think there's a lot to work out.
However I think you're thinking specifically, and narrowly here. ADP built trust, sure, but can't that happen with cloud computing? Didn't ADP have to get someone to trust them early on? You might not trust Salesforce.com, and that's fine, but lots do. They're the more-risk tolerant people that gave ADP a start.
Also, you have to consider that the cloud doesn't just mean that it's across the public Internet. Clouds can be private. Or clouds can be co-hosted along with the application somewhere, but the idea of cloud computing makes sense.
I'm not trying to minimize issues, but issues don't mean it's a horrible idea. They mean those issues need to be solved and solutions matured.
April 15, 2009 at 9:37 am
Steve,
Trouble is, I don't think the basic issues *can* be solved on a broad (all companies) basis. I trust ADP because they started back in the day when "network" meant point to point communication, either dedicated line or a modem. They evolved along with advances in networking, and they think like paranoids--which is good. They've had time to grow slowly, and their feature set is pretty stable, meaning a minimum of "get it out the door NOW, I don't care if it's been completely vetted." BS.
Other companies--not so much. 🙂
And that's just one of a host of issues. Can they be solved? Hmm, possibly. The security issue still bothers me, more than say the availability issue. SPOT is definitely something to watch over as well. The transfer of data across national borders is a humongous (people) issue, so I think that will be solved about the time we have a world government... (laughing)
My industry is by its nature absolutely risk-homicidal (read literally armed personnel, armored vehicles, armored buildings, criminal background checks, you name it). For us data is safe only so long as it stays within our facility. We even put our backup tapes in a two-ton safe in our facility. Should survive a meteor strike... 🙂
I'm just waiting for the day when some math genius discovers an equation that spits out the private key when given a message and the public key. Then we are well and truly screwed.
April 15, 2009 at 9:45 am
Roger, sounds like a fun place to work. I worked in a nuclear plant, same way. Armed guards carrying M-16s, loaded, around. Would train in the plant at times, not much fun to walk around knowing that they could discharge a weapon.
Also not fun when I got to "test" the metal/bomb detector alertness by walking through with wires and playdough in my bag.
I agree with you there are issues, and companies will fail. Some people will lose data. Not sure that's much worse than the way we lose data now.
My view is insurance will evolve to help here. Lots of regulations and rules are insurance required. If we start holding people accountable, making them pay, they'll demand insurance. Then the insurance industry will hedge risk with requirements.
April 15, 2009 at 3:53 pm
All of the reliability concerns are valid; however my main concern is with the way the legal system views data ownership.
It is my understanding that you have to own the hardware the data resides on to be served with a subpoena if a judge or some agency decides they want your data for some reason. The subpoena is served to the owner of the hardware, and not the owner of the data.
This is a very valid concern for any business, especially one that does business with any government agency.
April 16, 2009 at 8:33 am
John Bradford (4/15/2009)
The subpoena is served to the owner of the hardware, and not the owner of the data. This is a very valid concern for any business, especially one that does business with any government agency.
Critical point. Do you think a cloud computing company can be trusted to challenge a subpoena? Hell, you might not even know it was served. Remember how ATT rolled over and said 'take anything you want' when it came to warrantless wiretaps.
... and what if that company also has a branch in a different country and *that* government issues a subpoena? You don't even know who is looking at your dat
...
-- FORTRAN manual for Xerox Computers --
April 16, 2009 at 8:45 am
John Bradford (4/15/2009)
All of the reliability concerns are valid; however my main concern is with the way the legal system views data ownership. It is my understanding that you have to own the hardware the data resides on to be served with a subpoena if a judge or some agency decides they want your data for some reason. The subpoena is served to the owner of the hardware, and not the owner of the data.
This is a very valid concern for any business, especially one that does business with any government agency.
Won't help them much if the data is encrypted by keys only your company has.
Let's say I'm the hosting company. I have the hardware, so the data is on my system. Someone comes to me with a subpoena, and I give them a copy of your database. I don't bother to inform you that they have it.
If the data in it is encrypted (as it should be if it's at all sensitive), what good does that do them?
Yes, they might have the time and power to decrypt it, but if you're worried about that level of security, you won't be hosting your data outside your facility no matter how secure their salespeople say it is, so it's a moot point.
For most companies, encrypted databases will be good enough security.
On the subject of Salesforce.com, they've already had at least one security breach.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
April 16, 2009 at 10:29 am
Gus has a great point. You can't expect anyone else to challenge a legal issue for you.
However if you want to challenge it, what's the likelihood that your DBA will stand up to the challenge if he/she is confronted?
April 16, 2009 at 6:46 pm
Some people bake their own cakes and have full control of all the ingredients and steps involved. Others don't have the time or skillset so they go to a bakery and buy a cake. Someone at the bakery could poison the cake. It's a risk. It's small, but it could kill you if you are wrong. Same goes for restaurant meals. But most people buy cakes and eat at restaurants.
Some people rebuild their own car engines. This way they know it's done "right" and it can also save them money. Others don't have the time or skillset so they take the car to a mechanic. They may rip you off, or do a lousy job. It's a risk. But most people take their cars to mechanics.
Same goes for all the discussion about the cloud. There are risks. I'm not at all saying the risks are not there or that they couldn't hurt you if they materialize. But I do think there are ways to deal with those risks. But yeah, they are still risks. And there's a different set of risks to trying to keep it all in-house.
Ha... isn't life grand? Seems we just can't seem to get away from risk.
Personally I think the biggest cloud risks have to do with having your company data as part of some now-big-and-juicy target for hackers or terrorists, rather than keeping your company data to yourself in relative anonymity. Can the cloud companies protect your data better than you can? Maybe yes, maybe no. And what are the consequences if they can't? Or if you can't?
Although not entirely cloud-specific, what about the telecom and undersea cables, which the Somali pirates now say they are going to try to attack. The challenge is to figure out your own company's risks, your tolerance for it, and your risk mitigation strategy.
Hey, if this stuff was easy, we all wouldn't be paid the big bucks! 😀
April 16, 2009 at 7:05 pm
Steve Jones - Editor (4/16/2009)
Gus has a great point. You can't expect anyone else to challenge a legal issue for you. However if you want to challenge it, what's the likelihood that your DBA will stand up to the challenge if he/she is confronted?
I don't think the DBA would, nor should, unless they have ownership or exec-level management responsibility. I think the issue is rather having the chance to pass it through your local legal and PR representation before rolling over. If you have no control of the hardware, then you don't have that choice unless the 3rd-party provider chooses and/or is allowed to notify you.
There are times when a legal challenge can and should be countered. Due legal process has as much politics in it as anything else.
April 17, 2009 at 7:20 am
Steve Jones - Editor (4/16/2009)
Gus has a great point. You can't expect anyone else to challenge a legal issue for you. However if you want to challenge it, what's the likelihood that your DBA will stand up to the challenge if he/she is confronted?
Such things don't usually go straight to the DBA. They go to the officers of the company.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
April 18, 2009 at 9:14 am
They usually do go to the company, I'd agree with that. My point is that if management refuses, someone might show up at the office with papers asking for data. I doubt a DBA there would do anything.
Don't forget that contracts can always be changed. I've had hosting contracts with language that said any legal issues require notification of the company before any action by the hosting company.
April 20, 2009 at 3:43 pm
Steve Jones - Editor (4/18/2009)
They usually do go to the company, I'd agree with that. My point is that if management refuses, someone might show up at the office with papers asking for data. I doubt a DBA there would do anything. Don't forget that contracts can always be changed. I've had hosting contracts with language that said any legal issues require notification of the company before any action by the hosting company.
That would and should be a standard if this idea is to really progress. But even that process can be over-ridden.