October 23, 2009 at 3:16 am
The case for data in the cloud is strongest for global companies that require near constant uptime. You can't say let's do maintenance at 3 AM like you do in the States, because 3 AM is smack in the middle of the day for other parts of the World.
There is also a huge advantage for companies that need to offer access to data to external partners. The whole process of creating VPN tunnels, opening ports, etc. is no longer the sys admins nightmare.
And let's not forget the time and effort it takes to put purchase, install and configure hardware and SQL Server, then take care of the day-to-day patch management, tuning, etc.
I am not saying to put medical records, credit cards, SSNs on SQL Azure but there are MANY use cases where data can be hosted in the cloud with zero risk.
October 23, 2009 at 3:38 am
Robert, as Timothy mentioned yours is a well thought answer that certainly illuminates issues witht he cloud I had never considered ...
My only question concenring the points you raise would be surely the larger players etc would have considered the legal ramifications, especailly the issues concerning the Data Protection Act etc and would have factored that into their plans (one would at least hope)
And yes I do tend to agree... its a new name for an old concept
kind regards
~si
October 23, 2009 at 7:54 am
Thanks for this timely article. I volunteered to invetigate Azure for my organization and this article will definitely aid that.
I doubt that all of our databases will be in the cloud. We have HIPAA requirements and no one is excited about putting the data governed by HIPAA on the web. However, we have several databases where it may make sense to store them in the cloud.
It's something we're looking at but I don't know that we'd be putting anything in the cloud before 2011.
October 23, 2009 at 7:58 am
Sam,
The points you make with respect to the convenience of using the cloud as a mechanism for continuous, 24/7 operation and distribution of data to business partners are compelling from an IT operations point of view, but the assumption that large companies have thought out the legal ramifications of doing so is not necessarily valid. For data-centric companies or companies whose primarly line of business it is to manipulate and/or sell data, yes, it is likely that they have at least considered the possibilities of litigation as a result of cloud computing for more than a brief moment. The kinds of companies that I would expect would have considered such would be companies like Microsoft, DataQuick, MSNBC, Google, and the like. Notice that these are largely companies that produce cyber products or products that are used primarily to manipulate and shape data.
Companies that I would suspect have only given passing attention to these issues would be small to medium size companies that produce tangible products or that deliver services. Why? Their economic position is not as strong as that of global companies and they are far more concerned about making the sale as the first order of business. In such companies, marketing and sales departments carry far greater weight, relatively speaking, than their counterparts in global companies. This is not to say that global companies are slouches when it comes to seeking and closing deals; rather it is to say that the degree of influence that those departments in smaller companies have over fundamental business decisions is greater as a result of economic need.
I see significant hazards in making the assumption that if Microsoft uses and promotes the cloud, it must be okay because they wouldn't use and promote it if it were legally hazardous. For companies with a physical global presence and which have enormous budgets, dotting all the i's and crossing all the t's is feasible because of the capital they can throw in to protect their interests while at the same time engaging in and promoting cloud computing. Large global companies maintain parallel data paths, one for day-to-day operations and the other for legal protection. They categorize e-mail messages as they arrive, sort and archive each version of a document, make referential copies of each published press release and publicly released document, and take many other steps to ensure that in the case of litigation, there is a complete library of everything the company has ever said, published, or done so that an overwhelming presentation can be made in court to defend their interests. They have an army of in house attorneys and outside retained counsel to represent them and to verify periodically that they are continuing to keep up the archival processes that will result in their prevailing in litigation. Doing so consumes an enormous amount of money, far more than the entire annual collective budgets of multiple small nations.
Companies of the scale of IBM and Microsoft, as influential as they are on business and government, however, neither employ most of the world's workers nor produce most of a nation's GDP. The big players in both regards are the aggregate of small companies world wide that employ the vast majority of people and produce most of each nation's GDP. Companies of this smaller scale lack the budgets to sustain the kind of protective efforts that a company like Google would perform. What this simply means is that what is safe for Microsoft is not necessarily safe for a 100 employee company that manufactures fuel pumps for the automobile industry. They don't have the same mindset, economic advantage, legal staff, or budget to do so. If, therefore, they tread out into the cloud in order to reduce business costs and complexity, they do so without the expensive armor that global companies put on before taking the same steps, resulting in a far more hazardous adventure into cyberspace.
Let me give an actual example of the kind of thinking that goes on when entities consider moving to the cloud. Recently, the City of Los Angeles, faced with a budgetary crisis of historic proportions, was approached by Google and offered its cloud computing services. Google had already brought the Washington, D.C. into its cloud computing fold, so the Los Angeles city council wondered out loud if such an arrangement should be considered as well for itself. After all, if Washington did it, why not L.A.? What the city was considering putting into the cloud were tax records and police databases. Its confidential database of gang member affiliations, strategies and scenarios for breaking up gangs and criminal organizations, pending actions, personnel records, and the like would all be out in the cloud. Does that sound like good, legally defensible planning, or does it sound like someone only listening to the ringing of the cash register?
Breaking into a computer system isn't all that difficult. We have all heard of the Nigerian e-mail scam, phishing attempts on the part of Israeli and Russian cyber criminals, identity theft of credit card numbers, and a long list of largely untraceable criminal activities that have occurred over just the past five years, and the impression one has from the reports of these activities is that such invasions of corporate and personal privacy result from spyware, hacking, or breaking unbreakable computer security. In fact, most successful thefts of information result from errors of human judgment. A person calls a data center claiming his is John Jones in sales engineering, that he is out of the office at a customer site and wants to show a customer a spreadsheet on his workstation, but he just changed his password and can't recall it. So he asks, "Could you [the support desk attendant] give me a new password so I can complete the demo?"
Even simpler, is to physically call on a company claiming to represent a firm that has the world's best widget that will make the company lots of money and costs virtually nothing. You get a tour of the facilities, and as you stroll through the operations area, you notice that someone has posted his password on a sticky note attached to his monitor (there is always someone in every company that does this). You pause and make pleasant conversation with that person and learn his name from the business cards sitting on his desk. Later, when you try to enter the system remotely, you try various user names based on the name of the person you spoke with and just add the password. Eventually, you gain access to everything that person can see, and it is often surprising just how large the corpus of information is that each person in a company can see as a result of the company being "customer-driven." The information includes customer names, addresses, account numbers, methods of payment, last purchases, lines of credit, tax ID numbers, notes about the dealings with the customer including personal information about family members (birthdays and anniversaries).
Now, imagine that the data is located in a part of the world where the prevailing regional attitudes toward data privacy are not those that we embrace. Google has more than 23 world wide data centers spread across the globe operating under the laws of at least a half dozen or more countries and employing foreign nationals. In some cases, the data centers are simply computers set up in leased space in existing facilities owned and operated by non-Google entities. To the extent that the people who actually put their hands to the keyboards in those facilities do not share our understanding of the words "confidential" and "private," we are exposing our business, government, and personal data to theft.
The unfortunate truth is that because of the way that we as people choose to do business in order to appear to be approachable and friendly, we greatly enhance our likelihood of leaking information that can come back to bite us very hard. When we choose to conduct business in the same way within the environment of cloud computing where the data stored, from a legal point of view, has diminished privacy privileges to begin with and when we as business enterprises are not prepared either from a psychological or economic perspective to undertake the considerable additional measures to protect our legal and financial interests from the hazards of cloud computing, it creates a scenario that increasingly resembles playing Russion roulette.
From he perspective of a small business, using cloud computing tools seems like such a no-brainer. It's cheap, easy to use, doesn't require us to do updates or maintenance, and it's accessible from every branch office we could ever want to open. In a perfect world, all that is true,and it looks like a gift wrapped in pretty paper and tied up in a ribbon. In the real world, however, where people get sued, where people steal, where business ethics are constantly challenged, and where budgets tend to define what companies think they "ought" to do, all that is still true, but it is wrapped in caveats that are a mile thick and tied up with barbed wire.
October 25, 2009 at 9:31 am
Robert, I think that it would be wise to treat all but the most generic of customer information, and certainly anything personally identifiable, as at least somewhat sensitive.
However, there is a lot of work with large datasets that are not about individual people or money at all. For instance, some scientific research can deal with large datasets where the need to protect the dataset itself may be at least relatively low. For instance, I suspect much work on the genome of the drosiphila fruit fly or other fields in bioinformatics would fall into this category. In such an instance, it may make a lot of sense to use Cloud services, especially if collaboration with colleagues that were geographically separated were required.
---
Timothy A Wiseman
SQL Blog: http://timothyawiseman.wordpress.com/
October 25, 2009 at 10:52 am
Timothy,
I agree with you in this regard. Data lacking any personal character, any possibility for compromising the physical or intellectual property of a business or other human institution, or any implications for national security would be best distributed via the cloud. It is bigger and more available. I think the sticking point is simply where humans would take umbrage at the disclosure of any particular piece of information. Admittedly, this is a more general philosophical question than it is technical.
In certain nations, the disclosure of some of the finer details of life is regarded as perfectly acceptable. In a recent article it was disclosed that the salaries of all employees in Norway are a matter of public record and freely available on the Internet. Here in the United States one's previous record as a child predator or sexual criminal would be accessible on the web.
In ancient Judaism the Pharisees, roundly criticized by Jesus and the early Christians, did what they called "building a fence around the Law." Their belief was that if one constructed a set of rules that were more restrictive than the Law of divine origin, then the Law would never be violated if everyone would observe the more stringent manmade law, hence the reference to the "fence" around the Law.
In many ways ISO standards, HIPPA requirements, best practices of the IT world, and much of the corpus of Federal and state law and regulation follow the same Pharisaic logic. It is commonly thought that if the fence is high enough, and everyone follows the rules, no harm will occur. As we all know, however, there are those in the world that love nothing better than scaling manmade walls and fences to see what is on the other side, which brings to the fore the insight that laws and regulations are designed for those who will respect them. For the criminally inclined they are utterly irrelevant since laws and regulations are just words on paper, and they have no inner drive to participate in the social contract that says everyone has to play by the same rules.
That is where the technologists of the world find their socially significant niche. By making it supremely difficult to for cyber sociopaths to break through the barriers to access to information and physical assets, they become the cyber guardians of the planet. It is in that role of being a digital champion that IT professionals gain a dignity not often afforded to them by those who have found it ever so convenient to label them as "geeks." Living up to that calling is something that a surprisingly large number of IT professional strive to do, and it speaks volumes about the quality of the people that the profession attracts. Having worked at one point in time as an officer of a stock brokerage company, I can say that the level of professionalism and personal and business ethics of the IT world stands head and shoulders above that of the financial services world. Wouldn't it be wonderful if the financial rewards were accordingly rearranged to reflect that reality?
March 27, 2020 at 3:06 pm
Why do all the resource links in this article take me to https://beyondrelational.com/?
Viewing 7 posts - 16 through 21 (of 21 total)
You must be logged in to reply to this topic. Login to reply