As companies consider adopting cloud computing services, two questions should be raised by every good project...
"Who owns my data in the cloud?" and "What happens when I need to transfer that data?"
In the case of private clouds, the hardware, software and data all remain in-house, so ownership is clear. When moving outside of the private cloud, however, there are complex issues to consider.
Whole volumes have already been dedicated to cloud security, privacy and governance concerns. While data ownership is just one piece of that puzzle, it may very well be the cornerstone of all cloud questions.
Even when a vendor gives 100% assurance that the data is owned by the customer, there are a myriad of challenges to address, including the legal and technical roadblocks involved in data transferability. The following 10 questions are the main ones to ask when contemplating cloud data concerns:
Who holds ownership of the data? This one requires a simple answer. If the vendor's response isn't "you," it is best to walk away and not look back.
Do you do anything with the data for your own purposes? Almost every cloud provider tracks the number of customers, the type of customer, the amount of storage and the amount of processor time for billing and marketing reasons. Be sure to find out if that information ends up anywhere else. Even though you may own the data, some vendors might use it to tailor advertising.
Does the vendor have strict policies on who can access data, including staff or other cloud tenants? It isn’t just your cloud provider that has potential access to your data. Confirm that companies working with the vendor, including IT and facilities contractors or upstream and downstream technology providers (network, storage, etc.), won't be poking around.
What does the provider do with access logs and other statistics? To be clear, the logs and other statistical information collected by cloud providers are their data, nor yours. The provider has every right to collect usage data on their systems…just as you have every right to ask what a provider does with their logs.
Where is the data being stored? Jurisdiction defines your rights. If your data is stored in the small, unruly nation of East Pirateostan, don’t expect much protection. And if your data ends up being stored in a location with different laws or regulations, you may forfeit your rights to it. One example is a Las Vegas casino that stores betting data in the cloud, only to learn later that the data is kept in a state that prohibits gambling.
Is your data kept separate from other client's data? Again, if the answer is anything other than an enthusiastic "yes," walk away from the deal. A good follow-up question here is, "How is it separated?"
Who owns and has access to backups? If the data is yours, the backup data should logically also be yours. Contractually, however, that may not always be the case. Be sure to get it in writing.
What regulations can the cloud provider verify that they adhere to? Compliance regulations like FISMA, HIPAA and SOX, to name three, add complexity to any provider’s data security endeavors. Another follow-up question would be to ask about indemnification policies in the event of a regulatory issue. Make sure the provider is keeping up its end of any regulatory requirements.
If data needs to be transferred back to the business, what form will it be delivered in? Ideally, a full cloud implementation is a three-layered cake of Infrastructure as a Service, Platform as a Service and Software as a Service, in which this question is obviated by complete and total control of the data. What's ideal, unfortunately, is rarely reality. If a company stores CRM data in the cloud but receives it back in paper form, a career-limiting event is on the way. If the data is returned as a database backup file that can be mounted and read in Oracle, SQL, MySQL or another database, however, that’s much better.
And finally, there is this aforementioned major-league query, "What happens when I need to transfer that data?" This is, arguably, the second-most important question, behind only "Who owns the data?"
Sometimes a company will find it necessary to change providers or even bring a cloud project back in-house. Without proper planning, execution of these exit strategies is bound to be mired down in technical difficulties, ranging from incompatible file formats and lack of data access to long delays in simply getting the data back.
Unlike ownership, the question of transferability is as much an issue for private clouds as it is for public ones. In the case of private clouds, any answers are largely dependent on the choice of software to power the cloud. In the public cloud space, however, the answers depend on the vendor and what it can deliver. In both cases, there are three big transferability concerns:
- The format of the data. Almost all cloud uses will involve a database, and the data stored in that database can be exported into any number of formats. It is important to understand exactly what format data be will returned in, so plans can be made to move it to a new system. In the case of virtual machines stored in the cloud, the format could be VMDK, VHD or OVF. It could also be delivered in any number of backup file formats or image formats.
- The turnaround time. It doesn’t bode well for ensuring uptime if a contract is supposed to end in January but the files aren’t received until June. This needs to be spelled out clearly in any contract with a cloud provider.
- The assistance provided. It’s not easy to tell "cloud provider A" that you’re moving to "cloud provider B," and it’s even tougher to ask them for help after the fact. Contracts for cloud services should include a plan (and the associated fees) for exiting, including any assistance needed.
Any questions raised about storing data in the cloud come down to clarity. Having a clear view of the risks, benefits and costs of cloud services will enable you to ask the right questions and understand the answers.
About the author:
Joseph Foran is the IT director for Bridgeport, Con.-based FSW, Inc., and principal at Foran Media, LLC. He has been in IT since 1995, specializing in infrastructure, and involved in virtualization and cloud computing since 2002. Email Joe at email@example.com or follow him on Twitter (@joseph_foran).
Here's why your cloud storage issues are more complicated than you might think