Lack of Transparency in Public Cloud

Discussing with industry colleagues the other day, I was challenged when I pointed out that cloud services lack transparency. I realized that my statement was probably too broad, as private clouds remain under the responsibility of their owners. So let me restate this more precisely, focusing on public cloud services, and describe what I mean.

 

Beyond IaaS, cloud services often require a “supply chain” to deliver the service: the company advertising a service may rely on other companies to provide the infrastructure, some of the functionality included in the service, and so on. To quote a well-publicized example, Apple's iCloud appears to use Amazon and Microsoft Azure services. How do we know that? Because a curious journalist investigated the web addresses (hostnames) contacted when accessing the iCloud service.
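The technique the journalist used, following the hostnames a service contacts back to the companies that operate them, can be scripted. The block below is an added example and not code from the original post or from HP; it works on constructed DNS data and constructed address ranges (TEST-NET blocks, not real provider addresses) so that it runs offline. The provider DNS suffixes (cloudfront.net, amazonaws.com, blob.core.windows.net, cloudapp.net) are real; the hostnames under `example-service.test` and the CNAME chains are invented for illustration. In real use you would replace the two dictionaries with actual resolver output and load the address ranges from the providers' published range files (AWS publishes https://ip-ranges.amazonaws.com/ip-ranges.json).

```python
"""Infer a public cloud service's "supply chain" from the hostnames it contacts.

Added example, not from the original post. All DNS data and address ranges
below are constructed so the script runs offline.
"""
import ipaddress

# Constructed CNAME records, as a resolver might return them for a
# hypothetical service (example-service.test is not a real service).
CNAMES = {
    "www.example-service.test": "cdn.example-service.test",
    "cdn.example-service.test": "d1234.cloudfront.net",
    "files.example-service.test": "exsvcstore.blob.core.windows.net",
}

# Constructed A records for the terminal names of each chain.
A_RECORDS = {
    "d1234.cloudfront.net": ["203.0.113.10"],
    "exsvcstore.blob.core.windows.net": ["198.51.100.25"],
    "api.example-service.test": ["192.0.2.44"],
    "login.example-service.test": ["203.0.113.200"],
}

# Real, well-known provider DNS suffixes. A CNAME that lands on one of
# these gives away the provider even when the address is not in a known range.
SUFFIXES = {
    ".cloudfront.net": "Amazon Web Services",
    ".amazonaws.com": "Amazon Web Services",
    ".blob.core.windows.net": "Microsoft Azure",
    ".cloudapp.net": "Microsoft Azure",
}

# Constructed address ranges (TEST-NET blocks) standing in for the providers'
# published range files. Real ranges are much larger and change over time.
RANGES = [
    (ipaddress.ip_network("203.0.113.0/25"), "Amazon Web Services"),
    (ipaddress.ip_network("198.51.100.0/24"), "Microsoft Azure"),
]


def resolve_chain(name, cnames=CNAMES, a_records=A_RECORDS, max_hops=8):
    """Follow CNAMEs from name and return (chain of names, final A records).

    max_hops guards against a CNAME loop in hostile or broken zones.
    """
    chain = [name]
    while name in cnames and len(chain) <= max_hops:
        name = cnames[name]
        chain.append(name)
    return chain, a_records.get(name, [])


def provider_for_name(name):
    """Identify a provider from a hostname suffix, or None if unrecognised."""
    lname = name.lower().rstrip(".")
    for suffix, provider in SUFFIXES.items():
        if lname.endswith(suffix):
            return provider
    return None


def provider_for_ip(ip, ranges=RANGES):
    """Identify a provider by matching an address against known CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    for net, provider in ranges:
        if addr in net:
            return provider
    return None


def map_supply_chain(hostnames):
    """Return, per hostname, its CNAME chain, addresses and inferred providers.

    Names whose chain and addresses match nothing are reported as "unknown":
    that is exactly the blind spot the post is about, since a subcontractor
    that does not advertise itself in DNS stays invisible.
    """
    result = {}
    for host in hostnames:
        chain, ips = resolve_chain(host)
        providers = set()
        for n in chain[1:]:  # skip the service's own name
            p = provider_for_name(n)
            if p:
                providers.add(p)
        for ip in ips:
            p = provider_for_ip(ip)
            if p:
                providers.add(p)
        result[host] = {
            "chain": chain,
            "ips": ips,
            "providers": sorted(providers) or ["unknown"],
        }
    return result


def providers_seen(mapping):
    """Sorted list of the distinct identified providers across all hostnames."""
    seen = set()
    for entry in mapping.values():
        seen.update(p for p in entry["providers"] if p != "unknown")
    return sorted(seen)


if __name__ == "__main__":
    mapping = map_supply_chain(sorted(set(CNAMES) | set(A_RECORDS)))
    for host, entry in mapping.items():
        print(host, "->", " -> ".join(entry["chain"][1:]) or "(no CNAME)",
              entry["ips"], entry["providers"])
    print("providers in the supply chain:", providers_seen(mapping))
```

Two of the four service hostnames are attributed (one to AWS through both the CNAME suffix and the address range, one to Azure), while `api` and `login` resolve to addresses outside every known range and stay "unknown". That residue is the point: this kind of external inference only finds the partners who happen to be visible in DNS, which is why the post argues for disclosure rather than detective work.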

 

When Amazon EC2 went down last April, people tracked the companies that were affected. The list can be found here. I did not check them all, but none of the ones I checked mention anywhere that they run on Amazon EC2.

 

This is the tip of the iceberg: the facts we can trace. In practice it means there is currently NO way to know who is actually participating in the delivery of a public cloud service. There is no obligation of transparency in the delivery.

 

Do you remember the T-Mobile/Microsoft/Danger data loss a couple of years ago? It may not have been a cloud computing issue as such, but rather a failure to follow standard IT processes. Frankly, this does not matter. It demonstrates that a service is only as well managed and secured as its weakest link. The issue? We have no way to assess that weakest link, as we have no visibility into who is participating in the delivery of the service.

 

And I could go on. Now, you will tell me these are services developed for consumers, not for enterprises. As 90+% of services are developed for consumers and SMBs, you are probably right. However, the boundaries between consumers and enterprises are blurring, for two reasons. The first is that business people, not receiving appropriate service from their IT department, increasingly use external services (including Facebook, Dropbox, YouSendIt, etc.). We call this “shadow IT”.

 

The second is that a new generation, the millennials, is entering the workforce. They are very familiar with IT and use it all the time to stay connected with friends and family. They expect the same in their work environment and do not understand why they should use different tools for work than for their private life.

 

On top of that, an increasing number of “free” services, originally developed for consumers, are moving up the stack and delivering “premium” services to businesses. Both tiers often run on the same platform and use the same environments.

 

But what are the dangers of this lack of transparency? In my mind they are twofold. On the one hand, we have no visibility into the processes and procedures used by the players in the service supply chain. For example, what levels of security does each partner guarantee? And what guarantees exist at the integration points between the partners? How are duties distributed, and are all aspects addressed?

 

The second element has to do with the location of data and its association with the now well-known Patriot Act. Where does my data reside? Let me take a simple example. YouSendIt runs two datacenters in the US and now has a brand new location in the UK. But where will my data actually be located? There is no way to specify that you want your data kept in a particular geography.

 

I understand from talking to lawyers at American IT companies that the Patriot Act may in essence not be that different from criminal legislation in other parts of the world, but as pointed out by ZDNet in their series on the subject, it is, to my knowledge, the only legislation that applies outside the boundaries of the initiating country without involving the local jurisdiction. At the moment no Patriot Act related case has been brought to court, so no case law has been established yet.

So, how could we address these issues and provide users of services with the appropriate information to decide which service to use, with a full understanding of the implications?

 

I would make the following suggestions:

  • At a minimum, an obligation to include in the description of the service the names of all players in the service supply chain.
  • Ideally, provide the user with an objective assessment of the quality of the processes and procedures established for delivering the service. This should cover at least security, redundancy, disaster recovery and data location. It could be done through formal certification, through a categorization into levels (e.g. a star system) or any other appropriate means. The objective is to allow the user to quickly and easily understand what he/she is actually getting.

As far as the Patriot Act is concerned, I would also urge the European Union to make a clear statement on how enterprises can comply with both the EU privacy laws and the Patriot Act. There is a feeling of uncertainty in the market at the moment, and that does not help business.

Comments
RyanKo | 11-21-2011 07:03 PM

Hi CV,

 

I am glad to see your discussion on this topic.

With regards to this, the TrustCloud team in HP Labs have done some groundwork in achieving accountability and transparency of cloud computing service providers/ infrastructure:

 

Blog post:

- My previous blog: First Steps to Tracing Files and Information in the Cloud:

http://h30499.www3.hp.com/t5/Grounded-in-the-Cloud/Flogger-First-Steps-to-Tracing-Files-and-Informat...

- Judy Redman's article on TrustCloud:  http://www.enterprisecioforum.com/en/blogs/judy-redman/accountability-and-trust-cloud-computing

Technical Reports:

- TrustCloud overview and position: http://www.hpl.hp.com/techreports/2011/HPL-2011-38.html

- Flogger paper: http://www.hpl.hp.com/techreports/2011/HPL-2011-119.html

Would like to hear your comments about these reports.

Regards,

Ryan Ko

HP Labs Singapore

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.