We all use cloud services in one way, shape or form, and according to IDC, that use will only increase moving forward, at least till 2014. Beyond email, we will use cloud services for things as diverse as our health records, our information sources, our family photos and videos and a number of things we haven’t thought about yet. All that sounds great, but is it?
The fundamental question, whether cloud is used for home or business reasons, is what we really know about our cloud service provider. Google scans the content of our mails for advertising purposes and probably for a number of things we have not discovered yet. But Google is a large enterprise that will restrain itself or be restrained. Unfortunately, when we call upon cloud services, many companies may play a role in delivering what we ask.
Let me take a real-life example. You remember the T-Mobile Sidekick Disaster? T-Mobile delivered a cloud backup service for their mobile users. Now, here comes the twist. The service is represented as a T-Mobile service, but it is actually delivered not by T-Mobile but by a company called Danger, now a subsidiary of Microsoft. And Danger was apparently not backing up their servers.
Beyond this specific example, what I want to show is that it’s not always the company that advertises the service that delivers it. And the lack of transparency in the cloud space means that, when you decide on a service, you have no way to know who is actually delivering it (you have no knowledge of the supply chain). So, how can you assess the financial viability of the service, its security, its compliance with legislation, etc.? Cloud service providers will have to address these concerns moving forward.
With that in mind, it’s interesting to read Gartner’s “Cloud Computing Rights and Responsibilities”. Gartner specifies 6 rights and 1 responsibility of service customers that will help providers and consumers establish and maintain successful business relationships. So, let’s look at the responsibilities in more detail:
The right to retain ownership, use and control one’s own data. That seems to make a lot of sense, but how do you make sure of that when you do not know who will touch your data and have no access to the contracts between the players?
The right to service-level agreements that address liabilities, remediation and business outcomes. Well, did you ever read the SLAs from service providers? When they exist at all, they absolutely do not address the points requested by Gartner.
The right to notification and choice about changes that affect the service consumer’s business processes. That is probably the requirement that is closest to being fulfilled. Typically, planned downtime and similar changes are communicated ahead of time.
The right to understand the technical limitations or requirements of the service upfront. That is a difficult one, as cloud services operate in very complex environments and may execute a large variety of workloads, making it difficult for anybody to encompass all possible limitations and requirements.
The right to understand the legal requirements or jurisdictions in which the provider operates. Well, although this is a must from a legal standpoint, it goes straight against the “location independence” characteristic of cloud.
The right to know what security processes the provider follows. This brings us back to our supply chain discussion, as there may be multiple providers. Cloud service providers are very careful not to divulge what they do from a security perspective. We also know that one of the top security threats, as highlighted by CSA, the Cloud Security Alliance, is the malicious insider. What background checks are performed before personnel are hired at some of the service providers in the chain?
Knowing that services are often provided by a supply chain of companies, adhering fully to these 6 responsibilities will be difficult. As in regular supply chains, a sense of common ownership is required for companies to work jointly to address them. And that will probably take quite a while. Gartner’s points are great, but do not expect them to be readily available today.