Blogger: Eric Maiwald
When you attempt to put your head into the clouds, make sure you know what you are getting into!
Perhaps that is the updated caveat emptor – let the cloud user beware. Think of this scenario:
You own a business in Australia and you have chosen to use a software-as-a-service (SaaS) product to handle your accounting instead of buying your own accounting package. The SaaS provider is based in New Zealand. As part of your due diligence before making the decision to use the product, you check out the vendor. All seems fine, so you sign the contract. Then a problem occurs…in Dallas, TX…in the United States…and your vendor’s systems (and the product you are trying to use) go down. Welcome to the cloud!
If you think I’m just being paranoid (trying to come up with the worst case scenario for everything like a good security person should), just read this article. A vendor in New Zealand (Xero) provides accounting software via a SaaS model. They host their servers at a company called Rackspace. Apparently, Rackspace had some type of power issue at its data center in Dallas, TX and this made Xero’s service unavailable. This happened even though Rackspace had other data centers around the world.
I don’t mean to pick on Xero or Rackspace. Accidents and failures happen and while we can implement controls to reduce the risk, the risk never really goes away.
The event does highlight an interesting aspect of the cloud. The customer may never really know where his data resides or what portions of the Internet infrastructure he relies on. In this case, customers were working with a company in New Zealand. The company in New Zealand contracted with an American company to provide data center space and network connectivity. The American company has data centers in the US, the UK, and Hong Kong. Where is the customer’s data? Which parts of the infrastructure are necessary to make use of the service being purchased?
As we layer more stuff in the cloud, these questions become more important. As a customer it is your responsibility to ask these questions.
There will be several cloud and SaaS security presentations at Burton Group’s Catalyst Conference. Join the conversation with us in San Diego the last week of July.

Eric,
The beauty of the Cloud Computing paradigm is that the customer doesn't have to worry about the exact location of the data, as long as the provider can guarantee the Confidentiality, Integrity and the Availability. In fact I prefer if the contract between the customer and the cloud computing provider doesn't include the clause about the exact location of the data. This gives the provider the agility and nimbleness during disaster recovery.
Of course, there will be cases like the one you mentioned, but as cloud computing matures, the providers that can demonstrate resiliency in the face of disasters will come out as winners.
Posted by: Saqib Ali | July 06, 2009 at 02:17 PM