Welcome!

Server Monitoring Authors: Liz McMillan, Carmen Gonzalez, Ken Schwaber, JP Morgenthal, Pat Romanski

Related Topics: Server Monitoring, @CloudExpo

Server Monitoring: Article

Data Danger Lurking in Public Cloud Contracts

Providers Protect Themselves - Your Data, Not So Much

Last month, in an article titled, Tiny Company Solves Giant Problem in Cloud-Based Document Management, I wrote about CloudPointe and their unique approach to addressing the perils of cloud-based document management.  I looked at how nearly all cloud services that handle documents, media files, and other forms of data suffer from a common weakness:  they force customers to entrust their data assets to the cloud service provider and in so doing take on several big, largely unacknowledged risks.

If my article were not enough to draw sufficient attention to this issue, there is an exhaustive new study out that should give enormous pause to organizations considering or already using public cloud services, especially for storing data and documents.  The research was conducted by The Centre for Commercial Law Studies at Queen Mary, University of London and it examines the "Ts&Cs" in the service agreements from a who's who of cloud service providers, from Akamai to Zoho.

The survey covers many different aspects of the agreements, including things like jurisdiction, fair use, arbitration, etc., and it finds many troubling details and patterns that lead the authors to conclude:

"The main lesson to be drawn from the Cloud Legal Project's survey is that customers should review the Terms and Conditions of a Cloud service carefully before signing up to it."

Even after signing cloud services agreements, though, the survey shows that, to be as safe as possible, customers should review them again and again.  In the words of one of the researchers,

"Perhaps the most disconcerting discovery of the Cloud Legal Project's survey was that many Cloud providers claimed to be able to amend their contracts unilaterally, simply by posting an updated version on the web.  In effect, customers are put on notice to download lengthy and complex contracts, on a regular basis, and to compare them against their own copies of earlier versions to look for changes."

Yikes!  That makes those slippery packaged software EULAs from pre-cloud days seem like a blood oath by comparison.

Not surprisingly, the survey devotes the most attention to clauses governing data integrity, preservation, disclosure, and location/transfer, and what it finds there is pretty ugly too.

Data Integrity

After acknowledging the natural customer concerns that data placed in a provider's cloud be kept secure against loss, corruption, theft, and unauthorized disclosure, the research report says,

"Our survey found however that most providers not only avoided giving undertakings in respect of data integrity but actually disclaimed liability for it.

"The majority of providers surveyed expressly include terms in their T&C making it clear that ultimate responsibility for preserving the confidentiality and integrity of the data lies with the customer."

Most of the providers' agreements explicitly counsel customers to encrypt their data and to make separate backup arrangements - even in some cases where the service is backup!

To give credit where it is due, though, in this and a number of the research's other dire findings, Salesforce CRM stands out as a paragon of virtue.  As with only a few other vendors, it's contract acknowledges the company's responsibility in safeguarding customers' data.

Data Preservation

When a company or consumer entrusts its data to a cloud service they should consider provision in the agreement governing what happens to it in the event the contract is terminated.  Can they easily retrieve and transfer the data and will it then be fully deleted from the provider's infrastructure?

The survey shows that most providers fall into one of three categories in this regard.

The providers in one group assert that they will preserve customer data for a set period of time, ranging from 30 days to 3, after the customer terminates their contract.  During this grace period, sometimes for an extra charge, the customer can access and off-load the data and at its end the data will be deleted.

The second group of providers asserts that customer data will be deleted immediately when the agreement is terminated.  Apple's MobileMe service is in this category and its service agreement dryly states,

"Upon termination of your account you lose all access to the Service and any portions thereof, including, but not limited to, your Member Account (any Subaccounts thereunder), Subscriber ID, email account, iDisk, domains, iChat account and MobileMe Gallery albums. In addition, Apple shall delete all information and data stored in or as a part of your account(s) including, but not limited to, data files, email, albums and preferences."

The survey authors rightly point out how this begs the question of what happens in the event that a court later finds that they termination of the contract was ineffective.  They conclude that the service providers in this group may be opening themselves up to civil or criminal liability in some jurisdictions.

Providers in the third group blend conditions found in the first two, acknowledging no obligation to preserve data after a contract has been terminated but also allowing, at their own discretion, an access grace period and/or taking no steps to delete the data at any particular time.

In many cases, though, while providers may not assure that they will keep the data for a grace period or longer, they also do not assure that the data will in fact be deleted, after the grace period or otherwise.

This means that, unless the customer explicitly deletes it after offloading a copy, it may remain in the provider's storage infrastructure for who knows how long.  And, for that matter, given the various kinds of redundancy built into many clouds, even if the customer deletes, it that may not mean that it is really gone.

Data Disclosure

Regarding the potential disclosure of customer data to third parties as in the event of a court order or request from law enforcement officials, the survey found the providers to be all over the place.  They ranged from doing it without notice at their own discretion at one extreme to giving warning or seeking approval at the other.

For example, the now-defunct G.ho.st service stated that it would disclose customer information if it believed that it would protect its own interest by doing so, and the still-in-business ADrive puts it this way:

"You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability."

At the other extreme is Salesforce CRM, once again taking the high road.  They assure that, unless it is legally prohibited, the customer will be given advance notice of any requested disclosure, and that Saleforce will also assist the customer in opposing such orders.  Now, that's what I call "customer advocacy"!

Data Location / Transfer

Many cloud service providers employ multiple, sometimes numerous data centers in different geographic locations to serve their customers.  This has led to a variety of legal concerns about customers' data being stored or processed in and across potentially unknown or unregulated jurisdictions.

The EU Data Protection regime does provide strong measures to keep cloud-based data within Europe and certain data, like personal information, within specific countries.  But, even in the EU, in-flight data is still at some risk.  And, in the US, where the "long-arm" statutes are considerably looser, and in other places, where there are few or no laws as all to govern where and how data is kept and protected, all bets are off.

So, all in all, concerns about privacy and security in relation to data location and transfer are manifest and important to customers, leading the researchers to observe,

"Perhaps surprisingly, given the prominence often attached to these issues, few of the providers surveyed actually undertake to store data in a particular location or zone. [...]  Indeed, for the 31 sets of T&C reviewed, 15 made no mention of data location or transit protection whatsoever."

The findings of the research concerning data transfer were similar to those for data location.  After acknowledging the international nature of cloud computing and how it means that customer data will usually be transferred between different infrastructure segments over the internet, the report observes,

"Furthermore, if (as many larger Cloud providers do) the provider has multiple data centres, then, unless the provider has built or leased its own secure network and facilities, transfers between data centres may well also be over Internet connections.  Several providers (for example, 37Signals, UKFast) caution in their T&C that customer data may be transferred unencrypted over inherently insecure networks in such a manner."

Losing My Religion

Cloud computing, especially public cloud computing, has many potential benefits but is not without its weaknesses; and, those weaknesses tend to fall into two categories.

There are issues that vendors and customers both readily acknowledge and are working hard to address.  The need for better access security and more management automation fall into this category and will likely be fixed by incremental technical improvements and new products that address them.

Then, there are issues like the subject of this article.  They are ones with little consensus, where most providers are either defiant or in denial, most customers are uninformed or un-empowered, and hardly anybody recognizes that the problem may stem from flawed fundamentals.

Most cloud service providers and most of their customers might find it patent heresy to question the soundness of the idea of putting data and documents into the cloud.  After all, for many that is the very purpose of the cloud, full stop.  If you take back the information assets and put them on a disk array that you own and control, what is left?

There is a lot left, actually.  There is a processing and communications fabric to which most cloud benefits still accrue, and to a greater degree than they do for the comparative commodity of data storage.

The reason the data is in the cloud by default is not because that makes the most sense.  It is because Fibre Channel, Infiniband, and other schemes for directly connecting disks to processors are way faster than those for connecting the nodes of a wide area network.  If that were not true, would everyone still think that the data belongs in the cloud?  I doubt it.

Vendor lock-in, regulatory compliance, privacy, and security are the greatest customer concerns about the public cloud and they are all made considerably worse by the requirement that information assets be placed in the cloud.

CloudPointe already makes a strong case for taking back the documents and files.  WAN connection speeds and the way such information assets are used are both very amenable to sending them through the cloud but not keeping them there.  It may just be a matter of time before improved connection speeds and more advanced distributed database technology allow the same possibilities for other kinds of data.

More Stories By Tim Negris

Tim Negris is SVP, Marketing & Sales at Yottamine Analytics, a pioneering Big Data machine learning software company. He occasionally authors software industry news analysis and insights on Ulitzer.com, is a 25-year technology industry veteran with expertise in software development, database, networking, social media, cloud computing, mobile apps, analytics, and other enabling technologies.

He is recognized for ability to rapidly translate complex technical information and concepts into compelling, actionable knowledge. He is also widely credited with coining the term and co-developing the concept of the “Thin Client” computing model while working for Larry Ellison in the early days of Oracle.

Tim has also held a variety of executive and consulting roles in a numerous start-ups, and several established companies, including Sybase, Oracle, HP, Dell, and IBM. He is a frequent contributor to a number of publications and sites, focusing on technologies and their applications, and has written a number of advanced software applications for social media, video streaming, and music education.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
DX World EXPO, LLC, a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Conference Guru has been named “Media Sponsor” of the 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to gre...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develop...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.