RSSDanger signs: Now how secure does the cloud look?
By Carmi Levy | Published October 12, 2009, 5:57 PM
There are service outages, and then there are service outages. T-Mobile customers who carry the Sidekick smartphone are learning the hard way that there's a major difference between having no access to a service for a little while and losing every contact, calendar entry, and related shred of personal data they've got.
In the not too distant past, Google, Twitter, and Facebook have all experienced basic, quaintly simple service outages. Despite the headlines and general chaos associated with each incident, the bottom line impact was never all that onerous: When service returned, so did their users' data. For the most part, users were given an easy excuse to take a few hours off. And with the exception of Google's subscription services, most were free, so folks couldn't argue that they weren't getting their money's worth.
More than a free service
Microsoft's experience isn't turning out as charmed, and it wouldn't surprise me if some of the folks behind its 2008 purchase of Sidekick maker Danger might be rethinking the $500 million deal in the wake of last week's worse-than-usual outage. When service was restored and countless users (Microsoft and T-Mobile still aren't fessing up to actual numbers) realized their devices had been wiped clean, Microsoft was forced to release an unprecedented mea culpa admitting data had been lost and would in all likelihood not be recovered. More embarrassing for the companies involved, Microsoft implored users to keep their batteries in place and avoid resetting their devices or allowing them to lose power.
However you slice it, this is not a happy place for anyone. While it's easy to assume Microsoft's and T-Mobile's customers are the real victims here, the sad truth is these very clients shoulder at least part of the blame for losing their stuff. It may sound harsh, but users who rely so heavily on a vendor that they neglect to implement their own disaster recovery plan shouldn't complain too loudly when said vendor drops the ball. Although in this case Microsoft and T-Mobile were accountable for the service itself, data ownership always resides with the customer. While the peculiarities of the Sidekick dictate that much of the data resides in the cloud, end users remain ultimately accountable for their information.
Sadly, many of them are learning a hard lesson about the value of local syncing. Whatever mobile device or OS you're using, this should be a wakeup call if you're not doing the same.
A cloudy question
This debacle doesn't just force this particular service into question. More ominously, it challenges the very notion of cloud-based services at a time when their takeup rate is accelerating. The fundamental trust that we have in such services -- that a provider that specializes in large-scale deployments like this could absolutely never lose our precious data -- has been thrown into question. Suddenly, keeping things stored on our rickety old hard drives, or at least backing them up there, may not seem like such a bad idea. Any way you slice it, it's a backward step in the march toward the cloud.
To its credit, Microsoft is doing everything it can to make the best of an unfortunate situation. It's apologized for losing customer information, it's scrambling to recover what it can, and it's offering up a free month of data service. While customers who have lost it all may disagree, this is a textbook response to this kind of situation. And as the vendors involved strive to save whatever face they can, it's fair for current and prospective customers to feel burned by a service whose monthly subscription fees implied a certain trust relationship. More than a free service like Twitter, which when it inevitably goes dark users can simply shrug their shoulders in response because they're simply getting what they've paid for (namely, nothing), a service like T-Mobile's that comes with a monthly bill can't simply rely on shoulder-shrugging users when the worst happens.
A case of bad timing
All this must weight heavily on Microsoft as it prepares to release its core cloud-based environment, Windows Azure Platform. While Microsoft was hardly involved in the architecture decisions made years before it acquired the Danger unit, the brand association is anything but positive as Microsoft takes its biggest step yet toward a Web-enabled services model. Convincing customers still comfortable with the notion of physical servers in tangible data centers that they should toss their data into infrastructure owned and managed by some unseen entity just got a lot harder.
Google, Salesforce.com, and other cloud-based vendors -- free or not -- are doubtless also feeling Microsoft's pain, because they all know full well that this kind of thing can happen to them, too. The industry clearly has a long road ahead of it as it seeks to balance the compelling capital and operational advantages of Web services with the never-ending need for customers to take an active role in securing their data.
That road will be difficult indeed if vendors ignore the need for this form of partnership. Despite their passion for making their new generation of Web-based services as worry-free as they possibly can, no amount of technology can ever remove the need for personal and corporate accountability from the equation. Vendors that market themselves as the answer for customers who can't be bothered to pay attention to their own data need a not-so-slight attitude adjustment.
For their part, customers also need to begin challenging cloud-based services vendors with specific questions revolving around how data is secured, backed up, and restored. Before signing on the dotted line, they should ask about what tools and processes the vendor makes available for customers to self-serve their own backups. Even if it's as simple as a basic export to a .CSV file, with the right support from their vendors, customers can set up automated processes that ensure they can keep going even if the service itself does not.
Vendors that don't help customers help themselves will be quickly eclipsed by those that do. And when the worst happens and a vendor-caused meltdown takes data with it, customers that don't step up to the plate will have no one to blame but themselves. Welcome to the new reality of the cloud.
Carmi Levy is a Canadian-based independent technology analyst and journalist still trying to live down his past life leading help desks and managing projects for large financial services organizations. He comments extensively in a wide range of media, and works closely with clients to help them leverage technology and social media tools and processes to drive their business.
Please use the Cloud.. If you do MAKE SURE you have access to Randomly challeng cloud-based services vendors with specific questions revolving around how data is secured, backed up, and restored.
Do complete back ground checks on ALL employee's and vendors they use.
FYI: Corporate Spying is still the #1 form of hacking, worms and spyware.
Score: -1
|Heh...
Please use the cloud. It makes it so much easier for us hackers to make millions off of your financial and personally identifiable information. ;)
Score: -1
|The cloud sucks and is unreliable (by nature), everybody become master of your own data!
Score: -2
|That's quite a general and inacurate statement.
Score: -1
|Congratulations, I will no longer be returning to BetaNews. I'm tired of these posts with shameless plugs. RSS deleted.
Score: -3
|What are you talking about? If anything the article is [rightly so] critical of all the services mentioned.
Score: 3
|wow they still sell sidekicks? I thought they went out of style along with paris hilton :P
Score: -1
|I really hate the term "cloud".
The title of the article alone is one reason. There isn't just 1 cloud. The security of the cloud is dependent upon the vendor providing it. It's as simple as that.
I've got clients that use online backups - they are backing up to the "cloud". And it is very secure because the vendor has multiple sites with data replicated between them and performs backups as well.
Clearly that was not done in this case and this shouldn't cause everyone to get concerned, but it should cause everyone to look at how their data is protected if it is in a cloud.
Score: -1
|"The security of the cloud is dependent upon the vendor providing it."
Not quite. That is a very dangerous assumption! The "security" of the cloud is the customer verifying the security claims of the vendor providing it, and regularly auditing those claims. Ultimately, the customer is responsible for the security of their own data, no matter the location.
"I've got clients that use online backups - they are backing up to the "cloud". And it is very secure because the vendor has multiple sites with data replicated between them and performs backups as well."
And those backups in those multiple locations are all airtight "secure." The more locations, the more risk for your data, including transport, storage, ACL, etc.
Score: 0
|It's not an assumption - it is a fact. You can't control the security of your data in the cloud - that is up to the vendor you choose.
You do make good points and it is important to get information on how they secure your data and how its backed up...etc.
I wouldn't trust any vendor that didn't provide this and have a 3rd party audit at regular intervals. Most of the major corporate providers of cloud related services do.
Score: -1
|Yes, everyone is correct they should keep a back-up and they were PAYING t-mobile/Microsoft/danger to do that.
I will guarantee everyone of you internet tough guy "data security admins" (level 1 help desk goons if your lucky) has a all of your contacts and email "in the cloud" on your AOL account. Give me a break.
Score: -1
|"I will guarantee everyone of you internet tough guy "data security admins" (level 1 help desk goons if your lucky) has a all of your contacts and email "in the cloud" on your AOL account."
AOL still exists?
I usually stop reading when I hit the "guarantee" bit as that is a dead giveaway the rest is going to be pure BS, but in this case I am glad I continued reading so I could get to the part where you insulted everyone on the site.
(Oh, and no, I am not defending anyone or anything here, just being amused by your need to make yourself feel better by imagining we're all "level 1 help desk goons" who use AOL.)
But hey, whatever helps you sleep at night, man. :)
Score: -1
|Yes, you should invest all your money in a company called Enron. It's a sure win!
As with investments your important data can't be stored in just one place or relied to just one company/person. It's a rule of thumb, you know.
Score: -1
|Yes AOL has a market cap of 23B. Strange you would think it no longer exists, being so large.
Score: -2
|Engage your sarcasm filter, mj...
Score: -1
|I believe there are many of us who have sat back as this whole 'cloud computing' garbage has been bandied about and giggle a little bit inside. Let me just go ahead and say it: "if you are trusting your data to this cloud, YOU WILL LOSE"...in more ways than you know. Do yourself a favor and back away from the cloud.
Score: -1
|Bingo.
Loss of data, compromised data, you name it. Keep it out of the cloud.
...and get the hell off my lawn.
Score: -2
|I'm not so against the cloud but not having a local backup isn't wise at all.
Score: -1
|Yes, the end user always bears the ultimate responsibility, but that in NO WAY excuses what happened with the Sidekicks.
I'm sorry, but there is simply no excuse for an enterprise-level service provider not keeping multiple redundant backups of data their customers are PAYING them to keep safe. None whatsoever. No attempts to share/s*** blame onto the end user changes that.
They are going to get sued for this, and they deserve to lose.
Good point about these services needing to be more pro-active in training their users to make personal backups, though. But this probably opens up headaches the marketing departments don't want to deal with. Basically, the company would be trying to convince customers to trust them LESS. To most of us, that sounds like a good thing. To marketing executives and company lawyers, that sounds like an invitation for trouble.
Edit: why is the comment system editing out the word "sh1ft"? As in "to sh1ft gears". Guess it's close enough to that other word... Weird.
Score: 1
|They will be sued, but they will prevail. I bet there is enough legalese in the customer agreement to get them out of it.
But your right there is no excuse for this. But there is nothing that can be done now. Those that have a backup are safe. Those that don't aren't like parts_girl.
Score: -1
|I am a sidekick customer that lost all my data - what you're saying is its my fault because I didn't back up? I thought I was paying T-mobile for the service so that I could log into t-mobile.com and get my data as it was stored on a server? I used to sync data - like in 2003 when I had a ipaq - aren't we over that now?
Score: 1
|No we aren't over that now. You trusted Danger (now Microsoft) with your data and what did they do with it. They lost it. What do you get. A free month and an apology. It's your data ultimately your responsible for it. I bet if you read the terms of your agreement with t-mobile it excludes them from being responsible for losing your data.
Score: -1
|I am not blaming you, but, everyone knows to always keep a backup. It's just common sense. T-Mobile/Ms dropped the ball here, yes, but it was your data. I want to liken it to if I drop my treo and it breaks, who is at fault for the data loss? I am! If I didn't have it backed up, it is 100% my fault. Chalk it up to experience.
Score: -1
|I'm sorry to eco everything that was said, but I see you had an ipaq, and you use this site so I can assume you know a thing or 2 about technology. That being said it is almost common knowledge to always backup to at least 2 locations. In this case your primary backup would have been with t-mobile/MS, and the second backup should have been your pc. There is a reason why there is still a usb port on your phone, on the blackberry, and every phone I can think of. So you can plug it in, so you can back it up. Looks like you learned your lesson the hard way. Personally, I learned mine from profs saying that if you don't have 2 backups of your projects, then don't complain to them when your hard drive(s) fail.
Score: -1
|I totally agree. If it's your stuff it's your responsibility to have a backup.
Score: -1
|The problem with life today is: we have insurances to cover insurances,admendments to cover prevous admendments, warranties to cover warranties, and nobody wants to admit they were wrong for mis-leading you to believe that you as the consumer... you are safe. What ever you buy today, there is a loop-hole.. somebody needs to get a grip on these loop-holes and make the people responsible and pay instead of reapin the rewards of defective products and services, and only havin the "Laws" backing them up! Please???
Score: -2
|