In a recent article our friends over at storagenewsletter.com asked an important question, “Is Cloud Storage Risky for Users?”. Our answer is that cloud storage is only as risky as you make it. In other words, an organization that’s planning on storing data in the cloud needs to take specific steps to make sure their data is safe. In this column we will walk through each of the concerns that the storagenewsletter.com article raised and provide you ways to address them.
Confidentiality and Security
Confidentiality and security are always top concerns when an organization considers leveraging the cloud to store their information, and certainly legitimate ones. To address this the organization can make sure that the data it chooses to put into the cloud is ALWAYS encrypted. This means it must be encrypted while in transit to the cloud storage provider but also encrypted while at rest in the cloud.
But encryption is only the first step. Just as important for the organization is managing the encryption keys. Ideally the organization would be the sole owner of the keys and its authorized employees would be the only ones who can unlock the data. If the organization chooses to let the provider hold the keys then the provider has the ability to deliver the organization’s data to outside authorities, if pressured to do so.
Key ownership does complicate things. For example, if the key is lost and there is no way to recover it then access to the data may be lost with it. Also, if all data is encrypted then the provider is limited to what they can do to assist the organization. For example, if the organization is backing up its data to the cloud and the provider has the keys, the provider can assist with restores and backup jobs. Without those keys it can’t. But there are ways around this. Some solutions have the ability to give the provider a temporary key that expires after a certain period of time.
Data Ownership, the third item cited by the storagenewsletter.com article, is also addressed by a complete encryption strategy. If the data is encrypted prior to being sent to the cloud and while it is stored, then the cloud provider really has no access to it, so it doesn’t matter if they claim ownership or not.
Slow Internet Connection, Especially for the First Backup
The speed of an internet connection is typically more of a concern for backup than it is for file sharing. As the storagenewsletter.com article states, a backup solution has to get that first backup job completed, it also has to get a full restore completed in case of a server failure. The in-between jobs are easily handled thanks to compression, changed-block level backups and deduplication. Completing the first job is generally best accomplished by a seeding process where hard drives or tape drives are sent to the provider, followed by a quick-sync once that initial baseline of data is loaded onto the provider’s storage.
Recovery can be handled the same way, as it will often be faster to ship the data than trickle it through an internet connection. Another option is Disaster Recovery as a Service (DRaaS), in which the recovery happens in the cloud and no data needs to be sent back to the organization until the immediate return to operations demand is meet.
Cloud Interruption
For both backup and file sharing situations there is also the concern of the provider’s service being interrupted for one reason or another. This can come from an internet connection issue or a problem with the provider’s infrastructure. The best workaround for this problem is to have a hybrid type of solution that keeps the most active data set local, or in backup terms the most recent data copies local. Assuming interruption of service is short, the local appliance should see the organization through.
Service Suspension
As the storagenewsletter.com article correctly points out very few cloud storage providers have actually closed their doors. But as the market matures it is reasonable to expect that the organizations chosen provider may cease operations. There are two methods to address this challenge. The first is to mirror data between two providers. This not only protects against a failure of either provider it also will protect against a temporary outage as described above. The chosen solution to backup or share data via the cloud would need the ability to support a dual cloud back end. Many of the solutions on the market today do not. There is also the obvious cost disadvantage, since using two providers means that affordable cloud storage just doubled.
The alternative is to be prepared to scramble in the case of an outage. While this does not sound like planning it can be a viable ‘strategy’. In every case of provider shutdown there was time for companies to get their data out of that provider and move it either on-premises or to another provider. While not a strategy to brag about, it so far has proven to work and it is certainly more cost effective than the mirrored cloud option.
StorageSwiss Take
The downside to all of the above steps is that each makes the cloud a little more complicated and expensive. But they do make storing data in the cloud a lot more tenable for organizations. What extent the organization will go to to address these challenges is largely dependent on the organization’s data sensitivities. That said, for almost any organization an appropriate cloud design can be created to securely store the most sensitive of data sets.
One challenge that the storagenewsletter.com did not address is the cost of the cloud. While the monthly cost of capacity may be attractive, the on-going cost may become too much over time, and will most likely increase. We will discuss this challenge in a future column.
Click Here To Sign Up For Our Newsletter
George Crump is the Chief Marketing Officer at VergeIO, the leader in Ultraconverged Infrastructure. Prior to VergeIO he was Chief Product Strategist at StorONE. Before assuming roles with innovative technology vendors, George spent almost 14 years as the founder and lead analyst at Storage Switzerland. In his spare time, he continues to write blogs on Storage Switzerland to educate IT professionals on all aspects of data center storage. He is the primary contributor to Storage Switzerland and is a heavily sought-after public speaker. With over 30 years of experience designing storage solutions for data centers across the US, he has seen the birth of such technologies as RAID, NAS, SAN, Virtualization, Cloud, and Enterprise Flash. Before founding Storage Switzerland, he was CTO at one of the nation's largest storage integrators, where he was in charge of technology testing, integration, and product selection.
StorageSwiss.com - The Home of Storage Switzerland 
Well, there is a tendency to think of cloud storage as something unique to what is offered by public cloud storage providers. The fact of the matter is you can operate your own private cloud storage and avoid some of the issues Mr. Crump addressed with regard to using public cloud storage. When it comes to encryption, not everything needs to be encrypted. For data that is encrypted before it is stored or data that is encrypted when it is stored, there are issues regading key management. In the end, it will be someone’s responsibility to do key management. Warrants or “national security letters” demanding access to data are matters that public cloud storage providers and private cloud storage owners have to address with their legal counsel. That said, it would be worthwhile to work through that scenario before any demands for data are produced. Forklifting data into or out of strorage clouds is nothing new and solutions are available. When public cloud storage provider Nirvanix shuttered their service in September 2013, it prompted many conversations about how to deal with it. Several solutions emerged in the discussions. One solution required that public storage providers escrow sufficient funds to wind down their business so that customers can retrieve their data. Another solution was for customers to pre-arrange access to the public cloud storage providers clusters if the service was going to be shuttered. This could take the form of several having third parties who are authorized or qualified to do this work by the customers and who are known to the public cloud storage provider. Given that nothing is risk free, you can take prudent measures when using public cloud storage. And if public cloud storage isn’t your first choice, then build your own private storage cloud on premises or in a colocation site or use both on premises and a remote location to lower your risk. The cost of doing it might be a lot less than you think and easier to do than you anticipated.