Cloud Storage Hiccups Prompt Data Security Questions

Instead of "inherent risks" in using hard drives or DVDs to store data, users are better off paying pay a small fee and backing up data in the cloud.

The pitch from providers of hosted storage services sounds enticing. Instead of what these provider call the inherent risks in using hard drives or DVDs to store data, users are better off paying pay a small fee and backing up data in the cloud. Cloud storage providers pledge that putting valuable data into their hands is like keeping money in a bank.

However, cloud computing vendors continue to be plagued with periodic shutdowns and losses of customer data. Just last week, cloud-based storage service provider Carbonite Inc. filed a lawsuit charging that faulty equipment supplied by two hardware providers caused backup failures that caused it to lose data stored for 7,500 of its customers two years ago.

The problems have prompted some users and analysts to wonder whether "cloud computing" storage poses an unacceptable data security risk, particularly because users are depending on unseen infrastructures holding enormous data vaults that could easily attract the interest of hackers and electronic terrorists.

Michael Peterson, president of Strategic Research Corp., a market research firm in Santa Barbara, Calif., said he avoids using hosted storage systems because he doesn't trust them and because of the long-term costs. He noted that he once used Amazon.com's S3 hosted storage service to help his son set up a business venture. But once the venture turned to on-site storage systems once it could afford it, Peterson noted.

"Amazon is successful with small businesses, entrepreneurial startups -- people who don't want to invest in their own storage," he said.

Unless it's absolutely necessary, "You're a fool if you put personally identifiable information out there," Peterson added. "Vendors in this space have to be putting their trust message out there and try to prove it. But as a consumer, I'm not ready to trust again. And, I'm a suffocated user. I've been using this stuff for years."

Peterson also noted that some customers can become confused because vendors describe "cloud computing" in different ways. "Everybody wants to call what they're doing cloud," Peterson said.

Nonetheless, several major vendors offer hosted storage products, including storage vendors Symantec Corp. and EMC Corp., which offer the Norton Online Backup and Mozy products respectively. Several small service providers offer similar products while industry giants Google Inc. and Microsoft Corp. pursue their own hosted storage models.

Despite the promise of using the compute cloud to store data, incidents of hosted sites going down or losing data are beginning to pile up.

For example Amazon's S3 service was offline for several hours in February, which wasn't first time the service failed. Also, Xcalibre Communications' FlexiScale service suffered an 18-hour outage last year, and The LinkUp storage service shut down in August after losing access to unspecified amounts of customer data.

"You can't trust backup and storage in general," said David Friend, CEO of Boston-based Carbonite, in an interview with Computerworld today. "It's not just the cloud. Look at all the tapes that have been lost by people like Iron Mountain where they've got the stuff on a truck and the [driver] goes in to get his Dunkin' Donuts and comes out and the truck is gone."

"There's no such thing as 100%, fool-proof backup. You really need to look at the law of averages and figure out what's the appropriate level of security," he added.

Carbonite is suing Promise Technology and reseller Interactive Digital. The company contends in the lawsuit that US$3 million worth of equipment supplied by the vendors was defective. Specifically, an array from Promise allegedly lost its RAID capability due to a software glitch, causing all the data stored on the boxes to turn into "gibberish," Friend said.

Friend said the incident occurred nearly two years ago. In a response to the news stories that followed a Boston Globe item about the lawsuit late last week, Carbonite issued a statement that read, in part: "It is possible that readers will walk away from this with the impression that 7,500 customers were unable to restore their files from Carbonite. This is not the case."

Friend said Carbonite's systems restarted all the backups immediately and automatically, restoring the data and saving more than 99% of all the lost data.

Only "a small number of these customers had their PCs crash before their re-started backups were complete," the company said. "These customers were unable to restore all off their files from Carbonite. We took full responsibility for what happened, and I did my best to apologize personally to each of these customers."

Since the incident two years ago, Carbonite claims they have not encountered any further problems. The lawsuit is seeking a refund on the "defective products."

Siamak Farah, CEO of InfoStreet, whose hosted service targets small to medium businesses, said most companies don't have financial ability to hire full-time security experts who are paid $200 an hour to ensure data is secure. "If I sign a contract with a cloud computing company, I'm putting my data on their premises, and they're responsible for the security of that data," Farah said. "Depending on the nature of the data, agreements can be different, but in general hackers who try to come into those systems face double fire walls, security experts and double security audits."

Jeff Kyle group manager for Symantec's consumer products, the division that launched Norton Online Backup said a recent survey of Symantec consumer customers showed that 28% use external hard drives, 25% use CDs or DVDs, 15% use USB flash drives, 2% use online backup services, and 26% said they never back up.

"CDs and DVDs have got to be hard to catalogue -- just managing all those backups to CD or DVD. Not to mention it's hard to get incremental backups done that way," Kyle said. "USB flash drives have a similar issue. The storage is relatively small and you can lose it, misplace or have it stolen."

After Carbonite's equipment failure, users wrote in asking why the company did not do backups of backups, Friend said. "There are services out there that do backups of backups and you'll pay in one month more than Carbonite charges in a year. Our customer want to pay 50 bucks."

Friend said 99.9% of Carbonite's customer data loss is related to human error. "It's somebody who doesn't backup a particular folder because they don't understand where it is, and then when they go to restore it, it's not there."

While any big data center is bound to have hardware and software glitches, "statistically, if you look at the likelihood of losing three out of 15 drives in a RAID array, and a user losing the hard drive on their PC, it's probably going to happen every 15,000 years."

This story, "Cloud Storage Hiccups Prompt Data Security Questions" was originally published by Computerworld.

Copyright © 2009 IDG Communications, Inc.

7 secrets of successful remote IT teams