It seems like every company is putting business on the cloud. Cloud computing — or shared resources, software and data provided on-demand from a remote location — has become a new standard in the corporate business model.
So it stands to reason that the next incarnation of cloud computing would witness companies migrating to the cloud in an attempt to capture the savings to be had by shifting data from internal server environments to virtual storage environments.
And it’s no wonder — companies are drowning in data. A 2008 IDC Enterprise Disk Storage Consumption Model report showed that data needs are growing exponentially. Transactional data volume is growing at a compound annual rate of 21.8%, and the amount of unstructured data is also skyrocketing at a shocking 61.7% growth rate. Storing all that data is expensive. So companies are flocking to the cloud in order to slash costs.
These savings are tempered by an onslaught of new risks, however. And so far, companies are by and large either ignoring the risks or simply do not understand them. But one calamity could bring all the issues to the forefront-at a time when the company is least-equipped to deal with it.
What Is Cloud Storage?
Simply put, cloud computing is any virtual offering that is capable of handling numerous users simultaneously without requiring any vast changes to its architecture. Likewise, cloud storage is the sharing of storage space that allows users to purchase only the space they need, not a set capacity. What was once stored in your data center is now moved onto the internet and distributed into specified storage areas.
Cloud computing is not new. In fact, any company that deploys software as a service (SaaS) has a history in cloud computing. That’s because the software itself is housed elsewhere and runs remotely on the company’s desktops. Companies pay a licensing fee to access the software and share the infrastructure of each application with thousands of other companies, offering savings for all involved.
It is the same with cloud storage. Companies pay for storage of their data, which is housed along with data from thousands of other companies. Because a company purchases only enough space for its data, the costs are kept to a minimum.
In terms of disaster recovery and business continuity, cloud storage is a near-perfect solution. A company can often get up and running within one day of a catastrophe. This time savings is a large part of cloud’s appeal. In a post-9/11 world, fast recovery is a big deal-and an even bigger security issue. That is where cloud storage can benefit the most. “Because of the storage in multiple nodes, or locations, if something happens to one node, it doesn’t matter,” said Nalneesh Gaur, chief information security architect and principal for Diamond Management and Technology Consultants, Inc., a Chicago-based global management and technology consultancy. “The system is smart enough to reassemble the information and provide it to where it is being consumed.”
Traditionally in a disaster recovery scenario, companies rely on data housed — often far away — on disk, tape, the internet or off-site servers. Backup is the restoration model for all these methods — a process that is incredibly slow because the data is either physically being moved or digitally copied. That’s not all. Once the data has been recovered, it now has to be transferred to the exact location from which it originally failed.
After a disaster, the recovery time in a traditional scenario is often the wild card, according to Andres Rodriguez, CEO of Nasuni, a Natick, Massachusetts-based cloud storage gateway provider. “How much time is it really going to take to get that data back?” said Rodriguez. He estimates that restoration takes about three hours per terabyte of data, which could, depending on the amount of data, significantly hinder recovery.
By contrast, Rodriguez says that cloud storage recovery times can be as quick as seven seconds. “The key is to not have to move a truckload of data…Users simply have to re-establish access to the cloud,” he said.
Even those companies with large storage needs can realize savings through cloud storage. Storing files virtually can eliminate costly upgrades and halt endless additions of servers, space and staff. Adding storage as the company’s data needs grow is as simple as paying for it. “It has tremendous flexibility, efficiencies and economies of scale,” says Kevin Kalinich, national managing director of Aon’s financial services group for professional risk solutions.
One of the other benefits of moving to cloud storage is redundancy. It offers the ability to replicate data and store it in multiple locations. And this duplication of data in two or more locations essentially assures that there will always be a backup available — no matter how widespread a catastrophe is geographically.
Then there is the price of cloud storage options. Cost depends on the vendor, the amount of data stored and a company’s requirements for data mirroring, but it almost certainly beats the alternatives. “It’s done at $0.15 per gigabyte per month for the cloud storage piece,” said Rodriguez. “The cheapest online backup solution you can find today is $2.50. Other storage solutions weigh in at $5 to $6 per month at the high end.”
Of greatest concern for risk managers is the security of the data being moved to the cloud. The concern grows as companies relinquish control of data once stored-and protected-internally, with privacy issues quickly rising to the top of the list, says Kalinich. But he is quick to point out that compared with other vendors and storage solutions, cloud storage is far superior in terms of security.
For the most part, vendors do an excellent job of providing adequate privacy and security measures. But the experts warn that entrusting a vendor with the company’s security concerns without making sure the vendor is providing the proper security levels is short-sighted at best. It is not unlikely that a company would put data on the cloud and not think to encrypt it beforehand.
Risk management needs to address how to treat all data throughout the company — not just that data which resides internally. The methods used to treat data within the company must also apply here. “You have to make sure those controls extend into the cloud,” said Gaur.
Still, an even larger risk has emerged. “The biggest risk with cloud computing vendors is that they are providing very little by way of service-level agreements,” said Kalinich. “They’re including exculpation of warranty clauses in those agreements, saying they’re not responsible or liable for any data that is lost, stolen or damaged, and they’re not liable for the accessibility of your data. It’s an allocation-of-liability issue that needs to be addressed.”
Luckily, larger companies are beginning to negotiate away this liability with vendors. The city of Los Angeles approached Microsoft and Google to determine which company would satisfy its cloud computing requirements. And Los Angeles was able to negotiate service that included accessibility, liability, privacy, service level agreements that guarantee the availability of data, and responsibility for damages or losses of the city’s data.
That victory does not mean companies are now covered. Vendors have yet to remove the clause from their contracts. “[The contract with the clause intact] is the starting point the vendors are using,” said Kalinich. “But the large entities are not accepting that. They’re renegotiating the contracts to allocate the liability appropriately between the client and vendor.”
Another very real risk is that of the cloud storage provider closing its doors. If you store all your data with one vendor, are you putting all your eggs in one basket? You could be.
Suppose your vendor has three storage locations in Washington, California and New York. It may sound like your company has protected itself, but what happens to your data if the vendor goes out of business tomorrow? Relying on courts and debt collection agencies to release your data is not a plan. Your company has no guarantee that its business interests will be considered under the circumstances.
Gaur suggests looking at the worst-case scenario. “What if my cloud storage provider disappears tomorrow?” he said. “What will happen to my data? Those are measures companies have to carefully manage. You don’t want your data sitting with one provider. You want to use multiple providers for that data, depending on how critical the data is.”
Building Your Recovery Plan
After all the threats and benefits are weighed, risk managers whose companies opt to use the cloud for storage still need to craft a sound disaster recovery plan. Start with recovery time expectations and estimates. How long will it take your company to recover the necessary data in order to open its doors again? What data is critical for recovery? What data can the company wait until a later date to get back?
Rodriguez suggests the best way to recover data quickly, whether it is from the backup server or the cloud, is to actually refrain from doing it at all. Companies waste valuable time by trying to repopulate their servers with data they don’t need. “There are some problems that are better left unsolved,” he said. “You don’t need all the data back to bring a file server online.”
Users typically only need 3% to 5% of the entire data on file to kick-start critical operations. And for that, companies can pull the data from the cloud and access it in seven seconds or less. “In an organization with say 200 people, you may have 200 gigabytes that need local performance,” said Rodriguez. “You can restore that in a day over a regular internet connection.”
And this logic does not just apply to data restoration. Risk managers need to consider simplicity in all realms of disaster recovery planning. The more complicated the process, the more chances there are that something will go wrong. “Measure complexity by how many systems are involved and how many separate systems and vendors are involved,” said Rodriguez. “If there are a lot of parties, each one with their own systems and procedures, your IT department [will have] to coordinate.”
In the end, like any new technology, cloud computing has both its benefits and its drawbacks. But what do you see when you look into the clouds? It is up to each company to decide where its risk appetite lies.