Data security in cloud computing - Part 4: Cloud data storage

A number of questions about adopting public clouds have to do with what might happen when an external cloud becomes business-critical for the organization. One of these questions involves concern over cloud lock-in.

As George Harrison wrote in the song Stuck Inside a Cloud: "Talking to myself, Crying out loud, Only I can hear me, I'm stuck inside a cloud."^C,4 The concern here is that once you become dependent on the services of a cloud provider, you may find it extremely difficult to switch providers due to any number of technical reasons.

In one lock-in example, a company may subscribe to a specific public CSP service as their customer relationship management tool. This service may consequently end up being used to house all of the company's data relating to their customers. The company may invest significant effort in customizing rules or reporting routines in their use of this service. The service may also become the primary reporting engine that provides management insight to the health of the business.

If the service entails proprietary formats or APIs, then the service subscriber may very well not own anything other than the data. If the company decides to discontinue the service, then the organization may retain no value for any effort they performed in tailoring the service for their needs. If the data formats are proprietary, the company could conceivably face serious challenges when migrating their data to a replacement system or service.

Metadata
Further questions in this lock-in scenario might include what happens to a customer's data when they terminate their service? Who else might be able to access it? This is further complicated by the fact that if the organization used the cloud service over a considerable length of time, then it is almost guaranteed that there is a tremendous amount of data that was developed by simply using the cloud—sometimes referred to as cloud metadata.

Metadata is simply data about data, or more precisely, it is high-level information about such things as to where the data came from, who performed what operations against it, and when changes were made. But cloud metadata that is developed may include other very valuable information that records associative context based on users and their relationship with content. In a SaaS solution, this kind of information may be developed over time by the CSP's software.

Back to the question of what happens to the metadata if the subscriber decides to discontinue use of the service. While planning their use of a cloud based service, customers may overlook such questions as what will happen if they become so reliant on the service that it becomes impossible for them to replace it.

This can have important bearing on the customer's very business—enterprises adopting a cloud might not have any intention of ever leaving it, but there can be extenuating circumstances where their departure from the cloud might be required. For instance, what if the cloud provider goes out of business or if their business model changes? By example, Facebook has undergone a significant change from a private-based business model to a more open model.

^CStuck inside a cloud was the seventh track on George Harrison's posthumous album Brainwashed. Fans will note that seven was Harrison's favorite number, and the seventh track was supposedly his favorite for all his albums. (Oddly enough, Googling seven and information security will return a number of interesting results that have nothing to do with either George Harrison or cloud computing.)