Perspective on Remote Access To Your Documents Today (updated)
Thursday, December 08 2011 @ 09:17 PM PST
Contributed by: Richard Pitt
This article has spawned a request for me to speak at VANLUG (Vancouver Linux Users Group) technical meeting on Monday, January 16, 2012. See the notes at the bottom for links about this.
My lawyer phoned me the other day and asked me my opinion on using one of the "cloud" services to access his files when he is out of the office - using his cell phone or his laptop. "Is this a good idea?" was his question. "A bunch of us are sitting here talking about one such service and it sounds pretty good - what is the catch?"
It's like he enjoys feeding me the straight lines just because he likes to see me bat them out of the park, to mix a few metaphors so to speak.
My first response was "why do you want something that you've already got? You have your files on a server that has an internet facing link. All that is needed is a bit of security setup on your laptop and you're good to go."
Of course that's not the only thing that needs setting up, but it is almost that easy, at least for him. The question is, why isn't it a good idea for his friends if they don't already have such facilities at their own offices? Lots of answers if you read on.
Whose Data Is It?
The first question you need to ask yourself is - is this my information or am I bound by privacy or other rules as to what I can and can't do with it?
As a lawyer, my friend is bound by many different laws as to what he can and can't do with the information that is in his files - in many cases it is his clients' proprietary and confidential information and not even the police with a warrant can have access to it.
In other cases, it is information covered by privacy legislation in one or more jurisdictions. This complicates things even more.
Your own corporate files for your proprietorship or sole-ownership corporation - that's pretty much on your head. Customer files with things like their payment information (credit rating, credit info, credit card/bank info, etc.) - not on your life, at least not without a major encryption setup and a non-typical cloud systems setup.
In the Cloud, Who Controls Your Data?
This is really the kicker. Is the data you're uploading to this remote service company (aka "the cloud" whatever that means) fully under your control, or do they have some say in what gets done with it?
Is there anywhere in the company's policies or procedures where they state that upon removal by you of your data they guarantee that all copies will be removed? Even backup copies?
Is there anywhere in the service company's products/procedures where you can actually get a full dump of all your data delivered to you in a format that is readable by software you already have that did not come from that company (i.e. non-proprietary software)? This means - can you get all your data back so that you might for example move it to some other company's facilities? Google, for example, makes this easy but other companies don't; often either not providing the facility at all, or making it part of a "premium" package only that you have to pay extra for.
Is your data stored in an encrypted fashion where you, and only you, have the keys to decrypt it? Are you sure? If the service provider does the encryption and provides you with the keys but does not provide you with information on the underlying encryption technology, either they may keep a copy of the keys, or the technology may provide for a "back door" for the likes of the government or other "interested" parties.
What happens to broken/obsolete hardware that the service provider takes out of service that might contain your (and others') data? Is it dealt with in a secure and private way to erase or otherwise make the data un-retrievable once the hardware has been sent to recycling?
This is the type of question you need to ask of your service provider - and in fact the answers should be already available in their FAQ or policy statements.
Where Does Your Data Exist? Does This Matter?
In the cloud you never know where your data actually resides if the company has more than one facility. In fact, it may reside in multiple places or be spread across not only multiple locations but multiple countries. Does this matter?
This is a great question - and the answer may not be what you think. If your data is like the BC Medical Service's data, it is by law not allowed outside of Canada. This came somewhat as a surprise to the company that has its data processing contract. The company was about to consolidate its operations and close its Canadian data center when this was brought to its attention. Guess what - the Canadian data center is still open and in fact they're using this as a selling point for their services in Canada.
If your data is of a legal nature or might be subject to subpoena/discovery then it also matters since such subpoena/discovery laws are different in different jurisdictions. It also for that matter may be subject to different privacy and/or reporting laws as well.
In another twist, some of the US states (and likely other jurisdictions will pick this up as governments find themselves more and more strapped for cash) have been using almost any excuse to attribute a "business nexus" to somewhere in their state for taxation purposes, including things like having an otherwise unmanned warehouse or having a web site hosted on a system in the state. One state, Texas, has passed laws that make their state specifically exempt from this so that Texas service providers in fact can attract companies that otherwise don't have any business ties to Texas without the customers fearing a taxation nightmare. The list of states that have gone one way or the other on this policy is changing daily; you need to know.
What Happens If the Service Company Goes Bankrupt or Gets Sold?
OK - so you're happy with the service policy and facilities and taxation and all that, and you sign up with XYZ company and are getting great service from them. Then all of a sudden you can't get at your data and find out that the company is in bankruptcy (or was sold) and the trustee or purchaser has control of all the facilities.
The first problem is, you don't have your normal access. Hope you have backups of your files somewhere "off site."
The second problem is, the company you signed the contract with no longer owns the hardware your data is stored on, the bank (or some other company) now does - and they are not bound by the terms you signed on to. They re-purpose the hardware and fail to wipe it. Your data ends up being accessible to somebody (anybody) who purchases service from the new owners and you're toast. Worse, they actively go through the data and mine it for "interesting" stuff and sell that off as part of the assets of the bankrupt company.
The loss of access to data has already happened to customers of failed cloud companies and there is no reason to expect it will stop happening.
The loss of security of the data has also happened - including the sale of the supposedly private data.
What are the Alternatives?
OK, now you're as paranoid of cloud service companies as I (and many others) are. What is the alternative?
As little as a year or so ago, the biggest problem with trying to provide remote access to business files directly from the business' own servers was the slow outbound link speeds the typical business internet link provided. Having only a 500 Kbps outbound link meant that the typical ADSL or cable modem link was simply too slow for reasonably timely access to large files. This is in fact the major reason for the rise of the cloud file service providers.
With the latest products from many of the major (and a lot of medium sized) ISPs, this limitation no longer holds true: the new DOCSIS 3 cable modems, together with cable bandwidth freed up by dropping analog cable channels, provide up to 150 Mbps upload speeds, and the new VDSL modems for telephone facilities provide 30+ Mbps upload and download speeds on standard telephone circuits.
Yes, the link will be more expensive, but then again you won't have to pay the cloud service provider and you'll have complete control over your data; something that in itself is priceless.
Today's laptops and even smart cell phones have enough power in their CPUs to run Virtual Private Network encryption software without resorting to hardware acceleration devices such as special firewall routers as has been typical in the past.
With a bit of setup on the office server end, possibly including provision of a new, separate server that only holds files authorized for remote access, you should be able to access such files from almost anywhere on the planet pretty much as if you were sitting there in your office. The key is that outbound link speed.
Having an outbound link speed of at least 3-5 Mbps will mean that all but the largest documents should be available to you in less than 1 minute; usually much less than a minute. You'll browse your file store pretty much at the same speed as you would from your desktop. Having an outbound link speed of 10-15+ Mbps will make it almost like being there in the office unless you have a lot of employees remotely accessing things all the time.
I won't get into how this could be handled by a Windows server, suffice it to say that the technology exists in that product line.
If you have a Linux (or other *nix-powered) server as most of my customers do, the VPN software is available and the typical server hardware today can easily handle tens, if not hundreds, of such secure VPN links directly from the server. There are some setup issues that mean you should get a professional to set you up and ensure that all your bases are covered, but such setup is getting easier and easier all the time.
Today's computer systems have so much spare computer power over what is really needed to provide back-end server facilities that offloading the encryption details to such processors hardly impacts their overall speed at all for the most part.
This is what my lawyer is going to be doing - using his Linux server that provides Samba file services to his desktop Windows workstations to also provide secure VPN access for him to access his several gigabytes of client files anytime, from anywhere. He already has a dedicated hardware-provided (via his firewall router hardware at each end) link to his home. This will just extend the facility to wherever he takes his laptop.
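One of the "bases" that a VPN-fronted Samba server needs covered is that the file shares must never be reachable from the Internet-facing link itself, only through the tunnel. The script below is an added example (not the article's or the lawyer's actual setup) that generates such a firewall policy plus the matching Samba binding; the interface names eth0/tun0, the VPN subnet 10.8.0.0/24 and the VPN port UDP 1194 are assumptions.

```shell
#!/bin/sh
# Added example: expose Samba only over the VPN tunnel, never on the WAN interface.
# Assumed names (not from the article): WAN eth0, tunnel tun0, VPN subnet 10.8.0.0/24,
# VPN endpoint listening on UDP 1194. Override via environment variables.
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the iptables rules. Add your own management rule (e.g. SSH from the LAN)
# before applying, since the default INPUT policy below is DROP.
samba_vpn_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service reachable from the Internet is the VPN endpoint itself.
iptables -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
# SMB/CIFS (445) and legacy NetBIOS (137-139) only from the tunnel and the VPN subnet.
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
# Log and drop SMB arriving on the WAN side so any exposure attempt shows up in syslog.
iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports 139,445 -j LOG --log-prefix "SMB-from-WAN: "
iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports 139,445 -j DROP
EOF
}

# Matching smb.conf [global] fragment: Samba itself listens only on loopback and the tunnel.
samba_bind_fragment() {
  cat <<EOF
[global]
   interfaces = lo $VPN_IF
   bind interfaces only = yes
EOF
}

# Self-check: no generated rule may ACCEPT SMB on the WAN interface.
check_rules() {
  samba_vpn_rules | grep -- "-i $WAN_IF" | grep -- "445" | grep -q ACCEPT && return 1
  return 0
}

# Default action is to print; APPLY=1 (as root) feeds the rules to the shell.
if [ "${APPLY:-0}" = "1" ]; then
  samba_vpn_rules | grep -v '^#' | sh
else
  samba_vpn_rules
  samba_bind_fragment
fi
```

Run it once with no arguments to review the rules, then with APPLY=1 as root on the server; the Samba fragment goes into smb.conf followed by a Samba restart.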
That was easy.
Notes and Links:
- VANLUG technical meeting - appears to be limited to a small number (24 or so) of attendees - sign up at the meetup.com site and then show you'll attend at the meeting page (must be signed in to meetup to see the venue, etc.)
- Great article summing up some of the potential problems with cloud computing
- Asia Cloud Forum has a pair of articles on this as well - the first on data recovery and e-discovery and the second that deals with vendor bankruptcy
- In amongst some interesting counter points to Bruce Schneier's article on problems with cloud computing, this blog entry at Rational Survivability includes some points that hinge on the definition(s) of the cloud environment and is worthy of a read too.
- Texas Fixes Tax Problem for Hosted Services - out-of-state businesses no longer in fear of being taxed just because their web site or data is hosted in Texas. This goes to show that while some states are working hard to find ways to tax any/everything that comes their way, some of them actually understand the problem. Texas is now a great place to host business computing systems.
- Wikipedia's Internet Taxes page - pay particular attention to the Location sections