Cloud Views Conference Presentations

The recent Cloud Views conference presentations can be viewed below:

Could you lose your data on the Cloud if your virtual instance is seized because of another users nefarious activity

Imagine the scene. You have set up your Cloud related service / business or you finally decided to make the move to the Cloud to save costs and get better flexibility. You are happily poodling along when wham ! You get notice that your service is down and the data has been taken by a law enforcement agency who have taken the actual physical servers where your virtual instance resides. You have lost your service and more importantly you have lost your data. You can’t go to a backup as the provider has had to hand all those across to. In the meantime you can do nothing. Your customers go elsewhere, your reputation takes a hit so new customers don’t want to use your service, that is assuming you can get it back online again.

Sound far fetched ? Well have a look at the case of Liquid Motors whose servers and backup tapes were seized when the servers at Core IP Networks were taken by the FBI  due to an investigation into VoIP fraud. Matthew Simpson, the owner of Core IP networks, who provide server and co-location facilities in their data centres, had this to say in a letter posted online:

” Dear Customers,

Today at 6:00am, the FBI conducted an unwarranted early morning raid of our 2323 Bryan Street Datacenters, on the 7th and 24th floors.     

I received a phone call at 6:05am from our NOC that the entire network was powered off. I called Capstar Commercial and TELX, our landlord, and was told that the FBI was in the datacenter with a search and seizure warrant. I asked that the agent in charge call me immediately.

I received a call 15 minutes later from FBI Agent Allyn Lynd. Mr. Lynd would not tell me why he raided our datacenter or what he was looking for. He also accused me of hiding inside my house in Ovilla, Texas. I was actually in Phoenix, Arizona when this happened. I told him that, and he told me that he was “getting the dogs” after me, and hung up on me. I found out from an employee that there were 15 police cars and a SWAT team at my home in Ovilla.

The FBI has seized all equipment belonging to our customers. Many customers went to the data center to try and retrieve their equipment, but were threatened with arrest.  

Neither I, nor Core IP are involved in any illegal activities of any kind. The only data that I have received thus far is that the FBI is investigating a company that has purchased services from Core IP in the past. This company does not even colocate with us anywhere, much less 2323 Bryan Street Datacenter. 

Currently nearly 50 businesses are completely without access to their email and data.  Citizen access to Emergency 911 services are being affected, as Core IP’s primary client base consists of telephone companies. 

If you run a datacenter, please be aware that in our great country, the FBI can come into your place of business at any time and take whatever they want, with no reason.”

Wow! Now this allegedly affected 50 customers who could not get access to their email, services or data. According to the blog post Liquid Motors were put out of business because of this seizure as it ” is in breach of its contracts with automobile dealers throughout the country.” Liquid Motors tried to get their servers through the courts but were refused by a U.S. district court. You can find a PDF copy of their application here.

So what does this tell us ? Well, it highlights some of the complexities that you have to take into account when moving to the cloud. In the example above this was a basic hosting service, a first generation cloud if you like. The same rules apply to public cloud though. If you are on a virtual instance on a physical server where other virtual instances reside and the owners are doing some sort of illegal activity you could lose your data, services and ultimately your business.

Ultimately there are many patterns of use for the Cloud. All data could be hosted internally and application services externally. If you have a backup of the application services getting back up an running again will mean the impact is trivial. Ultimately the same rules apply to other forms of disaster recovery. Make sure you have a DR plan in place before you commit your business to any external host, be it a hosting service or public cloud.

Will the Cloud survive regulation ?

cloudprivacyA complaint made by The Electronic Privacy Information Centre to the US Federal Trade Commission could lead to Google online services being closed down. They want Google shut off until Google adopts procedure and standards for safeguarding confidential information. The Financial Times reported:

In a 15-page complaint to the FTC, the Electronic Privacy Information Center (Epic) said recent reports suggested Google did not adequately protect the data it obtained. It cited vulnerabilities that revealed users’ data in its Gmail webmail service, Google Docs online word processing and spreadsheets and in Google Desktop, which can index users’ information held on their hard drives.

European privacy laws are much more stringent than UK privacy laws:

“In the European Union, a user basically has the right to be informed about how data are used (notice requirement), and to prevent any use he does not agree to (consent requirement). In short, and a bit simplified: Without consent use is forbidden. In essence, this mechanism resembles to any other Intellectual Property rights (such as Copyright, Patent and Trademark rights).

The U.S. do not have a framework similar to the European one. As a general rule, whoever has unrestricted access to data “owns” it and may use the data to the extent as such use is not forbidden.”

It remains to be seen whether this will result in providers of cloud services having to  to restrict or change their service based on the country in which the service is being used.. To a certain extent we have already seen a form of this with the restrictions Google have had to impose on UK YouTube viewers because of an inability to agree terms with the Performing Rights Society (PRS). The end result of such restrictions across all clouds could well result in Cloud that are accessible in some countries but not others. 

For more stringent regulations such as  SOX and HIPAA , the way Cloud can move and backup information means that  there may be instances where information can have more than one legal location at the same time. This could be potentially disastrous and they way this may be analysed may not be just from the cloud information store but form the Router up. One can imagine a court scenario in which routing tables and IP headers are produced as artifacts to prove the legal status or jurisdiction of where data has or does reside. This could lead to new laws which could force cloud providers to check user data or impose restrictions based on country of origin. This is likely to become more and more of a reality and in fact we can start to see some of this happening right now. Examples are the UK government forcing ISP’s to keep all email data and specialised hardware such as the CopyRouter with deep packet inspection of data.

Once could argue that without such stringent measures, the  legal uncertainties to the the status of information in the cloud may actually end up preventing businesses and companies actually deploy applications and services to the Cloud which would not be good for anyone involved in Cloud Computing.