US based Nirvanix - reputable, credible, and established in 2007 - gave its users two weeks’ notice to move data to new providers before it shut on 30 September. Having to find other cloud providers that could host the virtualised computing environments and software, and then transfer terabytes of data on virtually no notice, was an enormous task for users.
Fortunately, it offered a similar environment to IBM SoftLayer, Amazon S3, Google Storage, and Microsoft Azure and its stern advice was to stay with these providers or risk another meltdown.
In this case, data could be moved to other providers. It created a lot of inconvenience and unexpected costs - data transfer, many person-hours in supervision, testing and reconfiguring, and a certain chaos as data was locked during copying - but it was doable.
The Nirvanix closure raises issues of governance, risk, and data security for enterprise cloud users. It also raises issues for consumers who may place similar value on their precious and irreplaceable photos, music and video collections, or small business that often takes the bargain route opting for the cheapest cloud environment over the most stable.
First is the question of pedigree. Who is the provider? Is it well funded? How is its existence ensured? What will happen if it closes unexpectedly? What is the Plan B?
Companies of the ilk of Microsoft, Amazon, IBM, et al should be a sure bet. There are no official figures for the number of cloud hosting companies but it is in the order of millions ranging from ‘The best exotic Marigold storage’ to the aforementioned. Disturbingly there is also the new breed of ‘cloud brokers’ that simply sell surplus space on any cloud, anywhere, for the lowest cost.
Analyst firm Neurtalix strongly advises enterprise cloud users to think carefully about the balance between outsourced and in-sourced storage. Cloud storage is an unregulated environment with relatively low or no barriers to entry and providers will face financial and/or operational challenges resulting in more consolidation and bankruptcies.
It strongly counsels that legal advice be sought on cloud storage contracts especially about the responsibility of ensuring the governance and compliance of digital assets.
Second is the issue of enforceable guarantees in the event of failure.
Once data is moved to a new provider deleting it from Nirvanix servers is no guarantee that it cannot be accessed in the future. The servers are leased - hardware will go back to the leasing company for resale. Will there be enough funds to properly scrub the data? Are precautions in place to ensure total data destruction (mechanical destruction of hard disks)?
What happens if a third party targets the disposal with the specific aim of data recovery to sell on a secondary or black market? What will happen in the event of illegal use of this data? Who is responsible when a company is bankrupt and ceases to exist as a legal entity?
What about the shadow data, off-site backups, snapshots and more that Nirvanix needed to make in order to offer a reliable service? Or the virtual machines set up for the customers use? How will the customer know whether this data and infrastructure will be destroyed or that it is simply not languishing somewhere else, effectively under another party’s control.
The move to the cloud makes sense. NIrvanix has handled a difficult situation as best it can by helping its users migrate to what it considers stable providers. But the cloud storage industry is largely unregulated and servers can be invisible. You may be dealing with an Australian company but the servers could be in Russia or India. The purpose of this article is to bring attention to the issues.
A global enterprise that I am associated with has looked longingly at the cloud as a means of doing business everywhere but in the end has set up its own cloud with its own resources saying “No one ever cares more about your data than you do”. Sobering advice.