Trust is absolutely fundamental in any relationship—if we hadn’t grasped that already, then the PRISM scandal certainly exposed it. Trust in our government, trust in our service providers, and ultimately trust in other humans. But to what extent can we trust other organizations with access to our data, and the people within those organizations, to manage it appropriately and respectfully?
In a post-PRISM landscape, it feels like the rulebook has been ripped up. Those who are sensible may still seek to hold data preciously close, but the revelation of Edward Snowden’s documents—detailing how the NSA broke into technology companies’ datacenters—begs the question: is anything safe online? The discussion has worryingly shifted from ‘how do we keep our data safe?’ to ‘how do we reclaim control of our data?’
Cloud services are precariously placed in this debate, given that data is stored and transferred virtually. Before a user invests time and trust in a service provider, several important questions need to be answered: most notably, whether the service provider acts responsibly with data entrusted to them, delivering the safe and secure service promised.
Ultimately, trust is always relative to control, and how much trust you have in a provider rests on how much control you retain. The first and foremost requirement is therefore choice. If a service is only available from one provider, you are out of luck. Creating choice, and finding and securing control, can be defined by ‘four commandments’ as follows:
- Is the same service available from several providers?
- Are there tools to move from one provider to another?
- Is the service available as software?
- Is the source code of the software published?
Much in the same way we do our homework before choosing a bank, we need to ask if our cloud needs can be met by different providers. Cost may have historically been the deciding factor, but now our trust in the provider to act responsibly with our data is equally, if not more, crucial. It’s a point of differentiation.
The recent bankruptcy and rapid shut down of Nirvanix reaffirms to some that service providers are fallible, and demonstrates the ease with which cloud services can fail. We don’t need to look too far back into the history books to remember that Iron Mountain closed its public cloud offering and Vaultscape shut down its services, due to lack of adoption; and in the case for EMC’s Atmos Online, a provider cannibalized its own market. All of these instances—past or present—serve as a reminder and forewarning that we need to know we can easily move our data, should we need to. This ease of migration also becomes important if our trust in their services were to wane.
Finally, the need for the service to be available as software is essential. If we feel like we cannot trust anybody other than ourselves, we must be able to run the software on our own premises. It gives us flexibility; and flexibility of choice is fundamental to control.
The first three commandments must be met for us to have true control, but the fourth adds extra security, since it asks if we have absolute trust in the provider of the software. If the source code is open—and more importantly, if it is published—we can eliminate any dirty tricks that may exist in its fabric.
If as customers we adhere to these four rules, data security has been fully considered and a shutdown becomes much less of an issue. It also gives users the flexibility to move to another provider at any time, and for any reason, or to bring the service in-house, running it on-premise.
Ultimately, if we’re in control of our data, we’re in control of our destiny.
Rafael Laguna is CEO and co-founder of Open-Xchange.
Image: Mikko Lemola