Chicken Little to provide cloud storage.

Storage Monkeys Blogs

Rants and Raves from the community

Chicken Little to provide cloud storage.

Posted by: mpyeager on October 22, 2009

Tagged in: Untagged

The sky is falling! Cloud storage and computing are the next Hindenburg! Run for your lives! Or so some analysts, news agencies, and bloggers would have you believe.

Whilst there have certainly been some very high profile cloud computing failures in T-Mobile’s Sidekick, as well as Google Gmail and Google Apps several times throughout 2009, it is important to put some things in perspective.

Now, I’m not going to have a go at any alarmist headlines or related ‘knee jerk’ behaviour from the media, analysts, or fellow bloggers. The fact is, we all have a living to make and let’s be honest ...with the information overload most average users face, it sometimes becomes vital to use eye catching headlines to sell column inches or drive web traffic.

Equally, whilst we will need to wait a while to discover exactly what caused the failures I mentioned above, there is very real reason to believe that they were most likely not caused by technology but, rather, were process failures as Chris Mellor of The Register discusses here.

Chris does raise some very interesting points in his article, but I am not convinced that the establishment of another trade organisation is the right answer to protecting users from future failures in cloud storage. Indeed, during the most recent T-Mobile Sidekick outage SNIA, the Storage Networking Industry Association, said ...nothing. What made this even more profound was the fact that SNIA had announced the launch of their Cloud Storage Initiative on the same week that the T-Mobile Sidekick outage occurred. A very robust debate by storage professionals with Wayne Adams, SNIA Chairman, ensued on Storage Monkeys here.

So if I’m not advocating the establishment of yet another trade organisation to certify and regulate cloud providers, what’s the answer?

Not wishing to oversimplify or be dismissive of Chris’ views, but I think there are two answers here.

First, let’s be pragmatic regarding the amount of data customers are likely to store in the cloud. We know that, in an average customer environment, 80% of the stored data is likely to be unstructured ...email, PowerPoints, MP3s, etc... leaving 20% structured ...databases, billing systems, and so on. I have not met many customers who make their money on unstructured data, so many rightly place emphasis on structured data. Just as I don’t believe that Spotify will be the death of iPods or iTunes, with the average listener choosing to pay for and retain the music which matters most to them, so I feel that most customers will choose to continue to store their structured data in house and consider using cloud storage for elements of their unstructured data.

Secondly, I don’t believe that customers are ready to give up on cloud storage or cloud computing even given the outages. Indeed, a recent study shows that “Ten percent of the more than 500 executives responding were testing or had deployed cloud computing projects, compared with 3 percent when the same survey was conducted nine months earlier. The number of companies with no plans to adopt cloud computing dropped from 54 percent to 37 percent, according to the study, which was conducted in late August and early September by Kelton Research.” They will, however, become more demanding of service level and related guarantees from their service providers.

And therein lies the possible answer. If we consider the credit card transaction processing industry for a moment, VISA is a certifying body which allows independent credit card transaction processors and banks to process VISA transactions ...but only after they are fully vetted and have systems and processes certified by VISA. Don’t comply, you don’t get to process credit card transactions...it is as simple as that. No moolah or you!

In my opinion customers should, in the future, demand that their cloud provider have insurance from a recognised insurance company to underwrite their service. The insurance company would then most surely certify and vet not only cloud provider systems but, perhaps more importantly, the processes employed for backup and continuity of the cloud systems.

Don’t comply? You don’t get insurance. And without insurance, customers will surely be hesitant if not downright refuse to trade with you as a cloud provider. The process and system failure prone providers would die on the vine, leaving only the strongest process driven providers to prevail.

Is this the answer? Only time will tell, but I personally feel it a better way forward than another trade body.

Set as favorite

Bookmark

Email this

Comments (6) Add Comment

Subscribe to this comment's feed

Insurance is not the answer
written by josephmartins, October 23, 2009

I'll skip past the first half of the post because I wish to make a few points about the second half.
.
Before I continue let's set a few things straight here on StorageMonkeys. The term "unstructured data" is practically meaningless. If you want to begin to understand why, read my 5 year old post about it here:
.
http://www.datamobilitygroup.c...29#more-29
.
In reality, very little data is purely unstructured. For reasons unclear to me, storage industry pundits began using an arbitrary 80/20 unstructured/structured information split a few years ago to classify information assets when the industry decided to dip its toe in information management.* I've helped develop information management software from the ground up for multiple companies in different industries. Pundits pushing the 80/20 concept do not understand the nature of information or information management. Mark my words, listening to them will only get you in trouble. Assets such as Powerpoints, MP3s and emails are not unstructured - they are simply less structured. The value, importance and proper handling of information assets depends on context and use, not on degrees of structuredness.
.
Frankly, I'd like to intellectually slap the person who came up with that notion. That individual has caused me nothing but headaches and countless hours of deprogramming and reeducating technologists who inadvertently bought into it.
.
For the record, I can think of several industries heavily dependent on less structured information assets - advertising, arts, entertainment (radio. television, Hollywood, etc.), news, publishing and sports come to mind. However, as I pointed out earlier degree of structure is all but irrelevant to a discussion about what to place "in the cloud".
.
Where a company chooses to store and protect information assets depends on context , use and relevance to its mission (i.e. overall value), not on structure. A company's willingness to delegate its custodial responsibilities to an outside firm will depend on assurances and its perception of the firm's ability to deliver.
.
I'm not a fan of insurance for reasons that should now be obvious to anyone who kept up with the news these past two years. I view insurance (of the type we are contemplating here) as an ineffective pacifier that will likely not be there for your company when it needs it most. And cloud provider insurance? Sounds like data protection derivatives to me. Yes, let's start a new bubble.
.
No, companies do not need providers that have [worthless] insurance policies. What they need are providers that architect their systems in a way such that insurance is absolutely unnecessary.

Clarification
written by josephmartins, October 23, 2009

By "systems" in the last paragraph, I mean soup to nuts people, process and technology, not just the tech.

We must remember who our audience is in the first instance.
written by mpyeager, October 23, 2009

Thanks Joseph, a very detailed response and I appreciate you taking the time to engage.

At a technical level, I agree with much of what you have to say regarding unstructured data. Indeed, I often discuss with our customers the need to classify data and align datasets to business value ...given your background, I'm sure you won't be surprised when I tell you that many of our customers have not undertaken such an exercise. However, in fairness many of them have simply been too busy with the complexities of their own business processes to undertake such an exercise and have allocated their finite resources to these endeavours.

That said, I do think we as technologists need to sometimes take a step back and remind ourselves of just who the audience is in this equation. Whilst I would love nothing more than to indulge my inner geek and debate the esoterics of data classification with you, in my experience here in the UK specifically and EU generally I can expect the average customer to entertain such a discussion for about 33 miliseconds. Give or take. I do sometimes get a bit longer if we're waiting for the kettle to boil.

Hence the reason that many of us ...myself included, guilty as charged ...used the Pareto principle and broad brush data labels such as 'unstructured' and 'structured' when discussing this with customers. Put simply ...it's easier and allows us to get to the point a bit more efficiently. Is it perfect? Nope. Equally, Pareto is either Swiss or Italian depending upon your perspectice ...esoterics indeed.

I understand and appreciate your logic re insurance companies, but they've been around a lot longer than the past two years and would hasten to add that for every ill you can point out I'm certain I can find a redeeming point or quality. If I follow your argument to it's natural conclusion, should I seek to get rid of my mortgage tomorrow? I believe that the current crisis was caused by a removal of key regulation and an irrational and exuberant belief in algorithms and technology to remove all risk from systems which will always carry an element of risk. But that's another story.

What I am advocating ...and the point of my original blog post ...is that customers will seek assurances that they understandmoving forward with cloud storage and service providers. Most business people understand the concept of insurance, and I would believe them to be very hesitant to sign up with a service provider who isn't insured against loss.

But if we can't agree on that point, let's not throw the baby out with the proverbial bathwater. I did also postulate that the VISA transaction processor certification system might provide us with an answer.

Might you be an advocate of this system minus insurance requirements?

Always happy to contribute
written by josephmartins, October 23, 2009

This is another topic near and dear to my heart. even if it is only tangentially related to the original post.
.
I definitely understand your challenges and frustrations. I have walked many miles in shoes similar to your own. But this isn't about debating nuance to satisfy our inner geeks. This is about doing what is best for your customers' businesses whether they like it or not. I find that it's a bit like convincing kids to eat their vegetables, save money or clean their rooms. Some don't want to, and they'll put up a fuss, but in the end we're doing it for their own good. While Joe CIO or Suzy VP Mktg may approve your POs never forget that their best interests and their company's may not be one in the same.
.
Customers (that is to say the decision makers) always claim to be too busy to do things right the first time, yet they complain later when shortcuts come back to bite them. I am convinced that many short-sighted decision makers simply hope that they will have collected their paychecks and bonuses, vested their stock, and skipped town before it hits the fan.
.
I don't have anyone breathing down my neck pressuring me to hit quarterly numbers so I have the luxury of walking away from prospects who aren't prepared to take the process seriously and invest the time to do it right. There's a reason why my presentations end with "pay me now or pay me later". You can find one of them - about storage and information management - up on my LinkedIn account.
.
Regarding insurance, I don't believe your mortgage example fits. We're not talking about buying another house or car with an insurance payout in the event that you lose one in a disaster. As heartbreaking as it might be to watch a 57 Ferrari 250 TR go up in smoke, it's not the end of the world. For many people, insured homes and vehicles can be replaced.
.
No, we're talking about replacing the irreplaceable. You could, for example, carry insurance on your family's memoirs and other valuables handed down generation after generation for the past 500 years. But no amount of money will cover your loss if they burn up in a house fire.
.
Now imagine irreplaceable data - the loss of which could cost you your business and irreparably harm your shareholders, partners and (most importantly) your customers. The premium to cover such a catastrophic loss would probably be unaffordable. But even if you had the funds to cover premiums, a catastrophic loss might spell the end of your business. So you can see why I question the value of insurance in this context.
.
Certification/credentialing is an interesting concept in this context and we're no stranger to it. Our education system is certification based from high school diplomas to college degrees and professional certifications. If we are willing to entrust our information assets to credentialed employees, then it is not unreasonable to suggest that we could entrust those assets to credentialed service providers. I would definitely support credentialing, though I admit we'd have quite the challenge ahead of us laying the groundwork and finding consensus.

Going back to something you wrote earlier...
written by josephmartins, October 23, 2009

Hypothetically speaking, the probability of a catastrophic data loss at the hands of a properly credentialed provider should be quite low. In terms of irreplaceable data loss, credentialing isn't going to solve the problem, but it should make it less likely to occur in the first place. However, if something did happen, I concede that some financial compensation would be better than none at all.
.
Why not use a combination of credentialing and insurance such that insurance costs are substantially lower for certified providers? This is not all that different from the suggestion at the bottom of your original post. You suggested certification as a pre-requisite for insurance and I'm suggesting certification as the foundation for a risk-based premium structure.

Insurance requires owners to establish a value
written by RIMMAN, October 23, 2009

...and that's not an easy thing to do when it comes to information. First question is WHO does the information belong to? The organization storing it, or the individual/organization contracting with them to store it? And are they directly responsible for it, or are they a simple 'gatekeeper' passing it through to someone else? If you're unsure of the answers to ANY of these questions, then more legwork is definitely required.
In the US, the FRCP (Federal Rules of Civil Procedure) changes of a 2007 make this a critical issue, especially when it comes to Rule 26 and the need to provide a data map of your ESI (electronically stored information) during the discovery phase of a legal action. In the EU, my understanding is the requirement for certain records to be stored on WORM (write once, read many) media would prohibit some organizations from even considering a cloud scenario for storage.
Electronic format information and clouds aside, this has been an issue for decades when it comes to assigning a hard value to stored information... there have been numerous commercial storage facility fires where paper format and media containing records have been destroyed, and in only one case in 1997 were the owners of the information able to clearly outline the 'value of the information lost', and that was by detailing what it would cost to recreate it. http://bit.ly/2WpRf And the loss resulted in twin $20MM judgments, among other smaller ones. Oh and the service proividers contracts stated they were liable for "$1 per box in the event of a loss".
So, what is the value of information stored, what level of protection is offered, and how would one go about collecting on a loss? Is the value what it would cost to recreate it (if that's even possible) PLUS the cost of notifying all of the clients impacted by the loss (and potentially providing free credit checks for them for three years) PLUS the loss of your reputation as a service provider (try assigning a value to that one)?
And if this **IS** the value, what service provider has a model allowing them to establish charges for storage of information that would protect them in the event they'd have to pay out for a loss? The paper storage provider never expected a judgment of this size to be levied against them, and NOW they're in the electronic data storage business arena as well.
Last week at the ARMA Conference (after getting my cup cozy and flash drive) I asked them "What is your policy for assuring clients against loss of data while in storage or against any commingling of data with that of others to prevent against exposure of PII, PHI or PFI?" The representative looked at me and his eyes glazed over and then he said "What??"
As I've said to others in the past, caveat emptor