Does cloud computing need malpractice safeguards?

Recent failures to protect consumer data stored on the Internet (aka "the cloud") point to an alarming gap between the value of that data and the care with which some vendors treat that data.

Microsoft subsidiary Danger failed to put in even adequate safeguards for its customers' data. Amazon Web Services failed to discover an obvious problem that kept a loyal customer down for 20 hours. Coghead's agreement to sell to SAP without any provisions to continue support for existing customers.

(Credit: DB King/Flickr)

The truth is that cloud computing means that now, more than ever, IT operations is a profession that has a very real economic and quality-of-life effect on its consumers--in very many ways much like health care or the law. I think it's time we hold ourselves as individual and organizations to similar standards that we expect from doctors, lawyers, and law enforcement. Our ethics must reflect an understanding of the responsibility we are being granted by the rest of society.

The instances above are examples of companies failing to follow well-known professional protocols, or putting the needs of the business ahead of the needs of the client. Heck, look at just about any cloud operator's terms of service, and you see paragraph after paragraph of text that basically states, "If something goes wrong, you can't blame us."

I think its time to change this attitude. I see a couple of options, neither of which I love, to achieve this. I'd love to hear from some innovative thinkers on others.

1. Pass "cloud consumer protection" laws. This was something that was briefly explored after I wrote my "Cloud Computing Bill of Rights" post in August of 2008. However, the folks who got involved at that time weren't a) vendors or b) policymakers, so we didn't get far.

   The biggest issue with using the law to enforce professional culpability is that it requires government bureaucracy for enforcement. That bureaucracy doesn't exist today, and would be expensive to create.

2. Allow for "cloud malpractice" suits. Oh, I know, I know. Most of you in the IT profession are squirming in your chairs right now, ready to jump down my throat about how medical malpractice has created as many problems as it has solved. Again, I don't love this option, either.

   However, if Danger had lost arguably hundreds of thousands of dollars worth of data (or more) because it didn't tangibly fear the reprisals that would come if it lost it, it would be nice to see a big ol' sledgehammer of justice ready to rain down. I'm sorry, but failure to follow known professional practices is malpractice, and malpractice suits exist to punish those who forget that.

Let me reemphasize that I don't love either option, but I do know something has to change. The public is placing an extremely high level of trust on "cloud" services, and there has to be more than the simple threat of loss of revenue to reflect this. What do you think? Is it time to wield a big stick with respect to cloud service operations, or will the natural evolution of the market do the job for us?

[lazycat202]

never store my docs on cloud services (google, Microsft, etc...). it's not safe to do so. simple!

[apple-pi]

Sure, why do not you store them on your hard-drive that can go down at any point, it is so much safer!!!

[pentest]

I guess apple never heard of back up, and what the hell do you think the data is stored on in the "cloud".

Yup, hard drives.

[Jack K1]

Laws: the LAST thing we need is for lawyers to figure out what IT people should be doing - and then handing over the final decision to 12 idiots.

What we need are industry standards in the form of "Protection Levels":
For example...

Backup Levels:
LVL 0: no backups, we're basically some kid in the basement with a hard drive
LVL 1: backups made on site once per day.
LVL 2: backup made off-site once per day.
LVL 3: mirrored onsite
LVL 4: mirrored offsite
...
LVL 10: we have a full, mirrored, offsite facility with automatic failover

Power Levels:
LVL 0: we've got a surge protector, and it's plugged into the wall and not itself
LVL 1: we've got a 1 hour UPS
LVL 2: we've got an onsite generator good for 24 hours...

Internet Connection Levels:
LVL 0: my ISP doesn't know I'm using my connection for commercial purposes
etc.

Software Security Levels:
LVL 0: we use antivirus software, the free stuff. I think it's updated daily.
etc.

Hardware Security Levels:
LVL 0: Our hardware is in our house. Find it, and it's yours.
LVL 10: Our hardware is in an underground bunker designed by the federal government to withstand nearby nuclear blasts.

By breaking down data protection into its various components and classifying it into its components, we can more easily compare vendor proposals and make intelligent decisions.

[pentest]

Excellent idea, but there still needs to be consumer protection for software. No one else gets a free ride.

[Lerianis3]

Jack K1, most of the people on juries are NOT idiots. They are just as smart, if not SMARTER than you are, and just hold companies to higher standards than the companies would like or love to be held to.

[SteveChicago]

Forget the law, until the contractual obligations of the "provider" are acceptable to the customer, there is no reason to rely that heavily on anything you do not control.

When you save money by offsiteing/outsourcing things, you take on the added risk of losing direct control.

Even if T-Mobile Sidekick had a great contract with Danger/Microsoft and they do get reimbursed for downtime and data loss. What is the cost to the T-Mobile image?

[Lerianis3]

True, some of the contracts are LUDICROUS in what they say...... basically that this company, even though you are trusting them to back up your data, bears NO responsibility in the case of a data loss AT THEIR COMPANY..... it's stupidity and should not be allowed.

[cvaldes1831]

Technology services run by lawyers are terrible. Just look at DIVX.

Let's face it, until cloud computing service providers are willing to take ownership for their actions, cloud computing is simply not ready for primetime, regardless of the maturity of the technology.

I anticipate that the overall quality of cloud computing services will decline, not that they started from a lofty position. Cost competition will destroy reliability, security, and privacy. Why spend half a million dollars on a backup system when you could get by on some woefully inadequate replacement for $50K? Why pay real Oracle DBAs at six figures apiece when you can get a bunch of script kiddies and hire a part-time Oracle guy for the emergencies (a la Danger LLC). Why pay the best and brightest to design and operate a world-class operation when you can hire a bunch of shoemakers at a fifth of the cost? Why pay for malpractice insurance when you can just write into your Terms and Conditions, "caveat emptor"?

With the recent ongoing failures, the public should have little trust in cloud computing operators. Each incident cumulatively adds to that distrust. Sadly, it is likely that cloud computing will continue its downhill slide.

[Joel M. Benisch]

I am a grizzled old IT guy who also happens to be a practicing Insurance Professional and Risk Manager (yeah, go figure!). Jack K1 is "on the right track".

There are various products available in the Property/Casualty Insurance Marketplace that allow operations like "cloud computing providers" to transfer some or most of their risk to an Insurance Carrier. However, the Insurance Carrier will undertake an underwriting process prior to offering a premium quote for any of these products. That underwriting process will (should?) include the completion of a number of application forms that will ask for detailed information about the very issues Jack K1 lists in his comment.

By use of such products, the Insurance Industry is fulfilling its obligation to society by questioning the members of society who are pushing the edges of our collective envelope(s). Some customer will eventually claim that an "error" or "omission" has been committed, resulting in damages to the customer. That's when the Insurance Policy will be triggered and the Insurance Carrier will be obligated to provide an investigation and legal defense. At that point, the situation is handed over the the legal system and an adjudication process attempts to figure out what is "right" and/or "expected" in light of the facts.

It is through this process that our society determines the nature and extent of the "duty(ies)" that each professional holds to his or her lay public (the consumer). Professions that self governs this question by publishing its own code of ethics and conduct are generally in a better position to defend itself.

[MadLyb]

There seems to be this inherent concept that the cloud is always on and virtually none of the current providers promise this. It is the media behaving like it should be, combined with people assuming that the cloud means no chance of failure, and enhanced by cloud providers who do not speak up to correct these assumptions and instead taking advantage of the resulting assumptions to generate sales, while their T&C quietly denies any responsibility for that eventual failure.

Anyone who adopts the cloud without a solid Business Continuity plan is just a victim waiting to sue someone else for their own failings and encouraging malpractice lawyers is a failure on the author's part to clear the misconceptions about cloud computing and instead inject a little hysteria into the conversation.

[JasonM80]

Interesting article and proposals. Certainly, the growing concern over cloud reliability is real. However, I am not convinced that passing laws around this makes sense. As Jack K1 points out, "the LAST thing we need is for lawyers to figure out what IT people should be doing..."
MadLyb makes some good points, but I disagree with the idea that "Anyone who adopts the cloud without a solid Business Continuity plan is just a victim waiting to sue someone else for their own failings..." Yes, it is a good idea to back up your data, even when you are using a cloud vender to safeguard it for you. However, as we all know, on-premises hardware fails too. Not all cloud computing venders are the same, but the ones that fit Jack K1's LVL 10 ("we have a full, mirrored, offsite facility with automatic failover") are more reliable than the the setup that most IT organizations have. As cloud computing grows, I expect more providers to begin offering this level of service.

(I am collaborating with M80, working with Microsoft to help promote Windows Azure. See http://bit.ly/WindowsAzurePlatform.)

[apple-pi]

James,

I think the questions you pose in your article are missing the point. You say that cloud implementations that exist today are not completely safe, and that's true. But safe in comparison to what? To your hard-drive?

Present solutions from Google and Amazon keep multiple copies of user data, often distributed across multiple geographical locations, or at least multiple data centers. Compare this to your hard-drive (and at most one backup, likely in close geographical proximity to you and the primary copy). And if your hard-drive dies, in most cases, you cannot sue the manufacturer. Why then should you be able to sue a cloud-service provider, if your contract with that provider explicitly states that "if something goes wrong, you can't blame us"?

I understand that you may want more than "our best effort" assurances, but then it is your responsibility to find a counter-party willing to take the extra risk off your shoulders, and it is going to cost you. One of the reasons why few such services currently exist is that most users simply do not care enough about their data. So a small percentage of Danger customers lost their phone numbers. What is the average value of that data per customer? $100? $1000? Purchase a $10-per-month "extra safety" plan, and any insurer would pay you $1000 if there is a proven "system malfunction".

Now, any better than "best effort" solution would also require a clear separation between the server and the client side of any solution (otherwise the user may delete the data and then claim that it was deleted without their knowledge). For such a separation to exists, all queries should go through an independent 3-rd party arbitration service, which would also add up to costs, latency and, ironically, reliability.

[apple-pi]

"I think it's time we hold ourselves as individual and organizations to similar standards that we expect from doctors, lawyers, and law enforcement."

I am afraid that in this country that's a pretty low bar ;)

[pentest]

1. Cloud computing is a term that has no real meaning, stop using it.

2. The entire software industry needs to be held accountable for their shoddy code and crappy practices.

[MadLyb]

http://en.wikipedia.org/wiki/Cloud_Computing

[pentest]

Wikipedia is allowed to define marketing terms. Cloud is a marketing term to make something extremely old seem new.

[HamLoring]

For those who fear the loss of data (on the cloud or in the cozy confines of your computin' room)-- yes, fear it. There are a few truths to this messy world of computin' that bear repeating:

1. There are things in this world that computers ought not be allowed to do. Absolute bullet-proof data storage is one of those things.
2. There is no such thing as error-free software (nor will there ever be).
3. Hardware fails. So does backup hardware. So does doubly redundant backup hardware. And so on and so on.
4. People who design and write software screw up because they are, well, just people.
5. People who design and build hardware screw up for the same reason.
6. As do the folks in charge of data centers, servers, etc.

The trick, O Best Beloved, is to reasonably assess the risk and then decide if you wish to continue, otherwise, go back to styluses and clay tablets. Some of these have survived over 5000 years, I doubt seriously if anything you commit to available storage today will survive one-tenth as long.

If I needed a document that absolutely had to survive for, say 50 years, and the failure of that document to survive would result in my death, I sure wouldn't trust any form of digital storage currently available. Best bet--multiple copies laser-printed on acid-proof paper stored in multiple safety deposit boxes in different geographical locations.

[Lerianis3]

Actually, absolutely bullet-proof data storage (but only what the customer WANTS TO SAVE) is something that computers should have. Now, if you are REALLY worried about people seeing what you are doing or storing on your computer...... run something like HeidiIE's Eraser software..... I would LOVE to see even the FEDS try to find anything on a drive after that has been used on it.

Oh, and 'multiple copies on acid-proof paper' can be lost as well, and if you forget where those safe deposit boxes are..... your SoL big time!

Computers are basically our BEST FORM OF DATA STORAGE, if they are repeatedly backed up and information is transferred to new data formats about every..... 10 years, as I am thinking of doing with my collection of scanned mangas on DVD's..... thinking of getting a Blu-Ray burner to put them on those discs now, since the prices have come down quite a bit.

[Joe_Kizonu]

newsflash folks, the economics of cloud computing (free email, any sort of on line storage) stop working when backups are required. All of this "free" storage depends on $0.10 per GB hard drive costs, and sub $0.50 per GB storage presentation costs. Think about it!
Those back up tapes that some advocate, not the most reliable medium out there either.
The way you make this stuff work is to make multiple copies of data to multiple places.

LA just adopted the google "clound." I'd worry if I were a police officer or DA with this. With LA's police, DA, parole, children in schools, etc., all there for the getting

[briwolff]

We already have safeguards - called free speech and free choice. T-Mobile, Sidekick and Microsoft are already paying for their failures - that will show up on the bottom line in much more significant ways (recurring revenue that will never come back) than a one time lawsuit or fine. As an IaaS provider, I'm well aware that client satisfaction and uptime are the two most important things that make or break me on a daily basis. It's also worth reinforcing that "there is no such thing as a free lunch" - the decision made by Danger/Microsoft/T-Mobile was very likely made by managers looking to hit a price-point to compete or to improve profitability.

[pentest]

If no one is taking data retention seriously, then where can you go?

The idea that there is any real choice in corporate America is a myth, pure fantasy.

They all take shortcuts and they need to be held responsible.

[michellegreer]

I am not sure that regulation is the only answer. Considering the pace that cloud computing is moving out, it may slow things down more than anything and prevent others from advancing in the space.

Cloud computing still manages to be a fraction of the over all hosting industry. As demand increases, certain customers will ask for more security. Others will need more uptime. Some may need more latency. Some may need all three. Cloud computing is just storage and people use storage in countless amounts of ways.

As demand continues to increase, we will see cloud providers decide that they need to pick attributes to excel at. If they can't deliver, customers will simply go elsewhere. We are just in an early market that has yet to mature to this stage. At the rate cloud computing is advancing, it might happen sooner than you think.