You are sending a link to...
Don't Forget Cloud Availability
Most assessments of cloud security risks highlight data integrity and confidentiality issues. But the business bottom line is service availability. With many of today's cloud services being offered without warranty, users need to be cautioned before relying on that service. It is too easy to ignore the digital supply line that is behind the convenient service or API. I am reading more and more about service outages from Verizon, RIM and other vendors like LinkedIn, Twitter and those in the screenshots. A recent email reminded me again of this issue: a reminder that Google's Personal Health Records service was closing by end of 2011. This is a major cloud provider that is discontinuing its service. What will be happening to my healthcare data stored therein? Or what about the class action law suit against Dropbox? Could that affect its viability? Or what about DigiNotar, the now bankrupt Certificate Authority, leveled by a security breach? These days, any cloud vendor storing personally identifiable information is subject to legal action in the event of a breach.
Cloud customers need to exercise extreme caution in selecting vendors and in insuring backup solutions in case the vendor suffers an outage or simply goes out of business. First, we are in the "consumerization of IT" era and without specific guarantees to the contrary we should expect cloud vendors to use the lowest cost approaches to providing their services. Second each cloud vendor is part of a digital supply chain which is at least going to include a network vendor and data center provider.
If the vendor is actually using a chain of N services to supply its service, where each component service has uptime U, then the net availability will be A = 100-N x (100-U). As an example, with five links, if U = 99.9% for each link ("three nines"), the net availability will be only 99.5% ("two nines"). The same type of calculation applies in the case where there are several parallel cloud services being used. These may grow up over time without much planning. Each business process may use more than one cloud service and thereby be vulnerable to failures in any one of them.
CIOs have spent years developing reliable data center operations. Now is the time to move carefully into cloud services, with a watchful eye on both short term availability issues and long term strategic vendor viability issues.