Latest cloud storage hiccups prompts data security questions

Carbonite charges defective hardware caused loss of customer data

The pitch from providers of hosted storage services sounds enticing. Instead of what these providers call the inherent risks in using hard drives or DVDs to store data, users are better off paying a small fee and backing up data in the cloud. Cloud storage providers pledge that putting valuable data into their hands is like keeping money in a bank.

However, cloud computing vendors continue to be plagued with periodic shutdowns and losses of customer data. Just last week, cloud-based storage service provider Carbonite Inc. filed a lawsuit charging that faulty equipment from two hardware providers caused backup failures that resulted in the company losing data for 7,500 customers two years ago.

The problems have prompted some users and analysts to wonder whether cloud computing storage poses an unacceptable data security risk, particularly because users are depending on unseen infrastructures holding enormous data vaults that could easily attract the interest of hackers and electronic terrorists.

Michael Peterson, president of Strategic Research Corp., a market research firm in Santa Barbara, Calif., said he avoids using hosted storage systems because he doesn't trust them and because of the long-term costs. He noted that he used's S3 hosted storage service to help his son set up a business venture. But once the venture could afford to purchase its own on-site storage, it stopped using S3.

"Amazon is successful with small businesses, entrepreneurial start-ups -- people who don't want to invest in their own storage," he said.

But he said, "you're a fool if you put personally identifiable information out there. Vendors in this space have to be putting their trust message out there and try to prove it. But as a consumer, I'm not ready to trust again. And I'm a suffocated user. I've been using this stuff for years."

Peterson also noted that some customers can become confused because vendors describe cloud computing in different ways. "Everybody wants to call what they're doing cloud," Peterson said.

Nonetheless, several major vendors offer hosted storage products, including Symantec Corp. and EMC Corp., which offer the Norton Online Backup and Mozy products, respectively. A large group of small service providers offer similar products while industry giants Google Inc. and Microsoft Corp. are pursuing their own hosted storage models.

Despite the promise of using the compute cloud to store data, incidents of hosted sites going down or losing data are beginning to pile up.

For example Amazon's S3 service was offline for several hours in February, which wasn't the first time the service failed. Also, XCalibre Communications' FlexiScale service suffered an 18-hour outage last year, and The LinkUp storage service shut down in August after losing access to unspecified amounts of customer data.

"You can't trust backup and storage in general," said David Friend, CEO of Boston-based Carbonite, in an interview with Computerworld today. "It's not just the cloud. Look at all the tapes that have been lost by people like Iron Mountain where they've got the stuff on a truck and the [driver] goes in to get his Dunkin' Donuts and comes out and the truck is gone."

"There's no such thing as 100%, foolproof backup. You really need to look at the law of averages and figure out what's the appropriate level of security," he added.

Carbonite is suing Promise Technology Inc. and reseller Interactive Digital. The company contends in the lawsuit that $3 million worth of equipment supplied by the vendors was defective. Specifically, an array from Promise allegedly lost its RAID capability because of a software glitch, causing all the data stored on the boxes to turn into "gibberish," Friend said.

Friend said the incident occurred nearly two years ago. In a response to the news stories that followed a Boston Globe item about the lawsuit late last week, Carbonite issued a statement that read, in part: "It is possible that readers will walk away from this with the impression that 7,500 customers were unable to restore their files from Carbonite. This is not the case."

Friend said Carbonite's systems restarted all the backups immediately and automatically, restoring the data and saving more than 99% of all the lost data.

Only "a small number of these customers had their PCs crash before their re-started backups were complete," the company said. "These customers were unable to restore all off their files from Carbonite. We took full responsibility for what happened, and I did my best to apologize personally to each of these customers."

Since the incident two years ago, Carbonite claims they have not encountered any further problems. The lawsuit is seeking a refund on the "defective products."

Peterson said little has changed from today's storage service providers and those of the late 1990s and early 2000s, such as Storage Networks, that failed because businesses were not willing take the risk of co-locating their information assets offsite along with competitors because the risk of co-mingling it or exposing it.

Siamak Farah, CEO of InfoStreet Inc., whose hosted service targets small to midsize businesses, said most companies don't have the financial ability to hire full-time security experts who are paid $200 an hour to ensure data is secure. "If I sign a contract with a cloud computing company, I'm putting my data on their premises, and they're responsible for the security of that data," Farah said. "Depending on the nature of the data, agreements can be different, but in general, hackers who try to come into those systems face double fire walls, security experts and double security audits."

Jeff Kyle, group manager for Symantec's consumer products, the division that launched Norton Online Backup, said a recent survey of Symantec consumer customers showed that 28% use external hard drives, 25% use CDs or DVDs, 15% use USB flash drives, 2% use online backup services and 26% said they never back up.

"CDs and DVDs have got to be hard to catalog -- just managing all those backups to CD or DVD. Not to mention it's hard to get incremental backups done that way," Kyle said. "USB flash drives have a similar issue. The storage is relatively small and you can lose it, misplace or have it stolen."

After Carbonite's equipment failure, users wrote in asking why the company did not do backups of backups, Friend said. "There are services out there that do backups of backups and you'll pay in one month more than Carbonite charges in a year. Our customer wants to pay 50 bucks."

Friend said 99.9% of Carbonite's customer data loss is related to human error. "It's somebody who doesn't back up a particular folder because they don't understand where it is, and then when they go to restore it, it's not there."

While any big data center is bound to have hardware and software glitches, "statistically, if you look at the likelihood of losing three out of 15 drives in a RAID array, and a user losing the hard drive on their PC, it's probably going to happen every 15,000 years," Friend added.

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon