8/15/2019 10:20:39 PM
Over the past few years, I've spent a lot of time speaking to the dangers of our current blind obsession with the cloud and all it has to offer. Professionally, I've experienced life on both sides of the fence: I've seen this problem from the perspective of the cloud provider and from the perspective of the consumer. In both cases I have arrived at the same conclusion: We've got a rough road ahead of us.
Prior to this moment, I've been wary of the cloud in general and railed against specific players in the space as circumstances demanded. However, my stance on this has officially changed over the last few months. Given the way that cloud services are being structured and the way that consumers are approaching them, we are heading into what I predict will be a very scary time in the tech landscape.
What will make it scary? Well, as of right now, none of the pertinent parties are codifying the specific expectations and responsibilities of either the provider or the consumer as part of service arrangements, outside of EULAs that nobody on the consumer side is bothering to read. The vast majority of the relationship is predicated on a wide and dangerous web of assumptions. And we all know what assume means, don't we?
For example, as a consumer, can you honestly say that you know what the backup and disaster recovery strategies of your cloud providers are? I'm willing to bet that you can't. And even if you have something in writing which obligates the provider to observe a specific SLA, how are you verifying this? The answer, of course, is that you aren't. While you can verify your own policies and procedures, you really have no insight into, or even the ability to verify, the provider's.
But let's be honest, that is really just the start. Another great example of how much both parties are operating under misguided assumptions can be summarized with a simple question: "Who owns the data that the consumer stores in the cloud?"
As a consumer, you will likely respond that the consumer should own the data, and I agree wholeheartedly with you. But the unsightly truth of the matter is that cloud providers do not see it this way. They treat the data you choose to give them as if it were their own. This can be easily substantiated by simply observing how many of these cloud providers now employ data scientists whose primary responsibility is to feed other people's data into proprietary algorithms which produce output that they now own. You can go even further by asking the providers whether or not the data you give them is encrypted at rest and stored in such a manner that it is wholly and completely segregated from the data of their other clients and rendered inaccessible to their own employees. If they are being honest, the vast majority of providers will not tell you this is the case.
Alas, the problems don't end there. This problem gets even more complicated when you consider the fact that the client paying for the cloud provider service may not themselves even have full rights to the data they are opting to store. Let's consider the case of a provider which offers accounting-related services and software which live in the cloud. The consumer paying for the service is effectively outsourcing the storage of data and transactions that belong to both them and their clients and/or suppliers. Have their clients and suppliers given them authorization to store private data which is partially owned by them with this provider? The answer is almost certainly no.
When it comes to the cloud, privacy and accountability are being ignored on virtually every single level imaginable. The primary reason for this is that the traditional on-premises approach to IT did not require any of us to spend a lot of time thinking about these kinds of things, as it presented an implication of privacy by proxy. While it is easy to turn a blind eye to these issues and assume somebody smarter than us will eventually concoct a clever solution for the problems, thus far one has not materialized. If we continue on our present course, one day the complicated issue of data ownership will come to the forefront in a very dramatic manner. When it does, a hell of a lot of cloud providers and consumers are going to find themselves scrambling as the people around them start to ask some very hard questions.
So what can consumers do to hedge their bets here? The most obvious hedge is to simply limit your dependence on third-party cloud services. In the event you are forced to depend on the cloud for a particular service, try to pick one that allows you to independently control and encrypt your data in a fashion that leaves the cloud provider unable to decrypt that data regardless of circumstance. In addition, work with your existing and future cloud providers to codify expectations around backup and disaster recovery, and press them to provide avenues which allow you to independently verify that they are living up to those expectations.
As for the cloud providers, the answer here is clear. Instead of turning a blind eye to the wide-ranging ethical issues in front of you, attempt to tackle them head on by working with your current clients to design an approach that works in favor of all involved parties. While this may force you to raise prices, ultimately this will put you ahead of the curve and pay off down the road when the inevitable backlash cripples your competition.