Cloud storage a steep climb
- 22 March, 2011 01:15
It's been nearly five years to the day since Amazon introduced its groundbreaking Simple Storage Service -- or S3, as it's more commonly known. But despite that offering's track record, many enterprise IT executives still struggle with the notion of using cloud-based storage services to hold their corporate data.
Whether they're in manufacturing, finance, healthcare or education, IT professionals are as concerned as ever about data security and privacy, with regulatory compliance weighing heavily on their minds, so they fret about sending data offsite. Likewise, they wonder if performance will be adversely affected if there's a long distance between an application and its storage site.
For reasons such as those, "we're really not seeing much willingness to put enterprise data in the cloud yet," says Gartner analyst Adam Couture, who covers storage services.
That isn't to say that enterprises are shying away from cloud storage entirely. Many companies in vertical markets of every ilk have found the cloud to be a perfect fit for their backup, archival and file data. In other words, the cloud makes sense when speed of retrieval isn't an issue.
And Couture says the perception of the cloud's suitability as a storage medium for mission-critical data and applications will change over the years, as enterprises grow to accept public cloud computing in general.
"If you're running Amazon EC2 [the company's cloud computing service] and S3, and the storage is the same physical location as the server, latency becomes a nonissue, and you won't be charged every time you move the data, because it's local," he says.
Storage that's simple
In fact, you can already find notable organizations using cloud storage in a variety of industries. Turning to the cloud is a logical move when you're involved in distributing a lot of data to a Web site, perhaps with the help of a content delivery network. Indeed, prime examples of cloud storage users are companies in media, retail and other verticals that are accustomed to finagling content delivery over the Web.
"When we think about who's using the public cloud for storage, it's really those like media companies that have need for fluctuating storage, and a lot of it. They go to the cloud, plop stuff in extra storage that they need for a certain period of time -- it's a fluid resource for them," says Ruthbea Yesner Clarke, an analyst at IDC.
Streaming media is the perfect use case for public cloud storage, Clarke adds.
"That's extremely storage-heavy. It's constantly being pinged, but it also involves lots of peaks and valleys and back-and-forth flow to a main pile of storage," she says.
For example, PBS Interactive stores 90 per cent of its streaming video content in the Amazon S3 cloud. "S3 is brain-dead simple -- you put stuff in it and take stuff out of it," says Drew Engelson, chief architect and senior director of platform development at PBS in Arlington, Va.
In PBS's case, S3 is the origin server for media assets that get delivered via Amazon's CloudFront content delivery network. "We put the high-bit-rate original files on S3 for permanent storage and for ingestion into transcoding workloads. So we'll drop a high-bit-rate file into a particular S3 bucket that is being monitored by a transcoding service," he says. "The transcoding service will pick up that high-bit-rate file, transcode it into our final output format and drop those into a different S3 bucket. From there we can deliver those files through CloudFront."
It would have been possible, but difficult, to stream video content using a traditional infrastructure, according to Engelson. "We're a media organization, with a goal of delivering as much PBS content to end users as possible. We've simply found that this is one way that makes it easier to do that," he explains.
Success stories like that have helped generate interest in public cloud storage, says Couture. After all, the model does come with considerable positives -- scalability up and down, pay-by-use pricing, vendor-provided management, and software agnosticism. Those qualities, of course, are particularly appealing to lean start-ups and small and midsize companies, he says.
Gartner is projecting 100 per cent year-over-year growth in public cloud storage services for the next five years -- though Couture points out that that's starting from a minuscule base. For 2011, Gartner projects that cloud storage revenue will hit $150 million to $200 million. "That isn't an extensive neighborhood," Couture says.
For example, financial services companies, by nature conservative, generally aren't going to put customer-specific data in the cloud, says Andrew Reichman, an analyst at Forrester Research. But then again, he adds, they tend to be big companies with the wherewithal to build their own data centers cost-effectively and therefore have less of a need to use the public cloud.
When you consider public cloud storage in terms of vertical industries, you have to think about security and risk, says Reichman. "Public cloud storage is certainly getting a lot of attention," he says. "But the questions are about where it can fit down the road. It's not a ready-to-go thing."
Whether public cloud storage providers thrive or wither away may depend on how well they understand two things, Reichman says: how companies in different industries use data, and how important it is for those companies to keep their data secure.
A new crop of cloud providers, including Cirtas Systems, Nasuni, Panzura and StorSimple, have developed gateway storage products designed to be flexible enough to accommodate enterprises' varying storage needs. In essence, these vendors enable users to build hybrid clouds, using local caches for data that is used frequently, must be accessed quickly, requires tight security or is otherwise unsuited for the cloud, while sending the rest out to public storage.
"If a service provider can say, 'We know your workflow. We know how you deal with your customers. We know that this data is sensitive and that data is not, and we propose to do a better and cheaper job of holding the nonsensitive data for you,' then it's much more viable for that company to say, 'This offering will meet your needs,' " Reichman adds.
Data management service provider Iron Mountain, for example, has added an onsite storage option to supplement its Digital Record Center for Medical Images, a cloud storage service for medical data. The combination gives healthcare organizations greater flexibility in crafting their access and backup processes, says Iron Mountain.
But while many providers claim that their offerings enable compliance with specific regulatory mandates, there are few cloud storage services that are truly oriented to specific vertical industries, according to Reichman. "It would be hard for me to say that there is any major vertical where core applications are moving to the cloud yet," he says.
Cloud pays off for accounting firm
"Like everybody else, our storage needs are very diverse, and there are many different reasons for putting data in the cloud or not," says Peter Henley, CIO at Clark Nuber, a Bellevue, Wash.-based accounting firm.
For example, the company has solved version-control problems since it started using the cloud to store data that Clark Nuber accountants and clients closely collaborate on, he says. The firm keeps its data in Amazon's S3 cloud and has a file-sharing application from ShareFile on the front end. That setup has been a huge hit with users, according to Henley.
"We tried a highly collaborative portal, where we'd have contact lists, calendars, tasks and all that, but nobody used it -- and we still needed to collaborate on file storage, or file manipulation," he explains. "We needed a place where everybody could go, and this is so simple. People see a file, they download the file, they put it back and we pick it up."
When Clark Nuber was deciding on a file-sharing provider, security was a prime consideration. "We needed a provider that was large enough -- certainly larger than us -- with volume on its side so it could afford a much more secure data center than we could," says Henley. "Security was an easy call, actually. Security is going to be much better at a place like Amazon than it is at Clark Nuber -- we don't have armed guards outside our server room, if you get my point."
Clark Nuber clients who want data security assurances can get a SAS 70 audit report from Amazon, as well as statements from ShareFile and Clark Nuber itself on their roles in the security chain. "They're all different. ShareFile and Clark Nuber don't provide physical security for the data; Amazon does that. Clark Nuber doesn't provide any management of how the data gets to browsers; ShareFile does that. Neither Amazon nor ShareFile assigns users or has access to passwords; Clark Nuber does that," Henley explains.
Because Clark Nuber doesn't audit public companies, it doesn't have to take into account U.S. Securities and Exchange Commission mandates. But it does anyway, Henley says. For example, it ensures that data is encrypted while in transport and locked down while at rest, and it can assess audit logs should a breach occur.
Use of cloud-based file-sharing was once a competitive differentiator among accounting firms, but that's not necessarily the case anymore. "Everybody's getting into this now," says Henley.
Education group goes off-campus
For WhippleHill Communications, which provides a hosted Web communications platform for private schools, the need for a better backup strategy led to the cloud, says Doug Smart, IT manager at the Bedford, N.H., company.
Today WhippleHill backs up critical data using a public cloud backup service from Zetta. The company had been backing up those files to disk and storing them in a different building on the corporate campus, Smart says. "We decided that really wasn't offsite enough for data like our source code, documentation and Wikis. We needed to get those out of here, and Zetta made it easy," he adds. He points out that Zetta helped WhippleHill write automated backup scripts and that it offers Windows sync capabilities and support for a wide variety of file system protocols -- including Secure Shell FileSystem, which WhippleHill uses for Linux server backups.
Still, Smart says he's not ready to entrust highly sensitive data, such as human resources information or credit card numbers, to cloud storage. And he wouldn't change his mind on that before thoroughly investigating Zetta's policies and procedures for ensuring that its customers can meet mandates such as the those of the PCI Security Standards Council. "Frankly, I haven't talked to Zetta about encryption on its end, because it hasn't been important for what we've got out there now," says Smart, noting that the data is encrypted across the wire and protected by passwords.
Local government alleviates risk
Brian Moynihan, IT director for Clinton, Mich., a small town 20 miles northeast of Detroit, faced similar data storage decisions.
"Of course, we do the industry-standard backups, with multiple copies on RAID drives and online storage in vaults. But ultimately we realized the township in and of itself is a centralized location. No matter how many copies of data I have in buildings around the township, in the face of a natural disaster, we still have a single point of failure in terms of our stored data," he says.
A year and a half ago, Clinton's steering committee began exhaustive discussions about how best to address that problem. It eventually decided to turn to public cloud storage, but at that time the most readily available options were consumer-oriented offerings from Carbonite and Mozy, Moynihan says.
"We began investigating what it would take for us to do honest-to-goodness cloud-based offsite storage but didn't initially find anything that provided a real good fit for what we wanted to do, which was to have an archived, easily accessible offsite copy of our data," he says.
Then officials discovered AT&T Synaptic Storage as a Service, a pay-as-you-go storage option that was particularly attractive to the revenue-strapped municipality, Moynihan says. Although the township hasn't yet begun using the Synaptic service (Moynihan says key municipal decision-makers move at a glacial pace), it intends to rely on it for daily system backups and operational backups of financial management applications and other systems used on a day-to-day basis. Later, it will use Synaptic for long-term archiving of documents such as death records and property deeds that must be accessible, essentially, forever.
With the daily system and operational backups, Moynihan says, compliance isn't an issue. But the steering committee has concerns about the archiving. While the Freedom of Information Act requires that much of the township's historical data must be readily accessible, "that doesn't mean we want to publish everything openly on the Web," he says.
When choosing a public cloud storage provider, Moynihan says, officials had to consider where in the world the data might be kept. "For emotional and political reasons, people here don't want our data across borders," he explains.
For example, he had to rule out Google's cloud storage offering, because the company couldn't guarantee that the township's data would be stored on domestic servers. AT&T, on the other hand, identified the specific data center that would hold Clinton's data -- and it said the information would be encrypted.
Pharmaceutical firm trusts the cloud
At AMAG Pharmaceuticals, storage is part and parcel of a cloud computing strategy aimed at reducing IT costs and optimizing business capabilities. The Lexington, Mass., biopharmaceutical company uses Amazon's EC2 infrastructure and S3 storage services, as well as software-as-a-service options when possible, says Nate McBride, executive director of IT. "We're moving all of our storage to that environment, in two buckets -- for files and e-mail," he says, noting that the company uses Egnyte's Cloud File Server on the front end for files and Google and Postini systems for storage and archiving of e-mail.
McBride dismisses common concerns about cloud storage, saying he trusts the vendors to provide better data security than his small organization, and he notes that AMAG is in compliance with all relevant federal and state mandates, including the Sarbanes-Oxley Act. Simplistically speaking, he says, it's done by not linking AMAG and its personnel with the respective data types.
For public cloud storage users like McBride and PBS's Engelson, the question seems to be, "What's the fuss?"
"Talking about S3 seems so mundane; it really has become something that I don't worry about," Engelson says. "It's really just an extension of what we do -- we have to store our data somewhere, and S3 is our standard for that."
Encrypt data stored in the cloud
Encryption should help relieve any concerns about security and compliance that IT professionals might have when they're contemplating public cloud storage use, experts say.
"If the data is all encrypted and the keys are managed by the enterprise, then the company is pretty much protected from privacy regulations like PCI and HIPAA," says Ted Ritter, an analyst at Nemertes Research. "Physical location of the data might come into play for some companies, but really the key is to encrypt."
Gartner analyst Adam Couture agrees. "I've seen companies say, 'Oh, we're HIPAA-compliant and so our cloud storage provider needs to be HIPAA-compliant, too. But HIPAA says nothing about the architecture of the storage itself," he says. "It's really loosey-goosey."
What that means, according to Couture, is that regulatory concerns might affect a cloud storage decision, but the No. 1 trepidation is really security. "And for that, all I can say is if you're going to put stuff out there, you'd better encrypt it. And then at the end of a retention period, throw away the encryption keys," he says. "Your data might still be sitting out there on Amazon, but it's unusable" if it's encrypted.
Amer Khan, senior vice president of product management and development at eGistics, a Dallas-based provider of hosted document management software, agrees that it's important to encrypt data. A user of AT&T Synaptic Storage as a Service, eGistics encrypts its data locally and as it moves into the storage cloud.
The company also checked out AT&T's data centers prior to committing to using its cloud storage service. "AT&T is SAS 70 Type II- as well as PCI- and HIPAA-compliant. Those are important to us," Khan says. "Historically, all the data was under our control and management. As we give that up, we have to make sure all the same types of controls are in place and that we're not dropping the level of security on that data. That's paramount to our customers."
At eGistics, the decision to use cloud storage was part of a move to cloud computing in general; it also uses AT&T Synaptic Hosting. That's not uncommon, says Ritter: "First you make the decision to do cloud computing, then you figure out how to handle the storage."