Skip to main content
Scientific American

May 9, 2012

Cloud Storage

By Alan Woodward

This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American

Technology is awash with buzzwords, and one of the most used recently is “cloud computing”. It can be thought of as three layers, each built upon the layer below:

  1. Software as a Service (SaaS) –providers install and operate applications for users to access over the internet, ranging from simple office processing to complex customer relationship management systems;

  2. Platform as a Service (PaaS) – where providers offer use of a server with, for example, a database system already installed, onto which a user installs and runs their own applications;

  3. Infrastructure as a Service (IaaS) – where providers offer access to what appears to be computer hardware, such as disk storage or servers.

Many of us use services, essentially IaaS, to store our files online with services such as Dropbox, Microsoft’s SkyDrive, Amazon’s Simple Storage Service (S3), Apple’s iCloud, and perhaps a relative late comer, launched last week, Google Drive. Each has its own technical merits: some can be accessed from a greater range of devices; some provide support for editing document types using applications that are provided via your browser; and so on.

On supporting science journalism

If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.

Whereas 40 years ago 1 Gigabyte of hard disk storage would have cost over £1.8m (assuming you could have produced it), today it costs pennies to produce. Storage has become a commodity and this allows businesses to offer services that promise to take away the routine housekeeping that goes with storing your data, for a price that makes it attractive. With Dropbox reportedly storing some 100 billion files by May 2011, and Amazon claiming that their Simple Storage Service (S3) contained some 905 billion "objects" at end of the first quarter of 2012, the last year appears to show a growing mass market adoption of cloud storage.

Not surprising then that competition in this market is increasing, prices are falling, and more ancillary services are being offered to help differentiate one provider from another. However, concerns continue to surface, and the launch of a new service brings them back into the public consciousness. These concerns are not necessarily only technical in nature, nor, surprisingly, are they about how secure the data is from external hackers, although this is clearly seen as a basic requirement of any such service. The concerns revolve around more subtle issues such as who has what rights in the data you place in the keeping of an online storage provider, and who is liable if data is lost or misused.

When Google Drive launched last week, people’s attention was quickly drawn to the “terms of service”, which a user will be bound by if they upload their data. I’m sure some users were surprised to see that Google retained the right to, for example, “…communicate, publish, publicly perform, publicly display and distribute…” your data. Words such as these caused quite a reaction, with one article describing them as a “toxic brew”. The terms do make clear that these rights were required for the operation and improvement of the Google Drive service but this is a remarkably broad definition I think it is also worth noting that other services have similar legal terms associated with their use, with others, who were earlier into the market, had to issue clarifications that they in no way were seeking to take ownership of the data stored with their services. In the case of Google, there may have been added public concern as it came so soon after Google was obliged to explain the implications of its move to consolidate the privacy policies across all of its services, into a single policy.

What the negative reactions to these types of legal notices do show is that providers need to communicate the roles and responsibilities of everyone involved in the clearest possible terms, including those using the service.

If all you store in the cloud is files that you would openly publish on the web, or don’t mind losing, then you probably won’t care much about such terms and conditions. However, if your data has intrinsic value or, potentially worse, would cause damage if it were revealed in some way, then you really need to conduct some checks before committing to a particular service provider. Yes, read the terms and conditions for the service. Make sure you understand them, and, more importantly, that you’re happy with the roles and responsibilities of both you and the service provider. Likewise, the provider’s website should have answers to the questions you are likely to ask. If the language used is so complex or they give obscure answers that you can’t understand it, then move on: there are providers who do take the time to write terms of service in plain English.

In addition, and as part of informing your review of the terms of service, you need to think about items such as:

  1. Viability of the company and/or service - some cloud storage companies have disappeared or have withdrawn a service at short notice.

  2. Connectivity - does the provider support access from the devices you use?

  3. Service availability – what commitments does the provider make for the availability of your data, and what can you do if your data is unavailable?

  4. Protection – how does the provider protect against contamination, accidental deletion or copying, or hardware failures?

  5. Deletion – does delete really mean delete, including from backups? Or is your data sensitive enough that you would want the storage media physically destroyed to prevent recovery?

  6. Transparency – what else does the provider do with your data? For example, do they “index” your data to allow for searching, and if so, who has access to this?

Opting for a well-known name is not necessarily the best choice if you also need to be careful about the geographical regions in which your data will be stored. Very large providers often have data storage facilities spread around the world, and your data could be spread equally widely. Although more for a business concern, in the UK if you hold certain types of personal data on others you will (or should) be registered with the Information Commissioner, and so should know that there are very particular rules under which you can transfer such data outside of the EU. There are Safe Harbor arrangements for transferring data between the UK and the US, but the rules are not trivial and some providers might not always be happy to oblige. You might like to ask any provider who is located outside of your country if they can tell you where your data (or its backups) will physically reside.

You also have to be able to trust those that have access to the physical data storage on which your data resides. Have a look to see if the provider says anything about how it controls such access or how the personnel are chosen. If neither of these points is addressed, then look to see what responsibility, if any, the provider takes if your data were to be leaked.

The bottom line is that cloud storage providers are businesses and will seek to protect themselves first and foremost. With prices being driven down by increased competition, businesses will attempt to put in place a contract (for that is what it is) that limits their liability to something that they consider proportionate to the value they earn from you as a user. So, if you pay nothing you can largely expect the same level of liability and that might end up costing you rather more later. Take nothing for granted, and conduct a level of due diligence that is appropriate to the value and nature of data you are entrusting to your cloud storage provider.

Image source

Alan Woodward is a Professor at the Department of Computing, University of Surrey, where he specialises in cyber security, computer forensics, cryptography and steganography. Alan began with a degree in physics but did his postgraduate research in signal processing at a time when computing power began to enable some radical changes to what was possible. He began his career working for the UK government, was involved in delivering some of the most challenging IT developments of the past 20 years for a variety of organisations and has for the past 10 years since when he has also been Chief Technology Officer a company called Charteris which he helped to build from a start up and float on the London Stock Exchange. As well as writing extensively in the UK on technology as well as presenting on current affairs issues relating to technology for the likes of BBC TV and radio, Alan remains actively involved in the daily battles that occur in cyberspace.

More by Alan Woodward