I recently wrote about the FBI raid at DigitalOne, where law enforcement seized from a data center far more servers than were actually under suspicion. This caused unnecessary outages and business disruption. I argued briefly that a company hosting its compute and data in a cloud (versus the dedicated blades that were seized) would have been better positioned to deal with such a mess: workloads could have been relocated and traffic rerouted in a matter of hours, if not minutes.
The proper application of cloud compute and cloud storage can safeguard us from a single point of failure quite easily. With my machine image in a public or distributed private cloud, the workload can be migrated automatically. With my data on cloud (object) storage I don’t even need to do that much, since remote replicas are the default in any decent cloud storage model. That only addresses the availability part of the problem, however; replication does nothing for the confidentiality of whatever copy is carried out of the building.
Let’s be realistic about the precedent this event sets: whether your application and/or data is on a physical box or hosted in a cloud, sooner or later someone else will have physical possession of that data. I probably overstate the case; this is not the precedent-setting event but just another example of chicanery afoot. Still, whether your opponent is LulzSec, Anonymous or some government agency on the prowl, there is no provision for your data security but that which you undertake on your own.
The trusted cloud conversation thus far has centered on securing multi-tenancy against a rogue who crosses the hypervisor barrier or somehow hacks object tokens to read data that is not his. What do we do when the “criminal” in this case forcibly removes the hardware from the data center, with the operator under duress to allow it? What if this were to happen with, say, Carbonite or Mozy, who collectively store data from millions of consumer and small business backups? It is unreasonable to expect that your innocent data is physically isolated from suspected criminal data, or that criminals or law enforcement would simply ignore your “uninteresting” data while confiscating the assets. Do we trust the vendors’ strong encryption claims enough to stomach another asset grab like this, or trust that the legal process would unfold properly and allow us time to evaluate the potential impact of a breach? If you are a regulated company with a fiduciary responsibility to guarantee chain of custody for your data, what does an event like this mean to your business? (hint: it’s not good)
What this does is send a chill down the spine of everyone (like me) trying to build the trusted cloud and foster adoption of the model for its overwhelming benefits. I only hope this does not cause the knee-jerk turtling reaction I fear it might.
With Monday morning quarterbacking in full swing, there are valid criticisms to level at DigitalOne, the FBI and even the poor customers who hosted with them. Marco Arment’s response for InstaPaper is, I think, the proper one. He takes as much responsibility as one can reasonably expect from a service provider and is committed to implementing more direct measures in the future. DigitalOne, as far as I can find, has said nothing, and that silence is already having a direct impact on their customer base (they did lose InstaPaper, it would seem).
For now, this event has strengthened my resolve to encrypt everything. If the government wants my data this will not stop them. I only hope to avoid the unlocked door dilemma: data that leaves the building in the clear is simply read. The corollary is that encryption at rest only helps when the keys live somewhere other than the hardware that gets carried out; a key sitting on the same disk as the data is an unlocked door with the key in the lock. In the meantime, I expect nothing to change with the rest of our data stewards, from banks to bookstores. That’s where the conversation needs to start.
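As an added example of what “encrypt everything” looks like in practice (this is illustrative code written for this page, not the author’s tooling or any vendor’s API), the Go program below does envelope encryption before anything reaches the storage provider: each object is encrypted with a fresh random data key under AES-256-GCM, that data key is wrapped under a master key the customer holds, and the object name is bound as associated data so a blob cannot be quietly swapped between names. The blob layout, the object name and the origin of the master key (assumed to come from a local KMS or HSM and never to be uploaded) are assumptions for the example. The provider, or whoever seizes the provider’s disks, ends up holding only the blob, and any tampering, wrong key or renamed object fails authentication instead of yielding plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob layout (assumed for this example, not any vendor's format):
//   [12-byte wrap nonce][48-byte wrapped data key][12-byte data nonce][ciphertext || 16-byte tag]
const (
	keyLen     = 32              // AES-256
	nonceLen   = 12              // standard GCM nonce size
	tagLen     = 16              // GCM authentication tag
	wrappedLen = keyLen + tagLen // data key sealed under the master key
	headerLen  = nonceLen + wrappedLen + nonceLen
)

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh data key, wraps that data key under
// masterKey, and returns the single blob handed to the storage provider.
// objectName is authenticated as associated data; the master key itself never
// appears in the blob.
func Seal(masterKey []byte, objectName string, plaintext []byte) ([]byte, error) {
	kek, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	dek, err := randomBytes(keyLen)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(nonceLen)
	if err != nil {
		return nil, err
	}
	dataNonce, err := randomBytes(nonceLen)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	aad := []byte(objectName)
	blob := make([]byte, 0, headerLen+len(plaintext)+tagLen)
	blob = append(blob, wrapNonce...)
	blob = kek.Seal(blob, wrapNonce, dek, aad) // appends the 48-byte wrapped key
	blob = append(blob, dataNonce...)
	return dataAEAD.Seal(blob, dataNonce, plaintext, aad), nil
}

// Open reverses Seal. A modified blob, a different object name or the wrong
// master key all return an error, because GCM authenticates before releasing
// any plaintext.
func Open(masterKey []byte, objectName string, blob []byte) ([]byte, error) {
	if len(blob) < headerLen+tagLen {
		return nil, errors.New("blob too short")
	}
	kek, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	aad := []byte(objectName)
	wrapNonce := blob[:nonceLen]
	wrapped := blob[nonceLen : nonceLen+wrappedLen]
	dataNonce := blob[nonceLen+wrappedLen : headerLen]
	dek, err := kek.Open(nil, wrapNonce, wrapped, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataAEAD.Open(nil, dataNonce, blob[headerLen:], aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt object: %w", err)
	}
	return pt, nil
}

func main() {
	masterKey, _ := randomBytes(keyLen) // assumption: fetched from a local KMS/HSM, never uploaded
	blob, _ := Seal(masterKey, "backups/customers.tar", []byte("constructed sample record"))
	pt, err := Open(masterKey, "backups/customers.tar", blob)
	fmt.Printf("provider sees %d opaque bytes; owner recovers %q (err=%v)\n", len(blob), pt, err)
}
```

The point to take from the design is where the master key lives: as long as it stays with the customer, a seized disk, a subpoenaed replica or a leaked bucket holds nothing more than the blob, and the provider’s own encryption claims no longer have to be taken on faith.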