Monday, June 25, 2012

Enterprise Cloud Storage Adoption - What's the Holdup?

Adoption of Enterprise Cloud Storage is picking up steam; however, many organizations today maintain a fundamental belief that data will not be allowed outside the four walls of their company. That is easy to do in an on-premise, private-cloud-only world, but more difficult when a company wants to take advantage of off-premise options. I question the value of the majority of the data being so blindly and passionately protected, but there is definitely a core that simply cannot be put at risk. So the fundamental question is: what constitutes risk?

I believe people see risk as a combination of cost, access, governance, security and location. When it comes to cost, it's easy to see that cloud storage gets a big check in the positive column for off-premise and a standard-sized check for on-premise. Cloud storage is simply the cheapest storage available, period. Access, I feel, is neutral for on-premise because the same tools we use today to manage authentication and authorization are applicable in the cloud world, and all storage is connected to the network in some way, making it accessible to applications. Off-premise providers haven't focused enough on this area, and they really need to get to work on it. A company shouldn't have to replicate its directory to unlock the value of off-premise cloud. However, as companies mobilize their workforce, the tip of the hat definitely goes to off-premise, where enterprise mobile storage clouds are readily available. Governance, again, is a wash for on-premise and can be for off-premise as long as the data is controlled and owned by the company. Some off-premise providers include more refined storage offerings, obviating the need for backups and lifecycle management and bringing new value over on-premise solutions.

Security is a key issue. Today's de facto standards of encrypt at rest and encrypt in transit must be applied universally, and once they are, there is only one differentiation between on-premise and off-premise. When a subpoena is delivered, what does an off-premise provider do? The answer has to be 'hand over the data', and this is where companies balk, push back from the table, and walk out of the room. However, there is a simple solution: build the solution so the consumer owns and has sole access to the encryption keys. The less a provider knows about the details of the data, the better off they are, because the risk is lower. No accidental leaks. No mischievous downloads. No secrets divulged by a successful hack. The owner of the data will still have the ability to exhaust all of their legal obligations before turning over the data in the form of the decryption keys. If the government can decrypt AES-256, currently estimated to take 4.7 trillion years per key, then they already have enough power to hack into the system and get the data directly, in which case the whole argument is moot.
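The customer-held-key arrangement described above, as an added example that is not part of the original post: data is encrypted with AES-256-GCM before it leaves the customer, so the provider stores only an opaque blob it cannot open. The function names, the object name, and the choice to authenticate the object name alongside the data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // enforce AES-256; NewCipher also accepts 16- and 24-byte keys
		return nil, errors.New("customer key must be 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(block)
}

// EncryptForUpload runs customer-side; nonce||ciphertext||tag is all the provider stores.
func EncryptForUpload(key []byte, objectName string, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, []byte(objectName)), nil // name is authenticated
}

// DecryptAfterDownload fails on a wrong key, a modified blob, or a blob moved to another name.
func DecryptAfterDownload(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], []byte(objectName))
	}
	return nil, errors.New("blob shorter than nonce")
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key stays in the customer's KMS or HSM
	if _, err := rand.Read(key); err == nil {
		blob, err := EncryptForUpload(key, "reports/q2.csv", []byte("constructed sample data"))
		fmt.Printf("provider stores only: %x (err=%v)\n", blob, err)
	}
}
```

Anything the provider can hand over, leak or lose is the blob alone; reading it requires the key that never left the customer.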

Location is another key issue because it implies control. Part of this control is the ability to pass through several physical or logical security checkpoints before being able to hug the storage cabinet. However, this is only the appearance of control, because putting your arms around something and doing something with it are two different tasks. A more pressing issue of control is the gravity of assets. Companies have storage today, lots of it, and storage lasts longer than servers. Who wouldn't want to take advantage of storage for as long as possible? However, again, with a little imagination, in the form of buybacks, early retirements, and asset transfers, moving off-premise or building an on-premise storage cloud can make the location issue immaterial.

Of course I had to save the best for last...to entice you to read this far...

There is one tremendous benefit of off-premise cloud that will slowly tip the entirety of storage into its favor. As interactions grow, as more data is gathered, our centralized model of bringing data back to one location will strain and ultimately prove untenable. As I have quoted before, next to the cost of moving data, everything else in any data center is free. Although the network equipment providers, telcos, and others are salivating, the reality is we didn't lay enough extra fiber in the late 1990s to take up all the traffic. There just isn't enough to go around. The only other option is to adopt a distributed data model with federated data management. I was able to get traction with this model in smart grid and believe it's as inevitable as cloud, death and taxes.
