Black holes of cloud technologies in Russia.
Author: Vad Zaborski
These days we often come across the term «cloud technologies», especially when information systems such as CRM or ERP are discussed.
At a presentation you may hear «Well! Our program is on the front line, we use cloud technologies!» or «The new version of our program has become even more reliable and easier to use, now we use cloud technologies!».
The term «cloud technologies» has become as popular in everyday Russian life as «nanotechnology».
But what is hiding behind this fashionable term? Are cloud technologies reliable and simple? Can they be used in the modern Russian reality?
Having analyzed numerous presentations on cloud technologies and related programs, and connecting this to my IT experience, I have arrived at the following understanding.
So, a cloud technology is a group of computers with specially installed software, linked together into a single network over the Internet. These computers can be located in different cities, countries or even continents. A special program allows the user to work with these computers as if working with a standard personal computer. If any computer in the group is disconnected for any reason, it is automatically replaced by another computer from the group. The user of a cloud technology, working with the program, does not see and does not feel that the program is maintained by a whole group of computers. For the user, the cloud technology is like an invisible computer standing somewhere "round the corner".
So far, everything is simple and clear.
Let's look briefly at the past.
The author of cloud technology, or cloud computing, is John McCarthy (the renowned American scientist, expert in computers, and author of the concept of "artificial intelligence"; see Wikipedia: http://en.wikipedia.org/wiki/John_McCarthy_%28computer_scientist%29). John McCarthy was the first to introduce the term «cloud computing», in the late sixties of the last century. The idea is to use computers connected in a network for difficult mathematical calculations. Cloud computing thus allows many standard computers to be used instead of one expensive, super-powerful computer, with the help of a special program that distributes the load between the computers.
This sounds attractive and economically efficient when, instead of a "project", you have an information system with a significant amount of data about clients, which is maintained by some third-party company. In addition, this information system can be accessed from your old laptop or a modern iPhone.
Is this "cloud" safe from the point of view of the safety of the commercial data placed in it?
This is where the most interesting part starts, because I was not able to get a definite answer from any Russian software manufacturer.
The point is that the computers serving the "cloud" where the information system is installed are physically located in data-processing centers, so-called data centers. In fact, the safety of your data depends on the reliability of the data-processing center and on your contractual conditions with the center. However, when subscribing to an information system working in the "cloud", you are not given the possibility of arranging a contract with the data-processing center.
If you do not have a contract with the data center, there are no official guarantees of the safety of your data in the cloud. In other words, in the case of a sudden termination of access to the client base due to a technical failure, nobody will be responsible. The problem becomes more complicated if the data-processing center chosen by the manufacturer of the information system is outside Russia.
In other countries there is a classification of data-processing centers. Any data-processing center can pass voluntary certification to obtain a specific level according to the conventional classification. This considerably simplifies the choice of a data-processing center.
Data-processing centers can have four levels depending on their fault tolerance in case of failures such as a loss of electricity or of the Internet connection, failure of servers, etc.:
Tier 1. Without reserve lines, servers and computer components.
Tier 2. Tier 1 + spare servers and components.
Tier 3. Tier 1 + Tier 2 + spare power supplies, reserve communication lines.
Tier 4. Tier 1 + Tier 2 + Tier 3 + a full fault-tolerance support system, cooled premises for the operation of servers, spare data storage systems, heating and ventilation systems, etc.
Tariffs for data-processing center services are set depending on the classification level of their equipment. When choosing a cheaper data-processing center, you as the client are aware of the level of risk to your data.
Unfortunately, no similar classification exists in Russia. Every data-processing center decides for itself how to work. Tariffs for services are also not a criterion of a data-processing center's reliability. Under these circumstances, the choice of the data-processing center should be made personally.
Under the standard approach, you buy an information system and install it in the local network of the company. Problems with safety and access restriction are in this case solved in our country in a very simple way that is, most importantly, transparent for the customer: the customer's system administrators disconnect users' compact disc drives and restrict (or completely disconnect) access to the Internet. Despite the primitiveness of these steps, the result is that there are only two points of penetration into the information system of the company: bribing an employee to get administrative rights, and penetration from the Internet through a system of gateways and other restrictions. The latter way is expensive and ineffective in the case of a small company.
When cloud technologies are used, access to the information system is provided by at least three different organizations:
1. Internet connection provider (organization providing access to the Internet).
2. Manufacturer of information system.
3. Hosting provider (organization that supports the operation of the "cloud" in which the information system runs).
You can independently choose only the first two organizations. The choice of the hosting provider, as a rule, remains with the manufacturer of the information system. It is almost impossible to change this arrangement, as each manufacturer of a "cloud" information system spends a certain time specially adjusting the system to work with a particular hosting provider (taking into account the chosen tariff, the operating system, and the allocated hardware resources).
Answers to questions about the reliability of the hosting provider, the characteristics of its equipment and its popularity typically come down to the words «Well, these are cloud technologies! Here everything is reliable, and you do not need to know all the details».
It turns out that with cloud technologies the possibility of penetration into the information system increases by 2.5 times, i.e. three new penetration points in addition to the two existing ones. In effect, this is the same as if your home computer with games, personal photos and correspondence with friends could be accessed by three more strangers.
In case of a technical failure or slow operation, the manufacturer of the "cloud" information system can point to malfunctions in the equipment of the hosting provider or to a slow Internet connection on the customer's side, and waiting for a solution to the problem can take a very long time. Don't forget that this is a matter of access to the information system where the data about clients is stored. The inability to get access to the database inevitably means a loss of clients and of profit for the customer.
The customer can influence this process only in one case: if the possible kinds of failures and the corresponding responsibilities are accurately listed in the contract with the manufacturer of the "cloud" information system. In reality, in our country the customer, as a rule, does not think about such problems, and the manufacturer of the system does not raise these matters. As a result, in case of failure the customer and its clients suffer, and it is almost impossible to make a claim.
Not so long ago the Federal law (#152-FZ) «About the personal data» was passed in our country. It guarantees to each citizen of the Russian Federation the safety of personal information and imposes certain duties for maintaining such safety on the organizations operating with this information.
According to this law, any company that has received, for example, a business card from a person at an exhibition is obliged to obtain from this person written permission for the processing of the data from the card. This grants the right to add the given person's information to the database of the company and to use it for calls, mailings and other actions. The company thus becomes, in the understanding of the law, an operator of personal data who is obliged to provide all conditions for maintaining its safety.
In other words, according to the law, if someone among the several tens or even hundreds of employees of the hosting provider or of the manufacturer of the "cloud" information system gets into the customer's database of clients, copies the personal information and uses it for their own interests or in the interests of third parties, then the customer of the information system will be legally responsible.
There is no doubt that cloud technologies are a new step in the development of information systems such as CRM and ERP. However, without proper legislative and technical support from the state and from experts in information technology in our country, work in the "cloud" bears, in my opinion, more risks than advantages for business.
So what should be chosen? As usual, it is a problem that you have to solve yourself.