[Hampshire] The perils of SaaS (Was Re: Due Diligence of Service Providers)

2010-11-12 Thread Andy Smith
Hi Jan,

On Fri, Nov 12, 2010 at 04:28:14PM -, Jan Henkins wrote:
> I think I'm getting old, since I read this thread with a growing sense of
> horror. If you outsource the total gamut of your IT infrastructure in a
> SaaS sense (fancy name for cloud-space), are you really saving in the long
> run?

I'm not sure that anyone is recommending "[outsourcing] the total
gamut of your IT infrastructure in a SaaS sense" though. Clouds and
SaaS have existed for a lot longer than the names themselves have,
and when used appropriately can save a lot of money vs doing it
yourself to the same standard.

> On Fri, November 12, 2010 15:56, Imran Chaudhry wrote:

Careful with the attributions; I wrote the below, not Imran. :)

> >> In all honesty if my needs were great enough that just spreading my
> >> encrypted data over three or so different storage providers wasn't
> >> enough then I would be tempted to build it myself, using the cloud
> >> storage services directly.
> 
> This would be at a pure minimum, a "redundant" setup with three separate
> cloud storage providers. All of it with high levels of encryption. And
> redundant UPSes for each UPS! :-)

You have decreased visibility into how any of your providers manages
their own risk, so you most likely won't know, for example, anything
about their UPSes.

The point is that with enough redundancy, you are isolated from
failure at some small number of your suppliers, and a below-par
supplier can be changed a lot more easily.

You have to decide what parts of the process are too important to
trust to another entity and take those in-house, accepting that it's
most likely going to cost you a lot more to do it than some other
entity which resells the same thing on a vast scale.

> Yes, off-site storage is cool, and if you use it in the right way, it's a
> great way to safeguard your data. But SaaS? How are you going to access
> your data if all you have is a single candle burning in the middle of the
> room? I hope you have multiple contingency plans ready. I have to admit
> that I have not had time to keep up with the technical niceties of the
> specific SaaS offerings out there, but I cannot help but view it with
> intense distrust.
> 
> Brrr, horrible thought, not being able to get to your data. I think I'll
> have a sleepless night tonight... :-)

Building something around a Software as a Service model doesn't
imply locking all your data up in some single remote location.

Human beings do tend to blindly trust their data to the remote black
box, and then may experience discomfort if the remote black box
breaks. But it is hard to see this particular human failure mode as
a condemnation of all SaaS concepts. As in everything we do every
day, you have to manage risk.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

Q. How many mathematicians does it take to change a light bulb?
A. Only one - who gives it to six Californians, thereby reducing the problem
   to an earlier joke.


--
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--

[Hampshire] USB switches

2010-11-12 Thread Edward Beckmann
Hi All

Like most of you, I have a few computers and need to share a couple of
printers and an external HDD. None of the computers is on all the time so I
do not want to rely on it to do hosting / sharing - are there any USB
switches that people can either highly recommend or avoid at all costs
please?

The only constraint is I do not want something that runs from the mains all of
the time. Driving stuff from the router is not an option either.

Thanks

Ed

-- 
Ed

Re: [Hampshire] Due Diligence of Service Providers

2010-11-12 Thread Vic

>> Note that the US is *not* on the list of countries with an adequate
>> level of protection...
>
> There exists a solution to this called the US Safe Harbor Framework:
> http://www.export.gov/safeharbor/eu/eg_main_018365.asp

Sort of.

"Safe Harbor" is only available to US organisations, so you need to check
that you're actually covered. Then it gets interesting[1]...

SH is largely based on self-certification, and apparently isn't being
audited all that carefully. Exporting data from the EEA to a
self-certified but non-conforming organisation is a legal minefield - in
essence, you're almost certainly in breach of the DPA.

So yes - there is a mechanism there, but I'd want an awful lot of good
lawyering before I'd use it.

Vic.

[1] See, for example, http://www.out-law.com/page-11060

Re: [Hampshire] Due Diligence of Service Providers

2010-11-12 Thread Jan Henkins
Hello all,

I think I'm getting old, since I read this thread with a growing sense of
horror. If you outsource the total gamut of your IT infrastructure in a
SaaS sense (fancy name for cloud-space), are you really saving in the long
run?

On Fri, November 12, 2010 15:56, Imran Chaudhry wrote:
>> In all honesty if my needs were great enough that just spreading my
>> encrypted data over three or so different storage providers wasn't
>> enough then I would be tempted to build it myself, using the cloud
>> storage services directly.

This would be at a pure minimum, a "redundant" setup with three separate
cloud storage providers. All of it with high levels of encryption. And
redundant UPSes for each UPS! :-)

> We're moving more towards SaaS for many things so this idea is out.

Sorry to say this (I feel very old fashioned at the moment), but be very
very careful. Having all your applications and data off-site is a security
risk of almost incalculable proportions. The possibility of somebody
cracking your encryption is the smallest risk, the biggest is not having
access to your corporate data for whatever reason. I am very glad that I'm
not the I.T. manager who has to work on this particular project. I was
taught by my (quite conservative) parents that the further you are from
your property, the closer you are to your calamity! :-)

Yes, off-site storage is cool, and if you use it in the right way, it's a
great way to safeguard your data. But SaaS? How are you going to access
your data if all you have is a single candle burning in the middle of the
room? I hope you have multiple contingency plans ready. I have to admit
that I have not had time to keep up with the technical niceties of the
specific SaaS offerings out there, but I cannot help but view it with
intense distrust.

Brrr, horrible thought, not being able to get to your data. I think I'll
have a sleepless night tonight... :-)

-- 
Regards,
Jan Henkins

Re: [Hampshire] Due Diligence of Service Providers

2010-11-12 Thread Imran Chaudhry
Many thanks for the replies. I get the digest so I'm going to munge
several replies into one.

>> The backup service providers are often US-based small businesses who
>> outsource functions to other service providers such as Amazon Web
>> Services.
>
> Be careful with putting data on US servers.
>
> The Data Protection Act states :-
>
> "Personal data shall not be transferred to a country or territory outside
> the EEA unless that country or territory ensures an adequate level of
> protection for the rights and freedoms of data subjects in relation to the
> processing of personal data."
>
> Note that the US is *not* on the list of countries with an adequate level
> of protection...
>
> If this is simply backup data - and particularly if you store it in an
> encrypted filesystem - then the backup process may not qualify as a
> "transfer" under the Act. But this is the sort of thing you need to check.

There exists a solution to this called the US Safe Harbor Framework:
http://www.export.gov/safeharbor/eu/eg_main_018365.asp

>
> How much data are you talking about? It might be a lot easier to host in
> Europe...

Because of the nature of the SaaS provider we're limited to specialist
providers. Some of them use Amazon Web Services, which offers a regional
service based in Ireland. AWS specifically mention this as a way of
being compliant with regulations:
http://aws.amazon.com/s3/faqs/#How_do_I_decide_which_Region_to_store_my_data_in

> Ask if you can get a definitive list of the backend services in use
> so that you can avoid shared fate (e.g. you lose an important file
> at the same time that Amazon Web Services suffers a global outage,
> and you find that all three of your offsite backup providers
> actually resell AWS). This might be difficult to get them to commit
> to, since they probably want the flexibility to change that behind
> the scenes.
>

The service provider is being cagey about specific details. They claim
to follow security best practice. AWS appear to have a very good
security policy in place regarding their setup:
http://aws.amazon.com/security/

> In all honesty if my needs were great enough that just spreading my
> encrypted data over three or so different storage providers wasn't
> enough then I would be tempted to build it myself, using the cloud
> storage services directly.

We're moving more towards SaaS for many things so this idea is out.

Thanks
-- 
GPG Key fingerprint = B323 477E F6AB 4181 9C65  F637 BC5F 7FCC 9CC9 CC7F
