Talking about Clouds

Talking about Cloud Services
The past few days I was thinking pretty much about the upcoming trend of “Clouds”. By that, I of course do not mean the weather occurrence – I am talking about “Cloud”-Services.
So, what is a Cloud-Service in general? To sum it up, a Cloud-Service is a service provided by a third party which allows me to use features I could probably not use without it, or only with a huge effort. Furthermore, a Cloud provides me with features which are often described as “seamless”, “immediately”, “push” or “over the air”. A very popular topic in which Clouds are being used nowadays is synchronization. “I want my data, and I want it everywhere, every time”, that is actually the main mission Clouds often try to realize. Two examples of very popular Clouds are RIM’s BlackBerry service and the newcomer called MobileMe, carried by Apple.
So, I informed myself a bit about these two Clouds, because I actually wanted to know if it’s worth spending money on such a service. I’ve seen a demonstration of MobileMe at one of Apple’s Keynotes some time ago and it got me interested. The BlackBerry service I can see every day at work, though I’ve never really informed myself about the technique it’s using in the background, until now. The only technical information I had about these gadgets was that they’re pretty good at keeping a company’s infrastructure team occupied for days/weeks while solving curious, irreproducible problems. Because of that, BlackBerry goes back a long way with me, so that I would not be able to carry out a comparison between these two services and say what’s better and what’s not. Luckily, this is not what I’m trying to do here. I would like to talk about such Cloud services in general (with the mentioned services in mind) and point out the problems I see with those.
The first issue I would like to begin with concerns the administration. Let’s say we’re using our RIM Cloud and we would like to activate a new gadget, to be able to make use of it in our network. It doesn’t seem to be all that untypical for this activation to just fail for an unknown reason, from what I’ve seen. So, what can the administration do? Well… actually, not what their name (“administration”) is meant for; instead they have to act more like “operators”: check the manual to see if they did everything right, check the troubleshooting FAQ and try every one of the proposed solutions and, last but not least, call the support and do what they say. It’s impossible for the administration to do any kind of debugging by themselves. And this fact is not only true for the activation: as soon as it gets into deeper problems with the Cloud service itself, an administrator becomes an operator or even just “remote hands” for the Cloud provider.
“And why is that bad?”, you might ask now. Well, by that, a company’s infrastructure is dependent on a third-party service provider’s reaction times and ways, for services that could probably be used in other ways with more efficiency and, what is more important, without a third party. This argument seems to be pretty thin at first look, because now you could say that in general everything that has to do with communications is managed by third parties (e.g. cell carriers, ISPs), but still there’s one difference: the probability of failures or breakdowns of the respective “Cloud”. The chance of my mobile phone not delivering SMS or not connecting to the UMTS network because of provider-side failures is much lower than the chance of a BlackBerry denying its service partially, due to problems on the provider’s side, between the communication components on the provider’s and the client’s side, or in the data exchange between the client’s groupware and his communication component. And like I just said, in most cases the administration is powerless and can’t debug what goes wrong.
Another aspect of Clouds regards data security. When there’s a third party involved in that whole “I want to synchronize my life” thing, you can never know who’s actually reading along. Of course, the cool graphics on the provider’s sites show you that the whole traffic between the endpoints (communication component on the client’s side and mobile gadget) is end-to-end encrypted with strong algorithms. But do you really know?
Let’s be paranoid: What if RIM, for example, builds up an end-to-end encryption between the client’s communication component (e.g. BES) and the “left side” of a proxy running within their infrastructure? On the “right side”, this proxy sets up an end-to-end encryption between itself and the mobile gadget. For the customer it could look like he just “paired” his device with his communication component and everything is strongly secure, but the provider could still log everything passing through his proxy.
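The split-tunnel scenario above can be checked for from the customer's side by comparing key fingerprints out of band. The following is an added example, not part of the original post and not RIM's protocol: the `Endpoint`, `pair` and `relay_detected` names are hypothetical, and the Diffie-Hellman group is a toy choice for illustration only.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption, illustration only; not vetted for real use).
P = 2**255 - 19
G = 2


class Endpoint:
    """One party in a key agreement: the server component, the handheld, or a relay."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self._priv, P)

    def session_key(self, peer_pub):
        # Derive a symmetric key from the shared Diffie-Hellman secret.
        shared = pow(peer_pub, self._priv, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def fingerprint(key):
    """Short string each side can display so a human can compare both ends."""
    return hashlib.sha256(b"fp" + key).hexdigest()[:16]


def pair(server, device, relay=None):
    """Return (server_fp, device_fp) as each end would see it after pairing.

    With a relay in the path, each end receives the relay's public key instead
    of its real peer's, so two separate encrypted legs are set up.
    """
    if relay is None:
        return (fingerprint(server.session_key(device.pub)),
                fingerprint(device.session_key(server.pub)))
    return (fingerprint(server.session_key(relay.pub)),
            fingerprint(device.session_key(relay.pub)))


def relay_detected(server_fp, device_fp):
    """Differing fingerprints mean the two ends do not share one key."""
    return server_fp != device_fp


if __name__ == "__main__":
    s, d, r = Endpoint("server"), Endpoint("device"), Endpoint("relay")
    print("direct :", pair(s, d))     # both fingerprints identical
    print("relayed:", pair(s, d, r))  # fingerprints differ
```

The comparison only helps when the fingerprints are read off both endpoints through a channel the provider does not control, for example on the device screen and the server console.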
Or let’s take Apple. They don’t even seem to really try to implement security. Maybe regular Apple users are so naive and/or unaware of the risks of missing security that they just do not care. The MobileMe “Web Apps” (the web interface for accessing your data) only provide SSL encryption on login and when account information is changed – at least this is my last level of information. Please correct me if I am wrong on this. Besides this, I know that IMAP and SMTP seem to be encrypted, but I’m not sure what’s with the synchronization of your iCal, your contacts or your files.
Nevertheless, Apple’s MobileMe pushes the security and data sensitivity question to a higher level: What happens with the data I’m transmitting to my Cloud? Where is it actually stored? Who has access? Et cetera. The presentations of MobileMe really look cool, and it’s interesting to see all that implemented without using Redmond’s “ActiveSync”. Still, it’s questionable in what way the data users upload will be used. And it’s even more questionable why people might pay for letting third parties use their data, without thinking twice about the consequences this could have.
I mean, of course it would be possible to use GPG for encrypting every mail and every file pushed to the Cloud; unfortunately this would make the data pretty unusable on the mobile gadgets, which by the way makes me think of another point: How come there are nearly no data encryption products available for Cloud services, provided by other companies? I know that PGP has some BlackBerry add-on which allows the clients to secure at least their e-mails through PGP encryption and even make them readable on their mobile gadgets. Unfortunately this only solves the mail part; everything else could theoretically still be read by other parties (for example the government of India). And MobileMe doesn’t provide something like PGP at all.
To sum it up, I would say that the general problem with Clouds is the loss of control over data and functionality. Sensitive information gets spread through the net to service providers and maybe other companies, without the client even noticing it. And all this because of all kinds of push services and synchronization features, which could actually be done in other ways, without a third-party cloud. Why not use IMAP(S) IDLE on the mobile gadgets for e-mails? Why not set up an MS Exchange and use ActiveSync with your iPhone or whatever other mobile device? It would work, just the way BlackBerry or MobileMe does, with pros and cons. But at least it would be a solution managed by oneself, not involving a third party and especially not sending sensitive data through untrustworthy services.
Oh well.
Good day! I simply want to give a huge thumbs up for the good data you’ve here on this post. I shall be coming again to your blog for extra soon.