Would you pay $33,000 for a used Dell PowerEdge R410 blade server? What if it were the one that made WikiLeaks a household name?
That’s what someone paid on eBay, where Bahnhof, WikiLeaks’ hosting provider, put the server up for sale. The auction is a cautionary tale for any SMB that outsources its telecom or IT to a cloud provider.
For example, if your data shares a server with another company that subsequently becomes the subject of an investigation, are you confident that your cloud provider will scrub all of your data before handing that box to investigators? For that matter, is the data center in a country whose laws even give cloud providers that option?
Those are just a few questions to ask when comparing cloud providers, and they highlight how the cloud can be a double-edged sword. Case in point: Hosted solutions are distributed geographically, so they provide far more reliability than on-premises solutions, which can be wiped out by a single flood or terrorist attack. But if that geographic distribution spans multiple countries, then multiple sets of laws apply to your data. SMBs need to be aware of which laws apply.
In the U.S., for example, laws limit a service provider’s ability to share customer proprietary network information (CPNI) with third parties such as marketers. Even so, SMBs should ask prospective cloud providers to provide clear descriptions of the types of information collected and how long it’s stored.
It’s also important to note that CPNI protections don’t apply when the third party is a law-enforcement agency. So SMBs also should ask prospective providers to describe how they react to a legal request to provide customer information – and what happens afterward. In the case of the WikiLeaks server, Bahnhof’s eBay listing said: “The hard disks…have been erased according to the U.S. specification DoD 5220.22-M where every byte of the hard disk is overwritten several times. The original information cannot be re-created, not even by NSA.”
But that didn’t placate WikiLeaks, which tweeted: “Bahnhof did not seek permission to auction the WikiLeaks server or to use it for marketing purposes, or to send the proceeds to others.” The moral of this story is that SMBs should require prospective cloud providers to describe their policy for disposing of equipment, including the processes used to scrub customer data before it goes out the door.
It’s also important to note that cloud providers sometimes are limited in terms of the privacy and security guarantees they can provide. For example, a hosted VoIP provider can require its downstream network providers to meet certain performance metrics, but it can’t tell them not to route calls through countries whose laws – or lack thereof – facilitate eavesdropping.
SMBs also should ask prospective cloud providers whether they’ll submit to third-party audits to ensure their clients’ compliance with industry-specific regulations and with broader best practices such as ISO 27002. That advice highlights another reason why hosted telecom and IT services can provide greater security, privacy and compliance than premise-based solutions: SMBs that try to do everything in house often don’t follow best practices such as changing passwords on a regular basis or implementing security patches in a timely manner. Reasons include not enough time, budget or both, but either way, cloud providers are better positioned to ensure that their clients’ data and communications don’t fall into the wrong hands – at any price.
Ari Rabban is an IP communications industry veteran, with specific expertise in the start-up environment, moving companies from concept to operation. He joins Phone.com from Pulver Ventures, an incubator for new IT companies, where he served as managing director and vice president. Previously, Ari served as vice president of corporate development and marketing for VocalTec Communications, the VoIP market pioneer and developer of the first Internet phone.