Honest VARs and MSPs face problems with cloud storage services

If you’ve been in the IT industry for awhile, you’ve no doubt noticed that it goes through one hype cycle after another.  Many of us witnessed the dot-com explosion, implosion and subsequent MSP market conversion. Watching the cloud hype cycle of the past few years is a little disturbing -- not because I lack excitement about the massive possibilities of distributed computing, utility billing, virtualization advancements and economies of scale; they are large parts of my company’s business model. What bothers me is the extent to which companies will go to make a claim about the cloud. The exaggerations and omissions -- stemming from either ignorance, lack of risk aversion or outright dishonesty -- being used to sell cloud computing and cloud storage services are just nauseating. As an officer of a company competing in this environment, it’s especially hard for me to ignore these problems with cloud storage.  

This trend is similar to that of the mid-2000s MSP craze, when it seemed every vendor and VAR had an MSP service. Misrepresentation during the MSP craze got so bad that those of us who were MSP pioneers stopped using the term “MSP.” “Cloud services” today are all too often being over-sold, under-disclaimed and offered as appropriate for all. Today, if it’s on the Internet, it’s a cloud service.

The overhype seems continuous. I am rapidly growing tired of talking very smart people out of ill-conceived plans to move their entire world of highly sensitive data into a public cloud environment.  I cannot tell you how many people I run into who have been sold a bill of goods by opportunistic salespeople or investors who couldn’t properly engineer a turkey sandwich. They have convinced good people and good companies to sign long-term contracts for services that are way under-engineered or significantly insecure, exposing these companies to genuine risk of failure and the possibility of serious legal problems.

For example, I worked with a health care provider whose CEO had unfortunately signed a multiyear agreement for “hosted EMR.” The company is now stuck with a service that doesn’t meet their needs. The service is not secured, lacks database support and sufficient bandwidth, and the company cannot even run scheduling reports during the day because it taxes the system too much. The hosted EMR agreement disclaims any responsibility on the part of the service provider for security, availability and data integrity, which is a blatant violation of the provider’s HIPAA-related Business Associate obligations.

I suppose it’s up to the clients to verify the claims of organizations they do business with. But many customers considering the cloud are the least sophisticated and most likely to be caught up in the hype and misrepresentations of marketing twists or even outright fraud. Entire white papers are written without a single mention of risk, definitions of the cloud are all over the map, and the clients -- especially smaller businesses -- are left to fend for themselves. One confused potential client recently said, for example, that his company could move its data into a “compliant” cloud service and become compliant. Some agreements of major cloud service providers disclaim this by explaining that the client must secure its own data, but it’s often late in the process when a client makes this discovery, if ever.

Customers run into cloud storage issues in other areas as well. Over the past year I have seen several clients who have wanted out of the cloud, with their cloud provider unwilling to tell the client how to get their data, charging outrageous sums of money for conversion or offering the data in forms that are basically unusable or less compatible. On one occasion, a cloud backup services provider said its service was for convenience and that clients should not count on the backup. (Um, isn’t that the point of the backup service?) These firms say security (other than, usually, encryption of data in flight and at rest) is the client’s problem and offer no capability for the client to monitor the infrastructure or otherwise take responsibility for the security. Most cloud providers (the big cloud players, such as Amazon, as well as those that use Amazon to provide cloud services) take little or no liability for failure to protect data from loss or damage and typically have a “too bad” attitude about outages and downtime. Amazon’s response last year to a loss of data on EC2 is a perfect example of this. The company admitted 0.07 percent of its Elastic Block Storage (EBS) volumes weren’t recoverable and offered the equivalent of 10 days' billing in compensation to all customers.

To make matters worse, the agreements that many of the cloud service providers mentioned above are offering make outrageous claims to ownership of the data being stored and passed over the network. 

How is an honest company focused in this environment to survive, with such cloud challenges: competitors that are willing to cut corners; go without insurance; misstate facts; claim regulatory compliance when it does not exist; or even outright lie about the capability, cost, security and reliability of their services? The truth is, an honest company can compete in this market, but it is difficult and costly. If these issues of ethics and honesty are used as differentiators and if you can afford to get above the noise through guerilla marketing and PR, you can win against even the big players. The key question is, Can a small company get above the noise? The answer to that, all too often, is no.

If the cloud is to have a chance, we should let the hot air out now and peel back the layers of marketing hype to get to the real meat value in the cloud. This needs to happen before we have a repeat of what went on in the MSP market: The brand/market was damaged, which delayed its maturity and reduced its growth potential. If we are going to get past the spin, we are going to need an industry body to come up with cloud services certifications and to have terms clearly defined. We need to do a better job of policing our own market and calling out those who are doing a disservice to our industry. I’ll write more about those possibilities in an upcoming column.

Kevin McDonald is executive vice president and director of compliance practices at Alvaka Networks, a network services and security firm in Irvine, Calif.