As you know from my previous blog entry, it is my opinion that using the cloud (some server out there in cyberspace) for MES data is not a good idea. Here I will explore some of the risks that led me to this conclusion.
My first concern is with the confidentiality of the data. Although the very nature of the internet certainly poses some security risks, I do think that risk is largely overstated, particularly by those who want to sell security solutions. Most of us are pretty safe in common transactions. Obviously large or visible organizations are more at risk, but they also have tighter security protocols.
However, you may not realize that some content that you create or post “in the Cloud” does not stay confidential. Here is an example of the terms and conditions of a popular Cloud solution:
11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services. [1]
However, if you keep your formulations, production stats, costing, regulatory compliance data, and other very confidential internal information off-site on someone else’s server, all it takes is one greedy technical person with a memory stick, and that data can be in your competitor’s hands tomorrow. While I realize that most providers take exceptional security precautions, even the most secure systems can be hacked. Perhaps one could argue that data on a provider’s secure server is more secure than on one of yours, precisely because the provider has more security experience. But there is no substitute for locking the server room door and disconnecting the MES server from the outside world.
It is true that the same greedy individual with a memory stick and access to your server room can do the same damage – but she can do that damage as your trusted employee no matter where your data physically resides.
Secondly, as we all know, once something is on the internet, it is there forever. That picture of you mooning the dean during hell week may cost you the top job some day. Even if it is removed from the primary server, with the replication, backups, etc. that are performed on these servers, there is a copy somewhere – maybe it will never surface, maybe it will. But if it was never there, it cannot surface.
For regulatory data, there is usually a provision that the data must be kept for a period of time (with net contents data it is usually 2 years plus shelf life), after which it can be destroyed. However, if additional data still exists beyond that period, it must be made available to regulators in an audit. Even if one has nothing to hide, it is usually just good business practice to supply only the information that is required, no more. Who knows what silly oversight may show up in a single datum from 4 years ago that will, at the very least, cost time and energy to investigate and justify? On your own server, you can ensure old data is deleted. A provider may archive it, keep old backups, or retain it in ways you never see.
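To make the “2 years plus shelf life” rule concrete, here is an added example (my own illustration, not code from the original post or from any MES vendor) that computes each lot’s retention end date from its production date and shelf life, and splits a record set into what must still be kept for auditors and what is eligible for purging. The record layout, lot numbers and dates are constructed for the example; the two-year figure is the one stated above, and the handling of a February 29 production date is an assumption on my part.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period stated in the post for net contents data: 2 years plus shelf life.
RETENTION_YEARS = 2


@dataclass(frozen=True)
class NetContentsRecord:
    """One lot's net-contents record (constructed layout, not a real MES schema)."""
    lot: str
    produced: date
    shelf_life_days: int


def add_years(d: date, years: int) -> date:
    """Advance a calendar date by whole years; a Feb 29 start lands on Feb 28 (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: NetContentsRecord, retention_years: int = RETENTION_YEARS) -> date:
    """Last day the record must be kept: production date + retention years + shelf life."""
    return add_years(record.produced, retention_years) + timedelta(days=record.shelf_life_days)


def partition_for_purge(records, today: date):
    """Return (keep_lots, purge_lots): lots still inside their retention window, and lots past it.

    Everything in keep_lots must remain available to a regulator; purge_lots may be destroyed.
    Purging must also reach backups and archives, otherwise the data still exists for an audit.
    """
    keep, purge = [], []
    for rec in records:
        (keep if today <= retention_end(rec) else purge).append(rec.lot)
    return keep, purge


# Constructed sample data: three lots, evaluated as of 1 January 2024.
SAMPLE_RECORDS = [
    NetContentsRecord("LOT-2021-001", date(2021, 1, 1), 180),   # 2 yrs + 180 d ended 30 Jun 2023
    NetContentsRecord("LOT-2021-087", date(2021, 8, 1), 200),   # 2 yrs ended, but shelf life carries it to 17 Feb 2024
    NetContentsRecord("LOT-2023-042", date(2023, 3, 15), 365),  # well inside the window
]
AS_OF = date(2024, 1, 1)


if __name__ == "__main__":
    keep, purge = partition_for_purge(SAMPLE_RECORDS, AS_OF)
    print("keep for audit:", keep)
    print("eligible to purge:", purge)
```

The second sample lot is the case that catches people out: the two-year clock has already run, but the shelf-life extension keeps it in scope, so a purge job keyed only on the production date would destroy a record a regulator is still entitled to see. The reverse mistake, keeping the first lot around “just in case”, is exactly the extra datum the post warns about.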
Conversely, data is NOT like money in one way: there is no deposit insurance. If you keep your money in a bank and the bank is robbed, your money may have been stolen, but the bank and insurance company make good by giving you the same amount of money – different bills, but every bit as negotiable. If your data is stolen, corrupted, or erased, and the backups and archives are lost along with it, it really is your data that is gone. No one can give you equivalent data!
But in many ways cloud computing may parallel banking: At one time banks paid reasonable interest on your money (about half the rate they charged for lending it) – now they pay almost nothing and invent new fees every day for each transaction or service. ATMs started as a way for the bank to save money on teller salaries and now cost consumers up to $3.00 or more so that they can do the teller’s job for the bank! As cloud providers consolidate and become the same kind of oligopoly that the banks are, there will be changes to agreements that result in charges for anything measurable – per user, per month, per CPU, speed, priority, GB transferred, GB stored, number of transactions, maybe even types of transactions, database access cycles, connect time, cancellation fees or transfer of data to another institution… In the digital age, everything can be measured, and hence charged for.
Unscrupulous or financially troubled vendors may even hold data for ransom. Or a bank error in paying your bill may cause the cloud supplier to restrict access to your data until you are paid up in full.
I am not saying that data should not be on the cloud. Sharing family photos is a great idea, as are numerous other cloud applications. But storing your mission critical, sensitive, confidential or regulatory data outside of your system is, in my opinion, too big a risk.
[1] http://www.google.com/accounts/TOS?hl=en&loc=CA