Many organizations are considering the use of cloud storage to help simplify their data storage environments, improve data protection, and reduce overall costs. However, many challenges still exist with using cloud storage natively for the traditional on-premises applications that drive businesses today, and security remains a concern in terms of data privacy, confidentiality, and control.
A number of cloud storage on-ramp, or cloud storage gateway, devices have emerged, each promising to turn elastic, on-demand, low-cost cloud storage services into capacity that your on-premises servers can use while eliminating those concerns.
While the cloud storage on-ramp/gateway market is still nascent, customers should weigh a number of factors before trusting their application environment and storage needs to such a system. Like other vendors, we have an opinion on what those factors are and why they're important. When evaluating a cloud storage gateway, we encourage customers to consider:
- Performance - when using cloud storage, you are effectively injecting Internet latency, bandwidth constraints, and packet loss between your server and its storage. Gateway devices mitigate this, and an understanding of the architecture - and quantification of the system's performance - will help you determine whether or not the solution is applicable in your particular application environment.
- Caching vs Tiering - many devices provide a "caching" architecture, where the cloud storage service is effectively your primary storage. StorSimple provides a "tiering" architecture, where the on-premises appliance is your primary storage. The differences are subtle, but substantial when viewed through the lens of data integrity, coherency, performance, and availability. We'll write more on this one later.
- Security - devices should protect both data in motion (over the network) and data at rest (as stored in your cloud storage service provider's network). Keys should never be shared with your cloud storage provider, as that fundamentally puts your control of your data at risk in the event of litigation or a subpoena.
- Data Protection - devices should simplify data protection and help you - when possible - eliminate multi-tiered backup and restore architectures. The fundamental unit of data protection in the enterprise today is the snapshot, and the further you can extend the usefulness and longevity of a snapshot-centric architecture, the more you minimize operational complexity when you need to restore data.
- Application Awareness - some devices claim to be "application aware" while also claiming to support everything including the kitchen sink. The vendor should take a pragmatic and focused approach to specific applications, with the necessary technology integrated to provide compelling value for those applications, rather than broad brush strokes that make their approach seem applicable to a broad array of applications. Our assertion - better to be the best at a small number of things than to fail at all of them.
- High Availability - people deploy storage in a highly available manner today, and when you move to a cloud storage-centric model, this should not change. Devices should provide the availability characteristics you expect from your current storage systems, and not require you to undergo configuration gymnastics or ridiculous server-side changes to meet your availability metrics.
We'd love to get your feedback on criteria that should be considered; please feel free to leave a comment and let us know if these are valid considerations or if there are some that we missed!
Many of us didn't feel comfortable doing our online banking until encryption using SSL became commonplace. While no one can 'guarantee' the privacy that encryption provides, it does give us the comfort of knowing that a large number of brilliant minds spent a massive amount of time devising a mechanism by which we can establish trust in a world of insecure communication: it lets us authenticate the website we are communicating with, and it establishes a reasonable level of confidentiality as we peruse our checking, savings, brokerage, and other statements over a public network.
Cloud storage gateways, or 'on-ramp' devices, provide a similar function for enterprise data centers using public resources (cloud storage services). Some of the same concerns existed with online banking that exist today with using public cloud storage services, such as:
- How do I know that the web server that I am interacting with is really from <insert your favorite financial institution here>?
- How do I know that when I'm viewing my financial transactions using my web browser that no one else can read that same data by sniffing the network?
In the case of cloud storage services, similar questions are asked. Encryption, certificates, and certificate authorities give us a reasonable sense that a network endpoint we are communicating with is who they say they are (authentication) and that the data we exchange is kept private (encryption).
Cloud storage gateway devices help improve security when using public cloud storage services in a number of ways, but some of the more prominent ways are:
- They use SSL for encryption, which implies that at least one party in the conversation is authenticated by a trusted third party, making man-in-the-middle attacks very difficult (some cloud storage services authenticate BOTH parties)
- They encrypt the data that is written to the cloud storage service using keys that your cloud storage service provider does not have, meaning the provider is far less likely to be able to read the stored data directly. The same goes for anyone else who gains access to it, maliciously or not
- They obfuscate the data that is sent to the cloud prior to encryption using techniques such as data deduplication and compression. Deduplication effectively puts your data "through a paper shredder" - the pieces can in principle be stitched back together, but the effort required grows considerably - and compression further assists in this matter
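The first bullet distinguishes one-way authentication (only the cloud endpoint proves its identity) from mutual authentication (both parties do). The program below is an added example written for this page; it is not StorSimple's code and not the TLS configuration of any particular cloud storage service. It uses only Go's standard library, generates throwaway self-signed certificates in-process for two assumed names (`cloud.example` for the provider side, `gateway.example` for the on-premises side), and runs a real handshake over loopback TCP so the effect of `RequireAndVerifyClientCert` can be observed: a gateway that presents no certificate is accepted by a server doing one-way authentication and rejected by a server doing mutual authentication.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed certificate for one side of the connection.
// Constructed for this example only: a real gateway and cloud endpoint carry
// certificates issued by an authority the other side already trusts.
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, err }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// MutualTLSAccepted runs one TLS handshake over loopback TCP and reports whether
// the cloud-side server accepted the gateway-side client. requireClientCert
// switches the server from one-way (server-only) to mutual authentication;
// clientHasCert controls whether the gateway presents an identity at all.
func MutualTLSAccepted(requireClientCert, clientHasCert bool) (bool, error) {
	serverCert, err := selfSigned("cloud.example")
	if err != nil { return false, err }
	clientCert, err := selfSigned("gateway.example")
	if err != nil { return false, err }
	// Each side trusts exactly one certificate: the peer it expects.
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf)
	roots.AddCert(serverCert.Leaf)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientCAs:              clientCAs,
		ClientAuth:             tls.NoClientCert, // one-way: only the server proves its identity
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no server writes after the handshake completes
	}
	if requireClientCert {
		serverCfg.ClientAuth = tls.RequireAndVerifyClientCert // mutual authentication
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "cloud.example", MinVersion: tls.VersionTLS12}
	if clientHasCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return false, err }
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { serverErr <- err; return }
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		serverErr <- tls.Server(conn, serverCfg).Handshake()
	}()
	conn, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil { return false, err }
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	client := tls.Client(conn, clientCfg)
	clientErr := client.Handshake()
	client.Close()
	// In TLS 1.3 the client can finish its handshake before the server has
	// checked the client certificate, so the server's verdict is what counts.
	srvErr := <-serverErr
	return clientErr == nil && srvErr == nil, nil
}

func main() {
	for _, c := range []struct{ require, present bool }{{true, true}, {true, false}, {false, false}} {
		ok, err := MutualTLSAccepted(c.require, c.present)
		fmt.Printf("server requires client cert=%v, client presents one=%v -> accepted=%v err=%v\n",
			c.require, c.present, ok, err)
	}
}
```

The point for a buyer is the `ClientAuth` setting: with `NoClientCert` the provider learns nothing about who is writing to the bucket beyond whatever application-level credential rides inside the tunnel, whereas `RequireAndVerifyClientCert` makes the gateway's identity part of the handshake itself, which is what the bullet's "authenticate BOTH parties" refers to.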
Based on the above, what the industry is starting to see, thanks to cloud storage gateway devices like StorSimple, is the emergence of 'Virtual Private Storage', or 'VPS'. This approach goes a step further than the security innovations of online banking: not only can endpoints authenticate one another and exchange data with a reasonable degree of security, but the owner of the information also controls the disposition of that data - and the data itself - through encryption.
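The data-at-rest half of this picture (the first post's rule that keys are never shared with the provider, and the second and third bullets above: encrypt with keys the provider does not hold, deduplicate and compress before encrypting) can be shown end to end in code. The program below is an added example written for this page, not StorSimple's implementation and not any provider's API. It assumes a fixed 4 KiB chunk size, an in-memory map standing in for the provider's bucket, and two on-premises keys (a data key for AES-GCM and a separate HMAC key for naming chunks); the sample "volume" it stores is constructed inline.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

const chunkSize = 4096

// CloudStore stands in for the provider's object store (constructed for this
// example); it only ever receives opaque object names and ciphertext.
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

// ContainsPlaintext is what the provider, or anyone with bucket access, learns by reading objects.
func (c *CloudStore) ContainsPlaintext(fragment []byte) bool {
	for _, blob := range c.objects {
		if bytes.Contains(blob, fragment) { return true }
	}
	return false
}

// Gateway keeps both keys on-premises; neither is ever sent to the provider.
type Gateway struct {
	aead    cipher.AEAD // AES-GCM under the data-at-rest key
	nameKey []byte      // HMAC key, so object names are not plain content hashes
	cloud   *CloudStore
}

func NewGateway(dataKey, nameKey []byte, cloud *CloudStore) (*Gateway, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Gateway{aead: aead, nameKey: nameKey, cloud: cloud}, nil
}

// chunkName is a keyed hash: identical chunks map to one object (dedup), while
// the provider cannot match object names against hashes of known content.
func (g *Gateway) chunkName(chunk []byte) string {
	mac := hmac.New(sha256.New, g.nameKey)
	mac.Write(chunk)
	return fmt.Sprintf("%x", mac.Sum(nil))
}

// Store chunks data, skips chunks the cloud already holds (dedup), then compresses
// and encrypts each new chunk before upload. It returns the ordered object names
// needed to restore and how many objects were actually uploaded.
func (g *Gateway) Store(data []byte) (manifest []string, uploaded int, err error) {
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) { end = len(data) }
		name := g.chunkName(data[off:end])
		manifest = append(manifest, name)
		if _, ok := g.cloud.objects[name]; ok {
			continue // duplicate chunk: nothing new leaves the premises
		}
		var packed bytes.Buffer // compress first, then encrypt
		w, _ := flate.NewWriter(&packed, flate.BestSpeed) // fails only on a bad level
		w.Write(data[off:end])
		w.Close()
		nonce := make([]byte, g.aead.NonceSize())
		if _, err = rand.Read(nonce); err != nil { return nil, 0, err }
		// The object name is bound as associated data, so an object swapped or
		// renamed inside the bucket fails authentication on restore.
		g.cloud.objects[name] = g.aead.Seal(nonce, nonce, packed.Bytes(), []byte(name))
		uploaded++
	}
	return manifest, uploaded, nil
}

// Restore downloads, authenticates, decrypts and decompresses every chunk.
func (g *Gateway) Restore(manifest []string) ([]byte, error) {
	var out bytes.Buffer
	ns := g.aead.NonceSize()
	for _, name := range manifest {
		blob, ok := g.cloud.objects[name]
		if !ok || len(blob) < ns { return nil, fmt.Errorf("object %s missing or truncated", name) }
		packed, err := g.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
		if err != nil { return nil, fmt.Errorf("object %s failed authentication: %w", name, err) }
		chunk, err := io.ReadAll(flate.NewReader(bytes.NewReader(packed)))
		if err != nil { return nil, err }
		out.Write(chunk)
	}
	return out.Bytes(), nil
}

func main() {
	cloud := NewCloudStore()
	gw, _ := NewGateway(bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32), cloud)
	// Constructed sample volume: five identical 4 KiB blocks plus a short tail.
	manifest, uploaded, _ := gw.Store(append(bytes.Repeat([]byte("A"), 5*chunkSize), "unique tail"...))
	fmt.Printf("chunks=%d uploaded=%d provider can read tail=%v\n",
		len(manifest), uploaded, cloud.ContainsPlaintext([]byte("unique tail")))
}
```

Two design points are worth noticing. Deduplication is decided on-premises by the keyed chunk name, before encryption, so each object can still be encrypted with a fresh random nonce; a design that deduplicated at the provider would have to show the provider something content-derived. And the confidentiality of what sits in the bucket rests entirely on the data key the provider never receives: compression and deduplication reduce what is uploaded, but it is the encryption, with the object name bound as associated data, that keeps the provider from reading, swapping or silently altering the stored chunks.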
So what does this mean?
This means that cloud storage gateway devices open up a new world of opportunities to take advantage of public cloud storage services in a secure manner. In many ways this approach can rival the level of security found in many data centers today, where many are still behind on implementing measures such as DH-CHAP within their storage fabrics. An increased level of security decreases the level of perceived risk, which makes public cloud storage more digestible for a broader range of applications and data, even those subject to a high degree of scrutiny through compliance and regulation.
Does the analogy resonate? Are there others that you can think of that would be equally or more appropriate? We welcome your feedback, and of course if you are interested in learning more, I encourage you to comment or reach me via Twitter or email!