You are currently browsing the Michael Kimsal's weblog posts tagged: S3

Responsibility, liability and cloud computing

I was browsing High Scalability this morning and came across this article which got me to thinking about something I’ve not seen discussed yet when talking about ‘cloud computing’ in all its forms: liability.  I’m not talking about downtime, though that’s an issue in and of itself.  Looking specifically at S3, Google’s bigtable, and other similar services, what are the legal ramifications which you face if someone steals your customer data which you store in one of these hosted services?

I’ve not signed up for these hosted services yet so I’ve not reviewed the specific Terms of Service.  I’d have a hard time believing they’ll take *any* legal responsibility for lost or compromised data, even if it’d demonstrated that there was a security breach (physical or otherwise) in their infrastructure.  Why would they?  Perhaps some case law will eventually be established, but I’d be fairly nervous about putting large amount of customer data in to anyone’s inrfastructure that I couldn’t audit/control.

This is a tough call, really, because it’s fairly obvious that Google, Amazon, etc. have pretty smart people working for them, and likely are better at security than my organization might be.  That may be true, but it still doesn’t mean I can take a look at how they’re handling things, and doesn’t really give me much of an excuse if my customers’ data gets compromised.  If anything, S3 and others will likely be a bigger target for more advanced criminals to target.  Yes, it’s likely more secured, but the payoff will be much bigger.

Is this an acceptable risk for you, putting customer data in the hands of others for whatever reason?  To some extent we all do it – I’m putting customer data on servers in data centers where I don’t always have direct physical access.  I can lock down the machines via software as much as possible, but it’s not a perfect option, certainly.  Going the next step and just moving your data in to databases over which you basically only have read/write functionality seems like too big a step for me at this point, at least for sensitive data.

Are you using these ‘cloud’ services yet?  If so, what’s your take?

I'm currently working on a book for web freelancers, covering everything you need to know to get started or just get better. Want to stay updated? Sign up for my mailing list to get updates when the book is ready to be released!

Web Developer Freelancing Handbook