
External hosts

Another current-events topic we briefly touched on continues in the vein of examining options for separating data from the device that holds it. Bruce Schneier has a recent entry on the separation of ownership of data from ownership of the containing device, pointing out that if you own the data but don’t trust the containing device, you are in for trouble.

Managed storage providers fit the model of separating data ownership from ownership of the hosting device. Their success depends on their trustworthiness, much as the success of a bank depends on its reputation for trust with its customers (which in today’s world may be a bit misplaced). The trustworthiness of providers varies widely. I know someone whose web site went down for a few days because an employee of the hosting company stole the disk the site happened to be stored on to sell on eBay. Of course he was caught immediately because he showed up on the cameras (not a very smart employee). He wasn’t really interested in the data (which was all public in my friend’s case), so it was just an availability problem.

So for most folks it is a risk analysis. For most small operators, outsourcing the care and maintenance of non-sensitive data is a good economic trade-off. In fact, this entry is hosted on a non-local machine.

But to move to the next level, the storage providers must convince people to trust them with sensitive data. This is already done in the physical world with disaster recovery. Large companies may be able to afford to create and staff their own off-site storage facilities, but that is not economically feasible for small and mid-sized companies. One example is The Bunker, a secure storage management company that is using old military bunkers to house data centers. That is good from a natural-disaster point of view, but mainly PR as far as more mundane data security concerns go. According to their site they implement the standard good data security procedures to keep their customers’ data safe from the bad guys. Without those, a bunker wouldn’t be much protection against a good social engineer, a disgruntled employee, or a less than honest co-located customer.

Another approach, one that relies less on the integrity of any single host, is being implemented by CleverSafe. They rely on data splitting, or secret sharing. They divide the data into 11 somewhat redundant streams and store them on widely geographically distributed services. If you can retrieve a majority of the streams, you can reconstruct the original data. It is like RAID in that it gives you availability, but the hardware is physically separate, so you are not exposed to a disaster at a single site as you would be with RAID. In addition, you get protection against untrustworthy devices: an attacker would have to subvert a majority of the storage locations to access your data. That is of course still possible, but much harder.

About

This page contains a single entry from the blog posted on December 7, 2006 11:00 AM.
