Dropbox – risks and remediation

Archive for April, 2011

Dropbox – risks and remediation

Posted by Wolf Goerlich

Dropbox is a cloud service that presents storage as a local computer drive. Michael Galligan introduced me to the service about a year ago, when he redid the SimWitty branding. You install the Dropbox app, the folder appears, you copy files to the folder, and they synchronize with anyone else who has access to your Dropbox folders.

There are some real risks with transferring files using someone else’s system, of course. There is the chance of local attacks on your Dropbox (see: Dropbox authentication: insecure by design). More likely, there is a chance of a security incident at Dropbox’s systems, thus allowing a malicious insider or attacker to gain access to the documents. A big collection of documents presents an attractive target.

What to do? Dropbox released some guidance this week. Using the tried-and-true Truecrypt software, you can encrypt your Dropbox folder. This restricts access to only those who have access to your decryption key. It is a good option for those who want the ease of the cloud with some assurances as to the safety of the data.

Innovating in storage – apps and clouds

Posted by Wolf Goerlich

“Driving innovation through information infrastructure”, that was the theme of SNW Spring 2011. I spent a good portion of the time looking for innovation.

I will tell you what did not seem innovative to me. Boot from SAN? No, been doing that for more than a decade. Thin provisioning? Automated tiering? Replication? Nope. Been there, done that, for more than five years. Faster disks? Faster SSD? Faster FC and iSCSI? Incremental improvements to be sure, but not radically innovative.

These advances are all within the storage stack. Moving up the stack into applications, and down the stack into cheap cloud storage, that is innovative.

Today’s primary storage is great at working with blocks, but it is largely ignorant about what the operating systems are doing with the block-level storage. This reminds me of old school stateful firewalls: excellent at TCP/IP but largely ignorant at what the applications were actually doing with the packets. Just like the firewall innovations during the last five years were driven by application awareness, storage innovations in the next five years will be all about the application.

At the same time, we need to keep lowering the costs. Another realm of innovations is in using cloud storage. (Read hosted off-premise multi-tenant storage made available via XML/HTTP calls.) Cloud storage from Amazon, Google, and Microsoft cost a fraction of what enterprise HDD cost from Samsung, Seagate, and Western Digital. Innovation will come from balancing cost/performance by tiering with SSD, HDD, and the cloud.

What will an innovative information infrastructure look like?

Here is my take of a 2014 SAN: Fast access to block storage on-premise over maturing protocols (FC, iSCSI, FCoE). Self optimizing for IO cost or IO performance thru automatic tiering. Optimizing for application thru application awareness (SharePoint, Exchange, SQL, Oracle, et cetera). Enabling new application-specific features. All back-ended onto the cloud with deduplication, compression, and WAN optimization.

That is what the new SAN will look like. And I want one.

Disaster recovery metrics – beyond RTO and RPO

Posted by Wolf Goerlich

A recording of my talk at SNW 2011 today is online:

Disaster recovery metrics – beyond RTO and RPO

Many people consider only the recovery time and recovery point, RTO and RPO, when developing their strategies. This is a problem. Left unattended, certain characteristics of a recovery strategy will cause us to miss our recovery time. So it is important to look beyond the surface.

To meet RTO, we must have sufficient time metrics. To meet RPO, we must have sufficient data metrics. And to balance the ongoing operational costs with the per incident costs, we must have supporting scalability metrics. My talk reviewed these necessary metrics and considerations.

Today’s talk was on the high-level management of a disaster recovery program. Back in 2008, I did a nuts-and-bolts talk about our recovery strategies. I also put my talk from SNW 2008 up, for those interested.

Evolution of disaster recovery (Video no longer available)