Symform is based in Seattle but doesn’t rely on hydro-powered data centers in the Pacific Northwest like Amazon or Google do. Symform assembles an ambient cloud based on their customers’ local storage.

When I was a cloud & virtualization Entreprenur in Residence at Trinity Ventures, I saw a fundraising pitch from Symform (or maybe or one of their competitors…) I was intrigued at the time and wanted to pursue investing in the deal because of the massive savings in service delivery costs, but the (way more experienced) VC partners didn’t bite because of concerns over consumer discomfort about sharing their drives and their (encrypted) data.

Here’s how Symform works:

• You install the Symform software agent
• Data from your machine gets sliced into 64 megabyte segments, each encrypted with 256-bit AES encryption.
• Each 64 MB segment is broken in 1 MB chunks
• Each group of 64 chunks gets assigned parity fragments the same way RAID works (this adds 50% to the size of the data but makes it highly available)
• The resulting 96 fragments (each 1 MB) get distributed randomly across other Symform customers, mostly in the US and Europe today

When you request data from the cloud, it gets pulled from the many places where it’s stored. If some machines are unavailable, the parity segments allow reconstruction of the data, which makes for a very highly redundant form of storage. You can’t “take out” a data center to delete this type of data.

The coolest thing about this is that the near-zero use of centralized data centers means the service is startlingly low cost, almost to the point of absurdity compared to older centralized storage clouds like Dropbox or Box.net. Symform charges nothing for the first 200 gigabytes of storage. That’s 100 times more storage than Dropbox’s 2 gigabyte freemium offering. 100x differences in capacity are definitely in the range of disruptive technology, which is why I believe ambient clouds will disrupt centralized clouds, and we’ll end up with an cloud architecture mantra that says:

Distribute when you can.
Centralize when you must.
Control everything centrally.

Even when it comes to paying for a storage service, you’re looking at further disruption. $100 buys you 50 gigabytes on Dropbox for a year. That same $100 buys unlimited storage for a year on Symform, which is infinitely more than 100x better. Dropbox’s highest level service is 100 gigabytes for $200 per year. Disruption here we come…

There is only one catch to this disruptive “unlimited” idea – you have to provide as much storage on your machine as you want to get from the Symform ambient cloud. What this does is make Symform cost just as much as local storage. Call them storage communists.

Here’s my two Bold Predictions of the Day (BPD):

In 5 years, most consumer data will be stored this way, as its WAY cheaper than centralized clouds, and it’s also significantly more immune to data loss. The availability of a solution like this has at least 2 more 9’s than Dropbox or Box.net because of data redundancy.

No one will trust ambient cloud encryption, so they will add their own layer of encryption, or go with clouds that use individual keys per customer, with those keys solely controlled by the customer.

Which brings us to security as a differentiator in cloud storage. The widespread use of Dropbox by enterprises is amazing given their spotty security architecture. All it takes is for one shared cloud storage provider to suffer a big public breach for people to feel like their personal docs aren’t safe in the cloud.

That’s why I still store my docs on SafeSync, which lets me control the key to my documents online. (It helps that I work for Trend Micro, which provides SafeSync, but I’m not involved with that product strategy.)

How did they get my personal information?  Working in the security industry, I’m pretty careful.  I’m good at recognizing phishing scams; emails that use various ploys to get you to reveal your personal information (see this paper I co-authored on the Anatomy of a Phishing Email).  I rarely provide all of that personal information at one time, I don’t keep it stored on my computer, and I don’t even keep documents with all of that information in the same place.  I also shred any personal mail.  (For my tips to consumers on how to protect against identity theft, see my blog post on Trend Micro Fearless Web that covers preventative measures).  So my guess is that a company I do business with got hacked—and they probably don’t even know it. 

 What did the cybercriminals do with my personal information?  They created a fake driver’s license, walked into bank branches in Southern California, and emptied my checking account (I live in Northern California).  Then they made counterfeit checks with my account number and somehow cashed these checks, overdrawing my account.  At the same time, they created another fake driver’s license and someone in Lexington, Kentucky opened new accounts in my name with various retail stores—including Target, Victoria’s Secret, and AT&T Wireless. 

All together, they got away with over $13,000 in money and goods from banks and retailers—and they did all of this in just a couple of days.  Thanks to a call from Target that questioned the account application, I found out early enough to freeze any new accounts.  I have spent countless hours and heartache trying to gain control of my accounts and credit again.  I would have been spared this nightmare if my personal information had simply been encrypted. And I would not be questioning my business relationships.  With today’s explosion of data in physical, virtual, and cloud servers and endpoints, many of us at Trend Micro have recommended encryption in this blog.  But now my recommendation is much more personal.  I am pleading with companies to please encrypt sensitive data. 

I’m guessing that the organization that was hacked is unaware because I have not received a notification that my personal information was accessed.  In the U.S., the vast majority of states have security breach notification laws that require this disclosure.  However, many of these laws have a safe harbor exception if the personal data acquired was encrypted.  One example is new notification requirements in California that went into effect on January 1, 2012, for “any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person”.  The law specifies the information that must be included in customer notifications and requires that a copy of the notification be sent to the Attorney General if more than 500 customer records are breached—but all of this can be avoided if a company uses encryption.  And this is just one example.  Forty six states have security breach notification laws as well as many other regions around the globe.  

 Trend Micro has encryption solutions for data stored on physical, virtual, and cloud servers, email, and endpoints.  These solutions can help avoid notification requirements, but, more importantly, encryption can help to preserve a business’s reputation and customer relations.  After becoming a victim of identity theft, I changed banks and I’m questioning my use of numerous businesses. (Read my blog on Tips for Limiting the Damage to get a small feel of the aftermath and what is required to regain control of your identity). If my personal information had just been encrypted, I would have been spared this nightmare.   I don’t know where my personal information was compromised, but before I do business with anyone that might store my personal information I’m going to ask, “Do you encrypt your data?”

The founders of Sumo Data are Kumar Saurabh and Christian Beedgen, a couple really impressive entrepreneurs who cut their teeth at Arcsight. I had the pleasure of meeting with them a month after they were founded back in April of 2010, when they were still setting up in the TechMart Regis Facility on Great America Parkway in Santa Clara. It was kind of cool because they were moving into the same office that I had used when I was VP of marketing at Zeus Technologies, now an arm (tentacle?) of Riverbed. It’s a small valley.

At the time, I was working as cloud and virtualization Entrepreneur In Residence (EIR) for Trinity Ventures, but Sumo Logic wasn’t quite yet far along enough for VC then. It was pretty exciting when I came across them anyway because I am a long-term believer in this space.

So long-term, in fact, that I invested as an angel in the very 1st blog file management company which was named Addamark. They were ahead of their time and morphed into SEIM vendor SenSage when security became the main use for log management in the mid-2000’s. Then, I backed SenSage’s founder again with another angel investment in the world’s first cloud-resident log management/big data play, hosted on AWS way before it was cool for SaaS companies to do that. Despite some big wins – like Playdom – it was ahead of its time again. Either that, or I’m a sucky investor because I keep thinking things will happen before they do.

Why Big Data Is a Bigger Deal than Cloud Was

My thesis for investing in big data has nothing to do with data from e-commerce or IT management systems. I believe that the volume of data we are generating now from machines absolutely pales in comparison to the volume of data we will soon be generating from our own bodies via new consumer grade medtech offerings.

The Internet of things is limited in scope because we have to make and power things, and we get to define what data they can present. The human body is a blank slate – there is limitless data to gather about electrical, chemical, and physiological states, as well as about behavior and location. That’s not even including 24/7 audio or video.

That’s why I’m one of the leaders in the emerging Quantified Self movement. (Here’s a talk I gave at the first ever QS conference, and that was me on the cover of the Financial Times wearing electrodes on my head.) That’s also why I’m still a huge believer in the log monitoring and analytics part of the cloud computing space. It will be exciting to moderate a panel in New York at the upcoming GigaOm Structure:Data conference, because it gives me a chance to combine my career in cloud security with my weekend passion, biohacking.

What’s Missing in Log Management

There are 2 things that don’t receive enough attention in the log management space. The 1st is real scalability, which means thinking beyond what data centers can do. That inevitably leads to ambient cloud models for log management. Splunk has done an amazing job of pioneering an ambient cloud model with the way they created an eventual consistency model which allows you to make a query to get a “good enough” answer quickly, or a perfect answer in more time. They can do this because the data is spread all over the place but it is controlled centrally, which is a hallmark of ambient cloud architecture. Plus, ambient cloud providers are valued higher than IaaS cloud vendors. That sucks for us infrastructure guys.

The 2nd thing is security. Log data is next to useless if it is not nonrepudiatable. (is that even a word?) Basically, all the log data in the world is not useful as evidence unless you can prove that nobody changed it. That’s why I’m a believer in what Mark Searle, the original Addamark founder, is doing at Kinamik. His experience founding 2 early log management companies has led him to focus on the emerging problem of security for log management. It’s very meta. His 1st start up a decade ago ended up focusing the other way around – on using log management for security.

In any case, I want to see my brain waves, my temperature, my pulse, my heart rate variability, my galvanic skin resistance, the number of steps I take, what I eat, what I breathe, who I talked to, my hormone levels, how happy I was, my brain’s efficiency at any time, and anything else I can think of stored in a very large, very secure, very friendly cloud analytics application. And then I want to share that data anonymously with any researcher who is doing something cool.

So how about it, Sumo Data, Loggly, Splunk, and Kinamik? Are you ready for the onslaught of data? My friends at Quantified Self are building it now. That’s how they roll.

Kudos to GigaOm’s post that inspired me to think of this.

Here are a couple peeks of the new design.

First impressions of the new design? Let us know!!

Using the cloud for security can deliver faster threat protection and better security.  Traditional security has relied on signature files.  But it can be time consuming to retrieve and disseminate signatures across your network.  The time it takes to conduct this update creates a security gap and the sheer size of signature files needed to defend against today’s threats can burden resources and performance.  But with a cloud-client architecture, a thin client can be placed on servers and endpoints and this client can access the latest threat intelligence in the cloud, such as threat protection from email, web, and file reputation databases.  The security provider can make faster updates to the cloud service and you don’t have to wait on signature file updates to be protected.

With faster protection, you save money because less IT labor is needed to clean infections, there is less productivity loss while cleaning infections, and there is less IT time spent on tasks such as managing signatures, upgrading resource capacity, and managing false positives—not to mention costs related to security breaches. 

But what can you actually save?  Osterman Research just released a paper called, “A Cloud-Client Architecture Provides Increased Security at Lower Cost.”  In this paper, Osterman Research surveyed enterprises to get the estimated costs of these IT tasks for a 5000-employee company.  And the paper calculates the estimated savings if these companies were to deploy a cloud-client architecture using a single vendor for protection across their networks.  The results were significant.  A company could save over $49 per employee per year and reduce security management costs by 41%.  Take a look at the paper for an overview of today’s threat landscape and detailed information on these savings.

We’ve posted this paper on our Trend Micro Securing Your Journey to the Cloud—Physical, Virtual, Cloud web pages (www.cloudjourney.com) in the Physical section.  With a cloud-client architecture, you can leverage the cloud to protect your physical servers and endpoints without changing your current infrastructure, making this approach a great early step in your journey to the cloud.  Of course this type of security can also protect virtual machines in your data center or in the cloud—so it can continue to provide faster protection and cost savings throughout your journey.

Trend Micro offers a cloud-client security architecture with our Smart Protection Network, providing real-time security from the cloud.  As a global company, Trend Micro leverages our worldwide network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud.  This threat intelligence identifies and blocks threats before they can reach your network.  Using the cloud for security can stop more threats faster.  And this can equal big savings.

But governmental seizure of data is only a small component of potential data loss. It doesn’t really matter if your data is lost to one government or another, to a cybercriminal, your service provider, or a competitor. Enterprises have a vested interest in controlling *all* access to their data. The truth is that whenever a company trusts its data to a cloud provider, there is the potential for its data to be infiltrated.

How should enterprises protect their data?  Encrypt!  Both Dave and Jonathan mention this in their posts as well,  and recommend that companies encrypt the data that they store with cloud providers using policy based key management. A government, cybercriminal, competitor, or other party may still try to access your data, but odds are that they won’t want to invest the time and resources it takes to brute force crack your encryption.  Most will give up.  In the case of government data seizures, officials may ask you for your encryption keys. But this will give you notice that the government is trying to seize your data and will give you the opportunity to challenge the request—or at least prepare for the consequences.

Trend Micro offers cloud encryption through SecureCloud.  This encryption service with policy-based key management secures data stored in private and public clouds as well as on physical and virtual servers.  It is provided as either an on-premise software solution or as a Trend Micro hosted service.  You control the keys, allowing you to choose the cloud provider that’s right for you—regardless of where your data is being stored.  And any entity wanting access to your data will need to ask you for the encryption keys.

Companies should insist on encrypting all of their data in the cloud.  Trend Micro predicts that U.S. cloud service providers will embrace encryption in 2012 as an option for their customers.  They will use this to effectively respond to the marketing FUD around the PATRIOT Act from international cloud providers. But enterprises should deploy encryption not only to secure their data against governmental seizure, but to protect against all types of data loss.

• Any law that is abused or misinterpreted is bad for society and business
• There is a delicate balance between protecting citizens’ safety and violating civil liberties

First some history. The Patriot Act, passed in 2001, is not the first American law to provide law enforcement authorities with the powers to retrieve information.

•  The Wiretap Act: Title III of The  Omnibus Crime Control and Safe Streets Act of 1968 permits authorities to obtain wiretaps
• FISA: The  Foreign Intelligence Surveillance Act of 1978 is an Act of Congress, (signed by President Jimmy Carter), which describes procedures for the physical and electronic surveillance and collection of information

Both of the above laws have provisions to protect civil rights and liberties.

A careful reading of the Patriot Act does not give the Federal government, unfettered carte-blanche access to data stored in an organizations’ databases. Rather, the section quoted by Dave, specifies:

 ‘‘SEC. 501. ACCESS TO CERTAIN BUSINESS RECORDS FOR FOREIGN INTELLIGENCE AND INTERNATIONAL TERRORISM INVESTIGATION”

 The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.

 Request for information have to either fall under Executive order 12333 (1982) or a panel of judges.

Use of encryption:

Use of encryption in the United States is not regulated. If a cloud service provider encrypts information and has the encryption key, the service provider must decrypt the communications when served with a Federal wiretap order. But a service provider has no obligation to decrypt communication encrypted by the end user when the service provider does not have the encryption key.

Few if any wiretap orders have been hindered by encryption.

As Dave says “….you should consider using policy based key management with your keys stored away from your data…“, that way your  data is safeguarded, regardless of who attempts to access it, since you control the encryption keys.

This should come as no surprise, but people, and companies also, prefer to operate in a world where they have some level of control over who sees their private data.  American cloud providers are required to adhere to the infamous PATRIOT Act, which means they are legally bound to hand “business records” data to American government agencies who legally request it. In some cases, cloud providers may be forbidden to even speak of it or notify their customers of the government request.

The International Business Times recently covered the PATRIOT Act and wrote:

…Critics say the business records provision [of the PATRIOT Act] is the most insidious because of the sweeping powers they say it gives to gather large volumes of data. In an interview with Wired’s Danger Room blog, Sen. Ron Wyden (D-OR) said that provision is the one he is “extremely interested in reforming.”  He declined to elaborate further.

Believe it or not, this affects tech darlings like Google and Amazon. In my work as vice president of cloud security for Trend Micro, I travel globally from my home base in Canada to speak at conferences about cloud computing. Whenever I am at a conference outside the US, the most frequent question I hear from IT executives is: “I don’t want to expose my data to disclosure under the PATRIOT Act. What can I do?”

Regardless of how often the U.S. may actually take advantage of the PATRIOT Act, companies outside the US often believe they have something to fear by storing data in the United States.  The truth is that governments everywhere have ways of getting to things that are important to national security, regardless of where they’re stored. But to make sure that your data is safe regardless of what jurisdiction your cloud provider is in, you should consider using policy based key management with your keys stored away from your data. That means that anyone – government or not – who wants to see your data without permission has to brute-force their way into your data or legally ask you for the keys.

Like this blog post?  Contact me on twitter @daveasprey or comment below.

The virtual appliance writing has been on the wall for some time now. It’s why I left my position running Strategic Planning for the Citrix virtualization business unit in 2006 (ish) in order to become VP of Technology & Marketing at Zeus Technologies, one of the first virtual appliance networking companies. (Zeus recently sold to Riverbed for $100 million).

I was merciless when it came to competing with hardware players like F5 and NetScaler/Citrix (I was Dir of Product Management at Netscaler) – I actually traded Zeus software licenses for brand-new $50,000 pieces of hardware. When customers discovered that a virtual appliance could match or even beat performance from a dedicated hardware box, they preferred to run a virtual appliance on a Dell server rather than deal with hardware support costs from a networking vendor.

Now, in the days of cloud, it’s an even easier situation. You can’t do anything with dedicated hardware boxes in the cloud. Unless maybe you’re a cloud provider, in which case you break your beautiful n+1 scaling when you add extra hardware that can’t be reprovisioned instantly. And you break your already low margins too by paying $50,000 or more for a $5,000 server with a pretty bezel and some software you can’t even migrate to a faster box.

IT departments that really get this are figuring out they save money with virtual appliances too, as these numbers from Trend Micro and Osterman Research show.

Some startups are really taking advantage of the intersection of virtual appliances and clouds. The ones that I’m paying attention to now include Vyatta, CloudOpt, and of course Trend Micro. Trend is interesting because we are using virtual appliances at branch offices that are tied in to our hosted cloud security service, going far beyond the idea of just deploying a virtual appliance on AWS. (We do that too…) Zeus would have made the list if Riverbed hadn’t eaten them.

Virtual appliances for the cloud get even more interesting when you tie them in with OpenStack and enable them with Openflow. Better yet, usage based pricing works well for virtual appliances and software, but it breaks hardware selling models completely.

Why would a cloud provider – or an enterprise – want any hardware beyond big dumb switches, massive n+1 storage, and lots of commodity servers running cloud software and virtual appliances?

I wouldn’t.

(Disclaimer: I’ve either worked for, been present for the founding of, tried to sell my startup to, partnered with, blogged about, advised, competed with, or had steak with every company mentioned here…there are other cool cloud appliance focused companies too. If you’re one of them, drop me a line!)

For the timber industry and file cabinet manufacturers, it’s refreshing to think that every trial has hundreds of board-feet of trees sitting in a file cabinet somewhere, but the costs of creating and storing the huge volume of paper records created by our huge volume of laws is becoming burdensome, especially for state and local governments.

It’s a foregone conclusion that more and more records will be electronic only and will be stored in the cloud. I predict we will hear more cases like the one above were electronic data is destroyed on a PC before it gets to the cloud or simply “goes missing” when it is in the cloud. Techniques like role-based access, access logging, and even DLP (Data Leak Prevention) are far from commonplace for every single document placed in the cloud.

We are rapidly approaching a time when there is no realistic way to prove that a person did or did not put something in the cloud a month ago, much less a year ago. This is one of the reasons enterprises and companies have a vested interest in semi-–closed systems where they can maintain some semblance of visibility and control over their data. That’s why private clouds, or at least virtual private clouds, are here to stay.

When it comes to public clouds in particular, the problem gets more difficult when you’re dealing with shared storage and IAM (identity and access management) systems that may or may not be integrated with corporate identity records.

This is one of the reasons I believe encryption is a fundamental technology to enable the cloud. If you encrypt what you put in the cloud using a key that is stored on a cloud other than where your data is stored, there will necessarily be records showing that the data was encrypted in the cloud and therefore was placed in the cloud. In the case of the stenographer above, there could have been an alert set to go off if no court records were encrypted and uploaded according to schedule.

Third-party encryption services have the potential to become modern digital “tracking numbers” for files that are used in the cloud. This will prevent excuses like “the check is in the mail” or “the cloud ate my homework.”

However, there is a simpler use of the cloud to stop this kind of data loss. If you configure your documents directory to synchronize in real time with an encrypted online storage service, the odds of a virus destroying your data go down dramatically. One example here is SafeSync, the Trend Micro system that syncs any directory on your PC to a fully encrypted cloud service.

If the stenographer had used SafeSync, the court records of the trial of a convicted murderer would have stayed safe, and the stenographer would have kept her job.

In any case, economics and environmental concerns should drive all governments to cloud-based records that are properly encrypted so that they may not be modified without all affected parties being alerted, and anyone dealing with sensitive data should be syncing it to encrypted data stores today. It’s too cheap and too easy not to do it.