If a cloud service provider goes out of business, what happens to your data?

In times of change there re always *unintended consequences*. We're seeing a heap of innovation in the cloud right now and with that comes the flip side, that sometimes things break...

There are no real *standards* right now - although OpenStack is trying to provide some at the IaaS layer - this is why Krish is completely correct, it comes down to due diligence on the part of he customer - terms of service, SLAs, data extraction, data portability etc are all very important issues to look into....

Some cloud companies give their customers the freedom to move the system in-house at any time, not just when they go bankrupt.
See http://www.enterprisewizard.com/hybrid-saas-platform.htm

Naturally, you still want to choose a stable company with a great product, but if they ever do go belly up, at least the application will continue running while you arrange an orderly transfer to a new system.

No, there are no real standards for what will happen. And yes, the current options provided by the cloud providers are all over the map.

Several other factors can come into play, however:

-- The type of cloud-based service can be a factor...
-- The method by which a business expires (including if another vendor takes over those assets or accounts)

This is essentially a Wild Wild West situation, and requires businesses to ask key questions, such as presented by Krishnan.

Great points. In terms of standards - the gorilla in the industry gets to set the standard (as is the case with most disruptive technologies or methods). Ben's comment about OpenStack is prudent - many cloud projects are striving to be Amazon EC2 compatible in their approach (including parts of OpenStack). This works out well for consumers in this case as Amazon is (arguably) the big innovator in the space - so the standard is naturally broad.

Don't forget your datacenter principles, though. The questions you ask are still the same - only the answers differ in the cloud computing paradigm. DRP, redundancy at critical service layers. etc. are all best practices that don't disappear when you move workloads to the cloud. Protect your data - even offsite if necessary.

If a cloud provider fails, you are fine provided that:

1) You have your data backed up
AND
2) You have access to the application(s) that were running against that data.

Simply having access to the meta data and the export in some open format such as XML will not enable you to use it. It could take tens of millions of dollars and many years of effort to re-create the original application.

Your SLA with cloud providers should specify that they will allow you to transfer the data to the application running on your server, before they switch off the lights.

Let's not dwell in hypothetical situations. Data security has been around since the beginning of computing. Also centralized computing has been around too...it was called time sharing. This discussion is taking a narrow view of data security as a whole. You, as the data owner, must still manage your security policies. You have to have your own backup plan if the SaaS provider goes off line. Also, know whether your SaaS provider conforms to international audit standards. The SAS 70, and now upgraded to SSAE 16 and ISAE 3402 are making the audit standards a forced set of standards that cloud centers must comply to vis a vis Sarbanes Oxley standards that financial institutions use.

Patrick last paragraph is key. Prudent datacenter techniques still apply to data storage management. I am curious as to how cloud vendor address this one.

Also consider that your data can be vulnerable due to data location, different jurisdictions and the impact of law enforcement. In a public cloud environment there are multiple cases where private customer data has been seized by law enforcement if either a cloud service provider is suspected of misconduct or a particular owner of data stored at the provider's data center. Wired Magazine reported that the FBI seized records of 50 companies last year. As the data is stored in a "shared" environment, many customers can be affected as complete servers or databases can be seized.

It might evaporate! I always assume that a provider will go out of business. Thus, your DR data center should be from another cloud vendor with replication between the 2. This solves the continuity of operations problem. Your next problem is making sure the data is erased and doesn't show up on a drive on an eBay auction.

Bill makes excellent points.

Without being a legal expert I would say what happens will largely depend on the provider and their location. In 'theory' the data could be available through some sort of 'escrow' but I doubt very much that is desirable or practical (data backup, no certain who might now have access etc.). In more normal situations the data will probably be considered an 'asset' of the company and fall under the control of the receivers (at least in the UK if your car is in a garage for service on the day they go bust you won't get your car back - at least not straight away).
You may find that your data and service are unavailable for many weeks at a time, perhaps never again. Can your business survive without its data for such a period - no meeting calendars, no invoicing service....
Even if you can get the data back can you make use of it? Perhaps it is double encrypted (company code and provider code) to ensure security, perhaps its just in a format no other service providers software will understand.

Add this to the problems of lack of internet access in some places, possible intrusion by US 'homeland security', possible hacking... I think the cloud is going to get burnt away pretty quickly in truth and is just a passing fad.

This is like the old two bobs (and a dog) and a data rack business model. You will get exactly what you pay for.

Your data will be sitting on their servers and they will have it.

ALWAYS ensure you have your data backed up on some server other than the service providers.

Our CRM is in a cloud now and we're loving it in general. They tout several back up servers. Our database, now over 35K people, is too large to export to a .csv every few weeks. There IS NOT any other way to back it up that I know of - I am forced to blindly trust that they will keep it safe for me. Terrifying, but I seem to have no alternative.

Its a big concern, which is discouraging us to go cloud. We know its positives and specially the cost factor. But, the data security is a big concern.

If I talk about VAS as a domain which is growing to be the next big thing in South East Asia cloud is highly attractive for start-ups, MVNOs, etc. However, when it comes to

1. Data security
2. Security in terms of uniqueness of the products, product templates
3. Subscriber information security - mobile numbers, address, usage pattern, etc.
4. Legal interception
5. Freedom to access
6. Audit and reconciliation
7. Backup - mandatory for 12 months as per statutory guidelines
8. Revenue leakage

So many unanswered questions that are concerns and prevent us to go cloud.

Has anyone seen any verbiage in their contracts regarding this type of situation? I am still curious to know how this situation is handled. I guess this could happen outside the cloud if you do not back up you data properly. Do you legally have assess to your data if a company goes out of business? I would assume that they would have to provide you some type of notification about going out of business so you would have time to move your data somewhere else. But I am not a lawyer.

The Statement on Auditing Standards (SAS) no. 70 compliance offers an auditing guideline for assessing the data centre's security protection level and whether it meets the claims made by the SaaS provider. They aim to audit that the vendor is compliant with what they claim. The website for SAS 70 is www.sas70.org. My whitepaper entitled "Acieving Securty of Data in a SaaS BI enviroment. (see whitepapers at www.datarrange.com)Addresses other security issues to be aware of too.

Except for the Apple doomsday scenario, there has been a lot of good discussion here. Very valuable stuff. Now, let me add some more for consideration. Everyone seems to be focused on a SaaS implementation where the data resides in one place. There are several other types of implementations and they all have security considerations. For example, if you are using a global CDN where your data is spread over multiple geographies, how do you determine definitively if it is destroyed? Also, public cloud providers may use a carrier to connect their data centers. Those carriers transmit copies of your information across the network with store and forward, and they could be holding copies at any time. Probably encrypted, but so?

The comment from Simon on the application is also key and not many people talk about this important area. From a CIO perspective, my applications are a large part of my competitive advantage. If I am using Public PaaS or IaaS, how do I ensure that my application code does not end up in someone else's application? Anybody with a USB key in a 500,000 square foot datacenter could walk with the crown jewels - and I may never know.

There was a Google video of one of their massive data centers and it showed the drive destruction piston - which was kind of cool. However, they filmed inside one of the control rooms and on the inside of the door in the control room, there was some amateur spray painted graffiti . It was a total crack up. A video to show the world how safely they handle the data, with graffiti on the inside of the control room door. I wonder if the tagger knew Perl?

When you give your data and applications to someone else, it is a real gamble regardless of how restrictive you make the contract. Once your data is gone or compromised, there is no "undo". I think it is a safe bet that a public cloud provider is not going to create or agree to a binding contract that ultimately favors the customer if something really bad happens.

At the end of the day, it is about balancing Cost, Value and Risk. Like Ram discovered, there is a lot of risk. But, the risk is not equal for all implementation types and levels of data sensitivity and criticality.

I will be using Apple as soon as they fire up their Cloud.... If Apple goes out of business then it will be because of some unnatural cholesteric event so who cares after that...
it will happen eventually anyway… it’s just a matter of time… You can neither plan or prepare for it… it will be one of those unexplainable experiences like the Great
Depression… It came and it went away… The only difference between then and now is there seems to be one recession after another… The Boom’s are getting shorter and the Bust are getting longer… The next Bust will be so Bad that everything will be topsy~turvey anyway….
And that will be some real Doom and Gloom....