Is it too easy for your cloud provider to snoop on your business?

In today’s world of fierce co-opetition, your cloud provider may be both your partner and competitor – and building your business on top of your competitor’s cloud is a very dangerous way to live. When the ancient Chinese wanted to keep their population safe from dangerous invaders, they built a wall. So, does your business need a Chinese Wall to provide protection from a possible invasion by your cloud provider?

Public clouds reveal crucial data

Your public cloud computing provider knows a lot about your business. That knowledge may be giving them an unfair competitive advantage against you. This has always been a fear when using a public cloud – your business relies on a cloud being built by your competition. This issue has become more acute in the past few years as many companies have leveraged their competition to build and scale infrastructure that is the critical technology foundation for their business.

To help understand the implications here, let’s examine what your public cloud provider could know about your business. Assuming that your business is using infrastructure-as-a-service (IaaS), the cloud knows: where, when and how often your users connect; the types of devices and browsers your users have; how much data your business has stored; the number of compute servers that your business uses; the geography where these servers are deployed; and your active business relationships (seen by watching traffic flows).

If you’re using platform-as-a-service (PaaS), your cloud provider could know: the number of payments that you process (and peak payment hours); your database transaction rates and query patterns; the types of data that your business sends and receives; the velocity of your software changes; when you are upgrading or releasing new products (seen by watching traffic to specific locations on your site); and more.

For most businesses, all of the above data is considered intellectual property and carefully restricted for competitive and, in the case of a public company, regulatory, reasons.

Giving away a competitive advantage

For some public cloud computing providers, knowing the above information (excepting the regulatory data) is acceptable and could help them run their cloud in a predictable and scalable manner. Public clouds in this category are the ones that solely provide IaaS or PaaS services, such as Joyent, Rackspace, SoftLayer and Terremark. (My current company, ServiceNow, also falls into this category because we are building a PaaS for enterprise IT applications and not providing competitive applications.)

Now, let’s consider public cloud companies that have businesses that directly compete with, or could compete with, businesses in a variety of markets, such as shopping, movies, advertising, gaming, search, social and so on. Public cloud computing companies, such as Amazon Web Services, Google Compute Cloud and Microsoft Azure, have large businesses in one or more of these markets. Thus, these companies, while providing a cloud for your business, very well may be your direct competition as well. And the knowledge of how your business uses their IaaS and PaaS may influence their competitive offerings.

While this may be only a hypothetical concern for now, it seems safe to say that if the company that operates the cloud has a business that directly competes with yours, then during a major outage the cloud employees will be motivated by who pays their wages. In other words, if your business and Amazon’s both suffer an outage because of an Amazon Web Services outage, I am willing to bet that the cloud team takes the call from Jeff Bezos first.

For example, a public cloud company could offer a store that sells the same products, have a similar file or photo storage service, provide a competing restaurant review service, provide a competitive video streaming service, and so forth. Do items that are selling well in your store appear on their storefront, or do the traffic patterns of your users influence when and where they launch their next service offering? Does an increase in your mobile traffic affect their product direction, or do your business partnerships affect where they spend their business development efforts?

In reality, maybe not. But the temptation to share data across multiple groups in such an organization must be powerful. And that is why you may need a Chinese Wall.

Good walls make good neighbors

A Chinese Wall separates groups within an organization and restricts the flow of information between them to avoid conflicts of interest. The term is believed to have originated in the business world after the stock market crash of 1929, to separate people who make investment decisions from those who have undisclosed public information.

I am not a lawyer and do not have access to the latest terms of service and license agreements offered by public cloud computing companies. The agreements may already provide a Chinese Wall and cover information sharing and this potential conflict of interest. To alleviate these concerns though, the cloud computing industry needs to acknowledge the need for a Chinese Wall, validate that one does or does not exist, and provide a way for your business to audit adherence.

Yet, a Chinese Wall and an audit process may not be enough. The profitability of your business may influence your cloud provider to become your competitor even if they do not share data across their organization.

When your business reaches the scale that attracts the attention of your cloud provider, one potential solution without relying on a Chinese Wall is to build a hybrid cloud – a cloud computing infrastructure that leverages both the public cloud and a private cloud working together to match the needs of the business. When engineered for scale, hybrid clouds have been shown to be more cost-effective and higher performing than public clouds.

Using a hybrid cloud, competitive information and processes can be kept on your private cloud where your competition cannot be tempted by confidential and competitive data. The public cloud could then be used to scale the infrastructure for multiple parts of the business without putting all of your IaaS and PaaS reliance on your competition.

If you are using a public cloud that may be your competitor today or tomorrow, you might think about asking for the construction of a Chinese Wall or building your own hybrid cloud. Both may help keep dangerous competition at bay.

Allan Leinwand is VP and CTO, Platform Development for ServiceNow, the enterprise IT cloud company. He was previously CTO of Infrastructure for Zynga and founded the software-based networking company Vyatta.

8 Responses to “Is it too easy for your cloud provider to snoop on your business?”

  1. keaocaindec

    Allan, you raise an interesting point regarding client data privacy and coopetition. The telecom industry has always operated in a state of coopetition, whereby carriers both compete and buy services from each other. AT&T Wireless competes with Verizon Mobile, while both companies buy long haul fiber from each other. That’s the reality of a model in which no single provider has perfect coverage and access into markets.

    There are rules in place for carriers in how they may use client data. The US Telecommunications Act of 1996 granted the FCC authority to determine how customer proprietary network information (CPNI) can be used. The 2007 FCC CPNI Order further defined how carriers can use client information to market and what they can and cannot share with third party marketers. In 2007, when I was at Yipes, we in fact had to change the way we handled client data in order to satisfy some elements of CPNI as a carrier. The CPNI order effectively says that you cannot use CPNI data to market to them unless the client opts in.

    I am not aware of any CPNI rule that extends to cloud providers, however, I wouldn’t be surprised if the FCC expands its definition of CPNI to include cloud data some day.

    Clients have been sharing product plans, expansion plans, and entrusting their vendors with confidential information for years. NDAs should explicitly limit the use of such confidential information to the teams working on their project for that project. As telecom carriers, systems integrators, hosting companies and pure cloud providers compete with each other, we all will have to live in a world of beneficial coopetition. Caveat emptor as they say. The reality is that if enterprises and service providers cannot entrust their cloud provider or cloud technology vendor to help them drive their business, they will have to build their own technology or service or slow their growth.

    At the end of the day, I think the coopetition model will prevail in cloud, and enterprises will have to ensure that they trust their cloud provider (with appropriate NDAs) as needed. In fact, the coopetition model is alive and well at the PTC Conference in Honolulu right now where hundreds of carriers are bartering, buying and selling capacity at one of the most interesting conferences in our industry. Aloha!

  2. Jeff Schneider

    Allan –
    You’ve hit on a valid concern. However, if you go through a reseller (or broker), the specifics of your account are hidden from the CSP. The broker holds your keys and bills the customer directly. The cloud provider never sees the end customer nor do they see line-item billing. By blending multiple customer accounts, the broker is able to obfuscate the activity of any one account. Of course, very large accounts would still stand out like a sore thumb (e.g., Netflix).

    The hybrid (private/public) is another way of hiding workload activity, but may limit you to a least-common-denominator solution and create extra gyrations. I’m a fan of hybrid clouds – but to do it purely for ‘account activity obfuscation’ seems like too much effort (IMHO).

    • Allan Leinwand

      Jeff – agreed. I was more thinking of a business that has reached a large enough scale that it merits the cloud infrastructure provider to consider entering the same market. When your business gets to that scale, a hybrid cloud may make sense for both performance and commercial reasons.

  3. Vinod Shintre

    Certainly helps them understand the trends in demand & see which use case applies across their own customers. No one stops XaaS providers from doing this other than the thin line they would draw in terms of business ethics, but hey, in this competitive world that can be violated easily.

  4. The real concern is what will your cloud service provider do when the IRS or other government agency sends a request for information about your company? We already see what happens with the cell phone companies and location data requests, and who can really blame them? They’re trying to run a business not stand up for anyone’s civil rights.

    I’m not in favor of supporting people who break the law, but internal information that shouldn’t or wouldn’t be exposed to the light of day could look very bad and lead to a lot of extra work defending yourself in court, especially to a regulator trying to keep busy.

    • Allan Leinwand

      I’m not an expert in law enforcement requests and authority, but it will clearly vary per company. Regardless, those are legal issues.

      The issue I am bringing up is if the cloud provider who your business uses as your infrastructure and platform provider can use information that they already have as a competitive advantage. As I said in the post, I am not a lawyer and have not read every contract between customer and provider, but I feel that more disclosure or the use of hybrid clouds is a pragmatic approach.