Counting the Cost of Cloud Backup
Thursday, 26th April 2012
All information here was correct at the time of initial publication. Any differences between statements here and the actual status quo are likely to be either the cause of the vendors, or your strange little minds.
With Google's latest release of their "cloud storage service", "Google Drive", I'm once again brought to review and contrast the differences between a number of online storage providers. There's an absolutely epic list, far too many to pick apart individually here, but I'll try to cover a few that I've used personally, and some that I haven't, and the various pros and cons of each.
Here's a brief list:
- Apple iCloud
- Windows Live Skydrive
Things I'll be looking at:
Is file-synchronisation supported across Linux, Windows, Mac, iOS, Android, Blackberry, Windows Phone and anywhere-access from a web browser?
It's no point having the best possible service if it costs the earth.
Also, if it's free, what's the downside? Where's the catch?
What's the maximum amount of storage you can allocate (and what will that cost!?)
This is my biggest complaint about a number of cloud storage providers. Where is that data stored? How is that data stored? Can other people potentially access it? Does the host have access to it?
Terms of Service:
Does the data remain your property? Do you waive rights to it?
Let's look first at Cross-platform Support.
I've included WL Skydrive and SugarSync in this list in an effort to cover more potential vendors, but haven't personally used either of them.
As you might predict, Apple's iCloud is poorly supported on anything other than an Apple device, and similarly, Microsoft's Skydrive is poorly supported on anything other than a mainstream platform.
I suspect that the reason so few (only WL Skydrive) support WP7 is because the platform is still relatively new. I'm sure that full vendor support for WP7 will be along in time. Spideroak are certainly working on a Blackberry client for their service. 
If you're a die-hard blackberry user, or your company is very blackberry-centric, then your options are basically Box.net, Dropbox or SugarSync.
All of the above services provide a web interface so that you'll always be able to get at your files from a modern web browser. If you're still using IE6, it's time to move on.
This is the dealbreaker for many home users, and quite a number of business users too! All of the above vendors give you a certain amount of free storage when you sign up. Dropbox (and some others) allow you to increase the amount of storage space you have by getting your friends and family to sign up too.
The amount you get for free varies quite widely, between 2GB (Dropbox & Spideroak) to 7GB (WL Skydrive). [Why it's 7, and not 8 is anyone's best guess...]
For simplicity of comparison, all cost figures are in US Dollars per month.
Sugarsync's actual values are for 30GB, 60GB and 100GB.
Spideroak has an interesting pricing model, where the first 2GB are free, as per usual, but their increment in pricing starts with a chunk of 100GB for $10/month for each 100GB incremental chunk.
Maximum Storage Capacities:
For the majority of vendors, the actual maximum storage capacity is unclear. GoogleDrive is the only one I could find with a maximum storage capacity stated to be higher than the largest pricing bracket.
Google's maximum is 16TB, which will cost you a handsome sum of $799.99 a month. At this scale of storage, you really should be thinking about how to do it more cost-effectively. Amazon S3 or a colocated disk array would probably be a sensible alternative at 16TB.
Box.net's Personal plan caps out at 50GB (19.99/mo), and their Business plan starts at $15/user/mo, with a maximum cap of 1000GB.
Box.net also offer an enterprise level of storage, where there's no cap on the amount of storage you can use, it's just listed as "Unlimited". Naturally, there's the limitations of economies of scale, if you asked them to host a petabyte of data, you're gonna pay them through the nose for it.
Dropbox on the other hand, for non-business users, the maximum seems to be 100GB, and for business users, the pricing plans start at $795 for 5 users and 1TB of storage.
With regard to Apple's iCloud, it's unclear from their website what happens after you've used 100GB of their storage, whether it's a hard limit, or you can buy more 100GB chunks. I'd love to know the answer, but I'll bet it's expensive after 100GB. 
SugarSync offer 3 plans higher than their widely publicised 100GB plan (just after the fold on their pricing page , of 250GB for $24.99/mo, 500GB for $39.99/mo, and 1TB for $79.99/mo.
SugarSync for Business's maximum is 2TB, priced at $2099.33/year ($209.93/mo)
Let's see how the vendors shape up in terms of security.
Spideroak, SugarSync are the only two which I'd say have the strongest security out of the lot of them. Dropbox is famously insecure, here's one reason why, once a file is shared, you've effectively lost control over it, as anyone it's shared with can then invite more people to view it. Dropbox also have the power to view your files, as they own the encryption keys. We should also not forget the major security outage in 2011, when dropbox accounts were effectively open to the public with no authentication whatsoever. Whilst this hole was fixed quite quickly (4-5 hours, ISTR), it still leaves a lingering feeling of malaise regarding the service.
Dropbox's terms of service state that "employees are prohibited from viewing the content of your files", by "prohibited" it's plausible to read that as "we've asked them not to, but there's nothing technically stopping them from doing it if they wanted". They also say that they'll decrypt your files if subpoena'd by law enforcement officals.
I was unable to find information regarding the process of encryption and security for iCloud, as well as GoogleDrive and SkyDrive, but I suspect that as they own the keys, they can be subpoena'd for them, and will probably give them up without too much fuss.
SugarSync will only access your files with your permission, and then they have to use a remote-access tool to allow you to grant access to them. (chatlog)
Spideroak is the interesting one here. When you sign up, you set the key. If you lose the key, you lose the copy of the data. Spideroak staff can't view your data, as they don't have your key. :D
In order to correctly and legally store data from the EU, on servers outside the EU, in a manner protecting Personally Identifiable Information (PII) , the storage vendor must be EU Safe Harbour compliant . This basically means that they meet the standards laid down by the US Department of Commerce.
Finding a cloud storage provider who are a) functionally good, and b) Safe Harbour compliant is not an easy task. I had to do this for a previous employer, and the only one we could find at the time was Box.net.
Sugarsync are also Safe Harbour approved, as is Amazon S3 which a number of storage vendors use for backend storage, but many of the vendors themselves are not compliant.
Where I've listed Backend Storage as "Owned Hardware", that's basically them having their own network for the entire platform, as opposed to using another vendor's storage platform, like the connection between Dropbox and Amazon S3.
Not many vendors are Safe Harbour approved, and some don't state either way whether they are or they aren't. As with all these kind of things, its better to assume the worst case. In this case, if you can't see if they're Safe Harbour compliant, assume they're not.
Similarly, If you're not sure whether the vendor can decrypt your files, assume they can unless it's explicitly stated otherwise.
Role-based Access Control, a frequently requested enterprise feature is only (to the best of my knowledge) available on the enterprise/business account features of SugarSync, Dropbox (Bluebox) and Box.net (Enterprise, not business). As a feature, I don't even think it's technically applicable to iCloud, as that's not really a cloud storage service in the sense that Dropbox et al are, but a set of APIs tightly integrated into a number of devices.
Terms of Service:
Importantly, we come to terms of service for these cloud storage platforms. Basically, Google launched GoogleDrive about 2-3 days ago, and are already under fire for this text in their Terms of Service:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide licence to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."
The upshot of this is, that once you upload a file to their servers, it's not yours anymore. Which kind of proves another point. The files can't be securely encrypted, if they can examine them in order to reuse them or whatever it is they want to do.
Even Dropbox don't make claims or grabby paws at your data. They might expose it to everyone else, but they won't steal your intellectual property first! Dropbox has this to say:
"You retain full ownership to your stuff. We don't claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below."
"Except for material that we license to you, we don't claim ownership of the content you provide on the service. Your content remains your content. We also don't control, verify, or endorse the content that you and others make available on the service."
That's pretty interesting, especially with regards to Google who are trying their best at all times (apparently) not to be 'evil'.
There's a very fine line to be drawn between enhancing the service, and Intellectual Property scavenging.
I've reviewed a few salient points which should be considered when choosing a cloud backup vendor. I think it's safe to say that the non-business version of Dropbox has no place in the business environment. Especially when you're dealing with confidential or sensitive files, ones which could be potentially very damaging for the business if they were to be leaked.
There is of course one very important alternative which shouldn't be overlooked. A number of open-source projects exist to replicate the services provided by Dropbox and so on. A quick naïve googling finds Owncloud, Sparkleshare, and Syncany.
Whilst all of these have the nasty side-effect of you having to manage your own storage, they do helpfully allow you to maintain full control of the whereabouts of all of your data. This is ideal for those paranoid few of you, or companies where a traditional cloud provider is unacceptable due to client restrictions.
There are also a few cloud providers who are based in *just* the EU, or the UK, so american law doesn't apply. This is again good for british based companies where you don't want, or can't allow data to leave the country.
If I were choosing a cloud backup provider tomorrow, I'd be looking very seriously at Box.net Enterprise and SugarSync for Business. I think Dropbox for Enterprise is worth a look too, but beware of the underlying taste of Dropbox which may linger like a fart in a lift.
I've been informed on Twitter by a regular journotroll that my article is inaccurate.
Apparently Microsoft are now offering 25GB for "free" to *existing* SkyDrive customers, although I can't find a reference to this on their website directly..
I don't really care that much, as they're still failing to support the wide array of platforms that are supported by SugarSync for example.
There also appears to be a bunch of third-party applications to allow access to SkyDrive from Android platforms. But as they're third-party, I won't be trusting them with the security of my data.