Markus
Rex is cofounder and CEO of ownCloud and
brings a European and global view to the business. His open source storage company
delivers file synchronization and sharing with an eye to defending against
enterprise data leakage. In a nutshell, ownCloud provides universal access to
files via Web interface, allowing users to view and sync contacts, calendars,
and bookmarks across devices, as well as allowing direct editing on the Web. Markus
talked with me about his ideas on security and risk management and how his
thinking has been developing, particularly as the accessibility landscape
continues to change.

1. Jeff: Growing up in Germany and
now living in the U.S., what influences have brought you to your current thinking
about technology, security, and risk management?

Markus: For the longest time, I
have loved reading about data and processing being transferred in ways that don’t
require carrying 50 pounds of equipment around with you. I grew up reading
about that kind of idea in science fiction like The Keltiad and The Moon Is a
Harsh Mistress
. Those books are what started my thinking about independent
computing regardless of physical location.

Fifteen
years ago, we worked at terminals and the real computer power was centralized
in another location. Then along came Windows and changed all that. But bear in
mind it’s not enough to solve the problems you wouldn’t have without IT in the
first place. The other issue I believe lies at the heart of things is privacy.
Societies have fought and endured totalitarian regimes for freedoms like owning
your own data and deciding what to share. I have always believed fundamentally
in the importance of individual data ownership.

So
the merging of those two concepts gets me to this idea of cloud computing being
independent of a storage location, which is a beautiful thing but also requires
the appropriate privacy controls around it. Both at the individual and corporate
levels, you or the IT department own the data and have the right to decide
where it should be. You can decide to put it out on Rackspace or Amazon or
another cloud service. What we do at ownCloud is put the IT department in a
position to make the best decisions on what data to put in which location.

2. Jeff: In the last year or so,
both of those areas have continued to accelerate even more quickly. What kinds
of things have you seen happening?

Markus: There are a few things in
this category, but the one that really jumps out at me is that initially people
were overwhelmed by the idea that they now have central data storage. That
benefit overwhelmingly outweighs everything else. Other factors do come into
play, one of them being cost. But cost is not lower because a gigabyte or
terabyte of information on a hard disk is cheaper when someone else owns the hard
disk. Businesses are still concerned with their increasing annual cost of
storage. I was talking with a CEO recently whose storage cost was growing at more
than 40% year over year without any end in sight. That is a truckload of money
to take care of accumulating data. Using the cloud has some other positive
attributes, but cost is still one that grabs our attention.

The
second thing that comes to mind is in the consumerization of IT. This development
has put pressure on the IT industry in general as well as on IT departments
because they no longer get away with delivering whatever they want to users who
can’t do anything about it. They have to make things flow nicely, be nice
looking, and actually be working all the time. In the last two years or so I
see a lot of users who now have access to technology they didn’t before, and
they don’t settle for what longer-term IT consumers have just been trained to
accept. The new attitude expects things to be easy and aesthetic and work all
the time or people just won’t use it.

3. Jeff: So with an iPhone app, for
example, new apps are not created in a vacuum. You’re saying there already are expectations
for the app you’re creating and what should be possible with it, based on other
apps people are already using?

Markus: Sometimes we don’t even
realize how dramatically our expectations have leapfrogged what we used to
accept as the status quo. Remember your old Motorola Razr or Nokia brick phone,
compared to your iPhone? Which one would you rather use? Or think about your
old Dell laptop vs. an iPad. People have become much more effective and efficient
at their jobs with these improvements in their information management
abilities. The downside for the company is the data gets loaded onto a highly
versatile device like this. Then there are certain types of data where it is
not only a matter of convenience or propriety, but also a legal issue that this
data cannot be taken off and duplicated somewhere, such as legal or financial
records. But the doctor likes his iPhone or iPad better than carrying around a
paper document the nurse gave him. The problem for IT is that they are the ones
charged with keeping track of the data at the end of the year when there is an
assessment of whether they are in compliance. So they had better know where
their data is.

4. Jeff: What criteria do you use to
recommend to your clients how they manage their data among the onsite or
private and public cloud options?

Markus: With anything that could be
considered sensitive data, there is no question that it has to be either onsite
or private cloud. With public cloud, the name says it all. But there are
certain things where public cloud makes absolute sense. PDFs or photos of files
that are already published don’t need to be in a high-security data vault where
a gigabyte costs you 10 dollars a month as opposed to 50 cents on public cloud.
There is a key point to note here. We need to distinguish between two things,
and I feel very strongly about this: the location of the actual files and the
software being used to put the files in this particular spot. The software
should always be in a secured location. This is where the policies need to be consistently
enforced, and you need to have encryption keys and maintain control. So even
when you decide to put documents out in the cloud, access to the management software
needs to be limited in order to claim responsibility for your data.

5. Jeff: What is the expectation for
vendors around data breach indemnification?

Markus: The question revolves
around who indemnifies what and what happens when you are indemnified. There
was a high-profile case here in Massachusetts recently where TJ Maxx lost a lot
of credit card numbers, and they suffered quite badly from it for a long time.
No degree of indemnification could protect them from those repercussions and
consequences.

If
you keep data within your own firewall on your own premises, there is no need
for indemnification because you own it. You have faith in your own system and
your own data setup. Something could still happen, make no mistake. But if you
leave it at the mercy of someone else and it is their mistake and your files
get exposed, indemnification cannot always solve that problem. Your brand does
not get repaired. So the sensitive data stays on premise or private cloud.

6. Jeff: Once a business separates out
its sensitive data and decides to save some money by getting the non-sensitive
files off its servers, how much confidence can it have that it can delete the
originals?

Markus: In general, I am not aware
of a problem with that. Although there could be a problem if a company is
forced to go out of business. I believe there have been cases where doors were
shut abruptly and there was a problem with access to the data. I believe that was
related to a shutdown by the FBI, but I think we are past that kind of thing
now. In general, you can trust public cloud to have your files accessible when
you need them. Let me just say one other thing with regard to that, though.
Over the last 50 years, IT has learned that backups are there for a reason.
Would I put certain data out there without keeping a copy anywhere else,
independently accessible to me? Probably not, just because one never knows. You
need to reference a particular file, and you need it right now or this two
million dollar deal won’t work. So backups are not obsolete.

7. Jeff: Not to minimize the
importance of a good track record, but outside that quality, how does a service
provider demonstrate its ability to provide security and availability? Are they
all making the same kinds of claims?

Markus: If you read the fine print
in a standard contract, you will see that your data will be available, but with
the caveat of no guarantee implied that files will never be lost, 100%
availability or constant uptime, because that can’t be done. If you were the
owner of a cloud-hosting service, what kind of penalties would you include if,
for example, data can’t be reached for an hour vs. three hours? For the most
part, these companies are making very similar bottom-line claims. One might say
they have ways to keep the wrong people from accessing files, or some security
certification or a certified data center, but they are really all saying the
same thing regarding the essentials. Those are all check boxes for a service
provider, and rightfully so. There are a lot of things being caught and
corrected before they become a problem.

8. Jeff: What specific attributes
have changed in the way data is managed with the cloud model?

Markus: Cloud computing, in general,
in the largest possible sense has changed the mindset around continuity,
contingency, reliability, security, and backup and has moved them all to the
forefront. For example, people are generally aware of the fact that Amazon northeast
went down for four or five hours, although it was during the non-working hours.
That is quite an accomplishment, a great step forward from five or 10 years
ago. Actually, I think those cloud attributes have put pressure on the internal
IT people to deliver an increasing level of quality. I certainly expect my internal
wikiserver to be there, and my e-mail to work. When was the last time e-mail
didn’t work? E-mail always works, right? Cloud has helped to push those things
forward. Another thing is that with cloud you have more options, greater
flexibility. You could even have two service providers if the cost is justified
and use a public-private cloud hybrid solution.

9.
Jeff:
Recently, we’ve become more aware of the government
looking into people’s files, tracking calls and eavesdropping, and so on. What
are the appropriate steps for companies to take in light of the government’s
apparent proclivity for accessing more and more private information?

Markus: There
are two answers to that. One is what companies inside the U.S. should do and
the other is what companies outside the U.S. should do. If you get your company
off U.S. domestic-based servers, that’s a good first step, and companies are
doing that. It’s interesting to see all these large, U.S.-based technology
companies starting to say to the government, “We want to start talking
about the level at which we have to cooperate with you. We are losing business
because people don’t trust us anymore.” That has become a very real issue
we are seeing. Having said that, we have to be realistic here. We’re talking about
commercial information, not about state secrets or spying. Companies need to
take reasonable precautions and not make access any easier than necessary. Let’s
say you keep things in your data center under control, have good firewalls, and
encrypt your files — will it still be possible for the NSA to get to your files?
Yes. Will it be more challenging and less likely for them to go to the trouble?
Yes. At the end of the day, if the NSA decides they really want to know what is
in that file on your server, trust me, they will get it.

10.
Jeff:
What are the key elements for success in the next
three to five years?

Markus:
We’ve
built our business on the premise that the company needs to do two
things. First, end users have to have a Dropbox-like user experience. If they
don’t, people won’t adopt it. They will just use Dropbox. At the same time, one
of the central questions for the company is where to put its data. It needs to
be able to look back and say, “We made an educated decision on where to
put the data and did that with a tool that allowed us to put that into reality
among on premise, off premise, public, and private cloud locations.” The
end user is oblivious to this and is happy in his ignorance. He just wants the
files to be there. The thread that goes through our thinking in this process is
that the company makes good choices, and if all goes well, the end user shall
never notice.

CEO Markus Rex cofounded
ownCloud with a small group of colleagues just under two years ago and has seen
the company grow to 40 employees and 80 customers this year. In the 2013 Reader’s
Choice Awards for best cloud-based file storage, ownCloud came in second to
Dropbox, ranking ahead of Google, Box, and Ubuntu. ownCloud’s most recent
enterprise version is v5, while the current community version is v6.

To see the company blog and
overview, including solving “the Dropbox problem,” visit www.owncloud.com or follow on twitter @owncloud.