Security and reliability: 10 questions with ownCloud CEO, Markus Rex

ownCloud cofounder and CEO Markus Rex shares his insights about today's cloud computing model, data ownership, and the choices companies are making to achieve secure, cost-effective storage.


lead image

Markus Rex is cofounder and CEO of ownCloud and brings a European and global view to the business. His open source storage company delivers file synchronization and sharing with an eye to defending against enterprise data leakage. In a nutshell, ownCloud provides universal access to files via Web interface, allowing users to view and sync contacts, calendars, and bookmarks across devices, as well as allowing direct editing on the Web. Markus talked with me about his ideas on security and risk management and how his thinking has been developing, particularly as the accessibility landscape continues to change.

1. Jeff: Growing up in Germany and now living in the U.S., what influences have brought you to your current thinking about technology, security, and risk management?

Markus: For the longest time, I have loved reading about data and processing being transferred in ways that don't require carrying 50 pounds of equipment around with you. I grew up reading about that kind of idea in science fiction like The Keltiad and The Moon Is a Harsh Mistress. Those books are what started my thinking about independent computing regardless of physical location.

Fifteen years ago, we worked at terminals and the real computer power was centralized in another location. Then along came Windows and changed all that. But bear in mind it's not enough to solve the problems you wouldn't have without IT in the first place. The other issue I believe lies at the heart of things is privacy. Societies have fought and endured totalitarian regimes for freedoms like owning your own data and deciding what to share. I have always believed fundamentally in the importance of individual data ownership.

So the merging of those two concepts gets me to this idea of cloud computing being independent of a storage location, which is a beautiful thing but also requires the appropriate privacy controls around it. Both at the individual and corporate levels, you or the IT department own the data and have the right to decide where it should be. You can decide to put it out on Rackspace or Amazon or another cloud service. What we do at ownCloud is put the IT department in a position to make the best decisions on what data to put in which location.

2. Jeff: In the last year or so, both of those areas have continued to accelerate even more quickly. What kinds of things have you seen happening?

Markus: There are a few things in this category, but the one that really jumps out at me is that initially people were overwhelmed by the idea that they now have central data storage. That benefit overwhelmingly outweighs everything else. Other factors do come into play, one of them being cost. But cost is not lower because a gigabyte or terabyte of information on a hard disk is cheaper when someone else owns the hard disk. Businesses are still concerned with their increasing annual cost of storage. I was talking with a CEO recently whose storage cost was growing at more than 40% year over year without any end in sight. That is a truckload of money to take care of accumulating data. Using the cloud has some other positive attributes, but cost is still one that grabs our attention.

The second thing that comes to mind is in the consumerization of IT. This development has put pressure on the IT industry in general as well as on IT departments because they no longer get away with delivering whatever they want to users who can't do anything about it. They have to make things flow nicely, be nice looking, and actually be working all the time. In the last two years or so I see a lot of users who now have access to technology they didn't before, and they don't settle for what longer-term IT consumers have just been trained to accept. The new attitude expects things to be easy and aesthetic and work all the time or people just won't use it.

3. Jeff: So with an iPhone app, for example, new apps are not created in a vacuum. You're saying there already are expectations for the app you're creating and what should be possible with it, based on other apps people are already using?

Markus: Sometimes we don't even realize how dramatically our expectations have leapfrogged what we used to accept as the status quo. Remember your old Motorola Razr or Nokia brick phone, compared to your iPhone? Which one would you rather use? Or think about your old Dell laptop vs. an iPad. People have become much more effective and efficient at their jobs with these improvements in their information management abilities. The downside for the company is the data gets loaded onto a highly versatile device like this. Then there are certain types of data where it is not only a matter of convenience or propriety, but also a legal issue that this data cannot be taken off and duplicated somewhere, such as legal or financial records. But the doctor likes his iPhone or iPad better than carrying around a paper document the nurse gave him. The problem for IT is that they are the ones charged with keeping track of the data at the end of the year when there is an assessment of whether they are in compliance. So they had better know where their data is.

4. Jeff: What criteria do you use to recommend to your clients how they manage their data among the onsite or private and public cloud options?

Markus: With anything that could be considered sensitive data, there is no question that it has to be either onsite or private cloud. With public cloud, the name says it all. But there are certain things where public cloud makes absolute sense. PDFs or photos of files that are already published don't need to be in a high-security data vault where a gigabyte costs you 10 dollars a month as opposed to 50 cents on public cloud. There is a key point to note here. We need to distinguish between two things, and I feel very strongly about this: the location of the actual files and the software being used to put the files in this particular spot. The software should always be in a secured location. This is where the policies need to be consistently enforced, and you need to have encryption keys and maintain control. So even when you decide to put documents out in the cloud, access to the management software needs to be limited in order to claim responsibility for your data.

5. Jeff: What is the expectation for vendors around data breach indemnification?

Markus: The question revolves around who indemnifies what and what happens when you are indemnified. There was a high-profile case here in Massachusetts recently where TJ Maxx lost a lot of credit card numbers, and they suffered quite badly from it for a long time. No degree of indemnification could protect them from those repercussions and consequences.

If you keep data within your own firewall on your own premises, there is no need for indemnification because you own it. You have faith in your own system and your own data setup. Something could still happen, make no mistake. But if you leave it at the mercy of someone else and it is their mistake and your files get exposed, indemnification cannot always solve that problem. Your brand does not get repaired. So the sensitive data stays on premise or private cloud.

6. Jeff: Once a business separates out its sensitive data and decides to save some money by getting the non-sensitive files off its servers, how much confidence can it have that it can delete the originals?

Markus: In general, I am not aware of a problem with that. Although there could be a problem if a company is forced to go out of business. I believe there have been cases where doors were shut abruptly and there was a problem with access to the data. I believe that was related to a shutdown by the FBI, but I think we are past that kind of thing now. In general, you can trust public cloud to have your files accessible when you need them. Let me just say one other thing with regard to that, though. Over the last 50 years, IT has learned that backups are there for a reason. Would I put certain data out there without keeping a copy anywhere else, independently accessible to me? Probably not, just because one never knows. You need to reference a particular file, and you need it right now or this two million dollar deal won't work. So backups are not obsolete.

7. Jeff: Not to minimize the importance of a good track record, but outside that quality, how does a service provider demonstrate its ability to provide security and availability? Are they all making the same kinds of claims?

Markus: If you read the fine print in a standard contract, you will see that your data will be available, but with the caveat of no guarantee implied that files will never be lost, 100% availability or constant uptime, because that can't be done. If you were the owner of a cloud-hosting service, what kind of penalties would you include if, for example, data can't be reached for an hour vs. three hours? For the most part, these companies are making very similar bottom-line claims. One might say they have ways to keep the wrong people from accessing files, or some security certification or a certified data center, but they are really all saying the same thing regarding the essentials. Those are all check boxes for a service provider, and rightfully so. There are a lot of things being caught and corrected before they become a problem.

8. Jeff: What specific attributes have changed in the way data is managed with the cloud model?

Markus: Cloud computing, in general, in the largest possible sense has changed the mindset around continuity, contingency, reliability, security, and backup and has moved them all to the forefront. For example, people are generally aware of the fact that Amazon northeast went down for four or five hours, although it was during the non-working hours. That is quite an accomplishment, a great step forward from five or 10 years ago. Actually, I think those cloud attributes have put pressure on the internal IT people to deliver an increasing level of quality. I certainly expect my internal wikiserver to be there, and my e-mail to work. When was the last time e-mail didn't work? E-mail always works, right? Cloud has helped to push those things forward. Another thing is that with cloud you have more options, greater flexibility. You could even have two service providers if the cost is justified and use a public-private cloud hybrid solution.

9. Jeff: Recently, we've become more aware of the government looking into people's files, tracking calls and eavesdropping, and so on. What are the appropriate steps for companies to take in light of the government's apparent proclivity for accessing more and more private information?

Markus: There are two answers to that. One is what companies inside the U.S. should do and the other is what companies outside the U.S. should do. If you get your company off U.S. domestic-based servers, that's a good first step, and companies are doing that. It's interesting to see all these large, U.S.-based technology companies starting to say to the government, "We want to start talking about the level at which we have to cooperate with you. We are losing business because people don't trust us anymore." That has become a very real issue we are seeing. Having said that, we have to be realistic here. We're talking about commercial information, not about state secrets or spying. Companies need to take reasonable precautions and not make access any easier than necessary. Let's say you keep things in your data center under control, have good firewalls, and encrypt your files -- will it still be possible for the NSA to get to your files? Yes. Will it be more challenging and less likely for them to go to the trouble? Yes. At the end of the day, if the NSA decides they really want to know what is in that file on your server, trust me, they will get it.

10. Jeff: What are the key elements for success in the next three to five years?

Markus: We've built our business on the premise that the company needs to do two things. First, end users have to have a Dropbox-like user experience. If they don't, people won't adopt it. They will just use Dropbox. At the same time, one of the central questions for the company is where to put its data. It needs to be able to look back and say, "We made an educated decision on where to put the data and did that with a tool that allowed us to put that into reality among on premise, off premise, public, and private cloud locations." The end user is oblivious to this and is happy in his ignorance. He just wants the files to be there. The thread that goes through our thinking in this process is that the company makes good choices, and if all goes well, the end user shall never notice.

CEO Markus Rex cofounded ownCloud with a small group of colleagues just under two years ago and has seen the company grow to 40 employees and 80 customers this year. In the 2013 Reader's Choice Awards for best cloud-based file storage, ownCloud came in second to Dropbox, ranking ahead of Google, Box, and Ubuntu. ownCloud's most recent enterprise version is v5, while the current community version is v6.

To see the company blog and overview, including solving "the Dropbox problem," visit or follow on twitter @owncloud.