In another case of governments behaving badly with personal data, the state of Utah has learned that a data breach a year ago is likely to be even more costly than originally estimated – and that’s after the initial estimate was itself increased by almost 30 times.
“In late March 2012, hackers broke into a Medicaid server that a technician had placed online without changing the factory password and downloaded the personal information of 780,000 Utahns,” writes the Salt Lake City Tribune. (To put that in perspective, that’s one out of every six Utahns.) “Some were on Medicaid, but also affected were the privately insured, uninsured and retirees on Medicare whose providers had sent their data to Medicaid in the hopes of billing the low-income program.” Of those, 280,000 people had their Social Security numbers exposed, which puts them at particular risk.
Initially, it was thought that only 24,000 people had had their information put at risk. Stephen Fletcher, executive director of the state’s Department of Technical Services, lost his job over the incident.
“Utah’s Medicaid Management Information System, which receives eligibility inquiries and billing information from providers, was not protected by a firewall as it was upgrading on March 10, when hackers in Eastern Europe first gained access to the state server,” wrote the Deseret News last May. “That server was also installed by an independent contractor more than a year ago, which is not typical protocol for the department, [new DTS director Mark] VanOrden said. A process to ensure that new servers are monitored and a risk assessment performed prior to use was not followed, and factory-issued default passwords were still in effect on the server, which is also not ‘routine.’ The final ‘mistake,’ he said, is that information stayed on the server for too long and while it was there, it was not encrypted, leaving it vulnerable to hackers who began downloading the sensitive information March 30.”
A year later, the state is now saying that the damage is estimated to be $9 million, with $3.4 million coming from the department. It includes $467,000 to hire an ombudsman, staff a hotline, run ads and hold community meetings to notify victims; $1.9 million to provide two years of credit monitoring for those whose Social Security numbers were compromised; $741,000 on a legal consultant and forensic security audit; and $300,000 to create an Office of Health Information and Data Security. The state also spent $1.2 million on a review of state servers and $4.4 million to increase security, according to the Associated Press.
In addition, state residents and businesses face potential fraud of up to $406 million, according to new estimates from Javelin Strategy & Research, which examined the Utah breach. “Based on Javelin’s calculations, 122,000 cases of fraud will occur as a result of this breach, with each incident resulting in $3,327.87 of loss,” wrote the company – which admittedly has a vested interest in making the case look as bad as possible. “Each Utahn whose info is misused as a result of this data theft will incur $770.49 in out of pocket costs and spend 20 hours resolving these cases.” The company estimates that victims of data theft now have a 1 in 4 chance – up from 1 in 9 – of having their information used fraudulently.
Unfortunately, this is not uncommon. “According to information posted by the Privacy Rights Clearinghouse, of the 203 data breaches reported so far this year in the US, 103 involved either government or healthcare information,” Mary Jander of Internet Evolution wrote last year. “Of that subset, 16 cases were the result of hacking.”
As in a similar case in South Carolina last fall, Utah said it didn’t encrypt the data because the federal government didn’t require it. After the South Carolina incident, politicians from the Republican party – normally the party of small government that is against federal mandates – called for the federal government to require encryption of PII by state governments, apparently not trusting state governments to connect the dots themselves. Like South Carolina, Utah is also a Republican state, but thus far its politicians have limited themselves to a state bill that requires more notifications – but also does not require encryption.
Jingming Zhang is one unlucky SOB. After five years of research, as he was working on the thesis required for his PhD in chemistry from Rutgers University, the laptop containing all of his data was reportedly stolen from an unlocked lab in the college.
Zhang wrote a note and put up flyers about the theft, which was picked up by ABC News and which a friend of his posted to his Facebook page, and which was then posted to Reddit and many other websites beyond that. He offered $1000 to the thieves for the data, telling them exactly where on the disk they could find it, giving them the password, and telling them they could keep the computer already; he just wanted to graduate.
Now, in honor of the “Everything Wrong With … in X Minutes” CinemaSins YouTube movie spoofs (and they’re hysterical), here’s everything wrong with this story.
- “Zhang’s laptop had been in an unlocked room in Wright-Rieman, which houses laboratories.” People can walk into Rutgers University lab rooms and walk out with laptops? Doesn’t campus security worry about thieves stealing other equipment, student records, dangerous chemicals, and so on?
- “Rutgers is an open campus,” said [Rutgers Police Lt. Paul] Fischer. “It’s not like a small liberal arts college where it’s gated in. So, even if the buildings are secured, people can piggyback in.” This is the reaction of the security guy, whose job it supposedly is to keep the campus secure? Oh well, people can walk in and take things?
- Campus security doesn’t have security cameras, even in laboratories where people are working with chemicals and on laptops?
- Does Rutgers really want their security guy on national television telling everyone how easy it is to steal things from the campus?
- Just how many things get stolen from Rutgers, anyway?
- If it’s so easy to steal things from Rutgers, wouldn’t it be a good idea for the campus police to tell this to the students, before students lose five years of research?
- “Fischer said that he wouldn’t suggest offering monetary rewards in the future” because it can invite fraud. Okay. What should the student have done differently (other than your barn-door suggestion that he hang on to his laptop next time)? Can’t he get the student to withdraw the reward if it’s such a bad idea?
- Is the Rutgers security guy working with this student to ensure he doesn’t agree to meet someone, get bopped on the head, and also be out $1000? Or to otherwise protect him from fraud?
- Does the Rutgers security guy think that having the theft nationally publicized on ABC News is a smart move? And on Facebook? And on Reddit?
- Shouldn’t the Rutgers security guy suggest to Facebook that maybe it would be a good idea to redact the student’s personal information from the posting, which has more than 33,000 shares?
- Is the Rutgers security guy maybe checking Craigslist? And eBay?
- Doesn’t the chemistry department have a server to which students can save their data? Hell, I went to Boise State and we had that.
- If it’s this easy to steal things from campus, and there’s no provision for students to back up their data on campus, and nobody warns students their work is that vulnerable, and the student may have to start his research over, doesn’t he have the basis of a nice lawsuit?
- Just what sort of chemical research is this student doing, anyway? Do we need to worry about a new kind of poison gas or IED springing up in New Jersey?
- How competitive is the chemistry research program at Rutgers? Is it possible the thief is someone in his department who’s fighting with him for grants or something?
- What are the chances that the student isn’t actually ready for his thesis defense and this is his way of procrastinating until the laptop is “found”?
- This student’s been going to Rutgers for five years and he didn’t know the buildings are insecure?
- “…from where his computer was taken sometime between 10 a.m. and 5:15 p.m.” This student leaves his laptop unattended in an unlocked room from 10 am to 5:15 pm and is surprised that it’s gone? Are we sure that Lost & Found didn’t pick it up?
- We’ve got a student smart enough to be getting a PhD in chemistry but not smart enough to keep from leaving his laptop in an unlocked room?
- Or to copy his data to a DVD?
- To a thumb drive?
- To a cloud storage service?
- To an external hard disk?
- To email it to himself?
- To do a backup? “A lot of people are asking me why I didn’t back up my data,” Jim told the Daily Dot. “I think the reason is that I am pretty busy recently and this kind of thing never happened to me before.”
- “The posters contained very specific instructions and details regarding his dilemma, including his laptop’s password.” Well, that certainly makes it easier for the thieves to use the laptop.
- Where is the student getting the $1000, anyway? And how did he come up with that figure?
- The posts also included his phone number. If the thieves even wanted to call, would they be able to make it through the blizzard of harassing phone calls he must be getting by now?
- He has also suffered several scamming attempts. “’There are a few people sending me messages saying they have my laptop and asking for money, but when I asked for proof, they cannot give anything to me,’ he said.” You think?
- Really, should this student even be allowed to be messing with chemicals in the first place?
- Does the student think that the thief is stupid enough to show up to a meeting to exchange the data and money?
- Or to pick it up at a mailbox?
- How exactly does the student think this is going to work? The thief will send him the data and trust him to send the money? He’ll send the money and trust the thief to send him the data? The thief will hand him the data and hang around while he checks it?
- Even if he gets the data back, how is he going to know that the thief didn’t change some of the data just to mess with him?
- How many backup companies are offering to pay all the student’s expenses in return for his doing an ad for them?
You know how every time you go to a new doctor, you have to sign this form (does anybody read it?) that talks about your rights to privacy for your medical records? Vendors of medical services have their own requirements to live up to, and Box has announced that it is complying with those regulations, in hopes that it will become more widely used as a file transfer medium in the healthcare industry.
“Compliance with the Health Insurance Portability and Accountability Act means that Box provides file redundancy to prevent data loss in a disaster, restrictions on employees’ access to documents, a breach-notification policy, data encryption and other features,” writes GigaOm’s Jordan Novet.
In addition, the company now has ten new healthcare applications. Box is doing this by partnering with a number of other vendors. According to Jasmine Pennic at HIT Consultant Media, those applications are:
- Clinical documentation: Drchrono, a cloud and web-based EHR application accessible from iPads and iPhones; and Umbie DentalCare, a dental care web-based practice management system for dentists available on the desktop and tablet.
- Care coordination: TigerText, an encrypted SaaS platform for secure text messaging in a clinical setting; Doximity, an online professional network designed for U.S. physicians; Medigram, a secure group messaging app for the hospital environment; and PostureScreen Mobile, posture analysis screening and evaluation software for mobile devices.
- Interoperability: MedViewer, a DICOM viewer for viewing, communicating and sharing medical images on iPhone and iPad; iPaxera PACS Viewer, a PACS viewing app designed for iPad, iPhone and iPod; and Medi-Copy, which provides Release of Information (ROI) request services and creates electronic copies of patient medical records.
- Access to care: HealthTap, which provides users with personalized health information and free online and mobile answers from physicians.
Box is also supporting the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and is investing in drchrono.
Compliance requirements include the following, writes Patrick Ouellette in Health IT Security.
- Data encryption occurs in transit and at rest
- Restricted physical access to production servers
- Strict logical system access controls
- Data file access granted by customers
- Audit trail of account activities on both user and content
- Formally defined and tested breach notification policy
- Training of employees on security policies and controls
- Employee access to customer data files is highly restricted
- Redundant data center facilities to mitigate disaster situations
Support for HIPAA and HITECH could also help the cloud storage company improve its reputation for security and privacy overall; various incidents have sometimes led to such services, rightly or wrongly, being seen as insecure. In particular, noted GigaOm, it may make Box more attractive to enterprise users, as well as for a planned initial public offering.
Moreover, HIPAA support could also make it easier for healthcare providers to implement BYOD, writes Ouellette. “Clinicians would now be able to set up secure cloud folders for a patient’s medical records or collaborate on a patient’s diagnosis with the Box mobile application in a compliant manner,” he writes.
HIPAA requirements can be pretty arduous; for example, the Boise-based WhiteCloud Analytics healthcare analytics software company had to have a separate set of doors, through which one can enter only by being buzzed in, due to HIPAA requirements.
Chances are, this isn’t the first such announcement. Now that Box has come up with the idea, one can expect that other cloud storage vendors — like Dropbox, Microsoft’s Skydrive, Google’s Drive, and so on — will soon follow suit. Microsoft’s Office 365 already supports HIPAA and in fact the company has also announced improvements in its HIPAA support.
You’d think that, when planning a new data center, “Not Underwater” would be a primary criterion, but apparently that’s not true.
At least, that’s the observation GigaOm’s Barb Darrow recently made of a Digital Realty survey of managers’ data center plans. “Despite the angst that superstorm Sandy and Hurricane Irene caused data center providers and their customers in the New York metro area over the last two years, businesses still want to expand their data center capacity in that low-lying, suddenly storm-surge-prone area,” she writes.
Apparently the familiar is more comfortable than the unknown. According to the survey, two-thirds of respondents would rather see the data center in the city where they work, and target locations other than New York were Los Angeles (earthquakes and fires), Dallas (tornadoes), Chicago (blizzards), the San Francisco Bay Area (earthquakes again), and Phoenix.
“Of course, when two 100-year storms hit the same area within two years of each other, you might start evaluating new locations,” Darrow writes. “Then the question becomes what areas are not susceptible to natural disasters,” echoing what she wrote at the end of last year about Fidelity Investments setting up a data center in the far-from-water, far-from-earthquakes, yet tornado-prone Omaha, Neb.
And recall that last June, just a little ol’ thunderstorm took out Amazon Web Services.
The most important reasons given for data center expansion, Digital Realty notes, are (in order of priority) the need for increased security, energy efficiency, new applications/services, and more space. It isn’t clear whether “Not Being Under Water,” “Not Being on Fire,” or other variations on “Not Being Destroyed” were choices. (To be fair, when respondents were asked to provide multiple reasons for expanding data centers, “disaster recovery/Sarbanes-Oxley” came in second after “security.”)
The other interesting factor that cropped up was the data sovereignty issue. As you may recall, this is becoming more of a thing as an increasing number of countries, including the U.S., claim some degree of access to data stored on their shores, regardless of the data’s country of origin or the residence of the company that owns it.
“Geopolitical location of data” was extremely important to 50 percent of respondees, though it was slightly beaten out by data authenticity and security, physical security, control over the facility, and the total cost of the technology. “The two factors in data sovereignty (data authenticity/security and geopolitical/legal location) are the most important considerations for 29% of the respondents,” Digital Realty noted.
Physical security — that is, Not Being Underwater, Not Being on Fire, and Not Being Destroyed — was apparently a consideration for only 14 percent of respondees.
Got your party scheduled? The traditional foods made? Your gift list ready? Sunday is World Backup Day!
Now in its third year, the event — deliberately scheduled for the day before April Fool’s Day, to ensure your data is backed up in the case of a prank gone awry — is intended to encourage people to make sure their data is backed up, much like the days that daylight saving time starts and ends get piggybacked by Change the Batteries in Your Smoke Detector Day.
Last year, I didn’t find out til afterwards, but this year, I found out in plenty of time to celebrate it properly.
As of Thursday, almost 4500 people had pledged to observe the day, which not only includes making backups of your own data and checking your restores, but also alerting your friends and family.
Vendors such as Carbonite and Kroll also released surveys associated with backups. The Carbonite study found that 30% of small businesses believe their backup plan is insufficient, 45% said their organization had experienced data loss, and 14% were never able to restore their lost business information.
Small businesses often lack a formal disaster recovery plan because they do not have the budget, the survey showed, but there’s an average cost of about $9,000 for a small business to recover their data after a failure, Carbonite said.
Surveying its own users, Kroll Data Recovery found that of the 81% who do have backups now, 53% use an external hard drive, while 15% used tape and 15% used online or cloud backup services. And while 60% of its customers did have a backup running at the time of the data loss, it wasn’t current or was operating incorrectly, Kroll warned.
World Backup Day now also has posters and t-shirts, as well as a Tumblr. In addition, the event asks people to take pictures of themselves celebrating. “Be sure to take pictures or videos of you promoting World Backup Day!” reads the website. “Just send them to email@example.com, tweet us @WorldBackupDay, or submit them to our Tumblr!” There’s also a Facebook page, an Instagram feed, and a Pinterest page.
In addition, there’s a full press kit, which includes an infographic.
All kidding aside, it’s not a bad time to re-examine your backup strategy; a number of vendors actually do have World Backup Day Sales.
There’s even a contest.
And as a bonus, this year’s World Backup Day is also followed the next day by my favorite holiday, Cheap Chocolate Day, though you can’t always count on that happening, plus some people hold out for the traditional February 15 for that one.
AIIM, which is currently having its annual conference in New Orleans, has also released its annual report, “Information Governance — records, risks and retention in the litigation age,” where it surveyed a number of professionals in the industry about their attitudes toward issues such as E-discovery.
The report, which is freely downloadable, surveyed 512 information professionals.
Legal holds and E-discovery were the fourth most likely element to be included in an information governance policy, with almost 50% saying it was included (plus almost 20% who included it in an “all of the below” choice).
“Only 18% have a sufficiently comprehensive policy that covers all of these areas,” AIIM warns. “Taking these into account, over 80% in total have included information retention and access restrictions in their policy. While 75% include data protection of personally identifiable information, this is likely to be a legal requirement for almost any organization that keeps personnel records of employees. Only 57% are dealing with “information in motion” i.e. laptops, USB sticks, etc. Only 49% have a policy on mobile access and only 27% are covering cloud-based file shares.”
In terms of email storage, about 55% of respondents said that employees were expected to manually declare or save important email messages as records, while more than 30% said they expected there were multiple copies of messages on various systems.
That said, while the content may be electronic, E-discovery mechanisms are still manual, the survey found, with 53% of respondents saying they are still reliant on manual processes for E-discovery searches across file shares, email and physical records. However, only about 5% either automatically classified important email messages as records or used outsourcing or the cloud for email archiving.
That’s even more so for social media interactions. Almost 35% said they believed there are social interactions that could be important but that they were not currently recording them; about 22% said they didn’t do social; and about 18% said they weren’t looking at the issue. 34% reported that they have used their social business records for purposes such as staff disciplinary action, staff dismissal, or resolving a customer/citizen dispute or complaint.
For E-discovery, more than 60% of respondents said they needed to deal with pre-trial requests by attorneys (e.g., US-style), about 25% for judge-directed disclosure (e.g., UK-style), about 15% for no defined disclosure (civil law, e.g., France, Germany), about 30% for competition/anti-trust, fraud, or trading investigation, and more than 20% said “All of the above.”
“We asked if respondents feel that their organization has a consistent and effective E-discovery mechanism across all of their physical and electronic records,” AIIM writes. “Overall, only 9% have achieved this, but a further 29% are optimistic that they are getting there. Another 24% have plans, but 20% consider the task to be simply ‘too difficult.’”
However, in what may be some incentive, the survey also asked respondents about the consequences of their lack of an E-discovery system. In the last three years, 14% of organizations have suffered from embarrassing data loss, 21% have disciplined or dismissed employees for non-compliance with governance policies, 31% have had issues with their regulators, and 18% have been questioned in court about their records, AIIM finds. “As might be expected, larger organizations score nearly double in many of these areas with, for example, 28% suffering from embarrassing data loss — an arguably bigger disaster for a large organization or well-known brand than a small one — and nearly half having issues with auditors or regulators,” AIIM writes.
How do you carve an elephant?
Simple. Take a block of wood and carve away everything that doesn’t look like an elephant.
How do you make a virtualization company? Simple. Take VMware and carve away everything that doesn’t look like a virtualization company. And then you spin it off.
EMC CEO and Chairman Joe Tucci announced today that the company was forming the Pivotal Initiative, comprising Pivotal Labs and Greenplum from parent company EMC, and Cloud Foundry, Spring and Cetas from VMware. It will be headed by former VMware CEO Paul Maritz, who was named chief strategy officer at EMC in July 2012, when speculation arose as to his future role. His role as chief strategy officer at EMC will now be shared with VMware CEO Pat Gelsinger and EMC COO David Goulden.
Altogether, Pivotal, which will technically come to life on April 1, is 69 percent owned by EMC and 31 percent by VMware, with about 1,250 employees and $300 million in revenue, though Maritz predicted it could be a $1 billion business in five years.
“What the newly minted Pivotal Initiative brings to the table is Greenplum’s parallel query and data processing strengths; Gemfire’s ability to rapidly ingest events (lots and lots of events); Cloud Foundry’s application development and deployment strengths and Spring’s Java rapid application development framework,” writes Barb Darrow in GigaOm. Cloud Foundry, which is a platform as a service that currently runs on VMware, will now also run on Amazon Web Services, she added.
The companies had signaled their intention to form the spin-off in December and said more details would be available in the third quarter. With 18 days left in the quarter, apparently they figured they’d better get on the stick. Darrow said at that time that the effort, which had long been predicted, was the companies’ attempt to better compete in the cloud space.
“Last December, while others in our industry suggested that VMWare was shedding its components that weren’t performing to help its bottom line and to keep the company focused on its highly successful virtualization business, we said that that was nonsense — that there was something much bigger at play (especially because EMC’s precious assets Greenplum and Pivotal Labs were involved), that EMC would be spinning off a new company and that its business would be Big Data Apps,” agreed Virginia Backaitis in CMSwire.
Bloomberg also talked about the stock aspects of the move, noting that VMware’s stock has been falling and that Pivotal might eventually have an IPO.
The upshot is that VMware will also be able to focus more on its virtualization business. It said it expects to boost its annual revenue growth as high as 20 percent in coming years, according to Reuters.
It’s not the first time that we’ve learned that our data on a cloud storage system isn’t necessarily private, but it’s a useful reminder.
William Steven Albaugh, 67, was arrested after police found “numerous files of child pornography” on his Verizon online storage locker and several thumb drives, the Baltimore Sun reported. “Detectives began investigating Albaugh after Verizon Online notified the National Center for Missing and Exploited Children that Albaugh, a subscriber, had stored images of children engaged in sexual acts on the online cloud storage system, police said.”
We already learned, in 2011, that cloud storage systems such as Dropbox would turn over files if requested by law enforcement. We also learned that some systems such as Dropbox, when a file is uploaded, check to see if it’s already online, and, if so, just save a pointer to the original copy. While this saves space, it also means that, in theory, law enforcement could upload any number of files it’s illegal to own — such as copies of movies — and if the stored file length is less than the original file, it means someone has it on the system already.
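The existence check described above can be modelled in a few lines. This is an added example, not code from any of the services named: the `DedupStore` class, its `scope` setting and the account names are hypothetical, and the sample files are constructed. It shows cross-account deduplication revealing whether a file is already stored, and per-account deduplication removing that signal at the cost of extra storage.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class DedupStore:
    """Toy model of a storage service that deduplicates uploads by content hash.

    scope="global":   one blob index shared by every account, so a file any
                      account has uploaded is never transferred again.
    scope="per_user": each account has its own index, so an upload is skipped
                      only if that same account already stored the file.
    """
    scope: str = "global"
    blobs: dict = field(default_factory=dict)     # index key -> file bytes
    pointers: dict = field(default_factory=dict)  # (user, filename) -> index key

    def _key(self, user: str, digest: str) -> str:
        return digest if self.scope == "global" else f"{user}:{digest}"

    def upload(self, user: str, filename: str, data: bytes) -> int:
        """Store a file and return how many bytes the client had to send."""
        digest = hashlib.sha256(data).hexdigest()
        key = self._key(user, digest)
        if key in self.blobs:
            sent = 0                 # already indexed: only a pointer is saved
        else:
            self.blobs[key] = data
            sent = len(data)
        self.pointers[(user, filename)] = key
        return sent

    def download(self, user: str, filename: str) -> bytes:
        return self.blobs[self.pointers[(user, filename)]]

    def stored_bytes(self) -> int:
        """Total bytes the service keeps on disk (the cost side of the trade)."""
        return sum(len(b) for b in self.blobs.values())


def upload_was_short_circuited(store: DedupStore, user: str, data: bytes) -> bool:
    """True if the service skipped the transfer because it already had the bytes."""
    return store.upload(user, "probe.bin", data) < len(data)


def demo() -> dict:
    # Constructed sample data standing in for one user's file and an unseen file.
    known = b"constructed sample document " * 64
    unseen = b"bytes nobody has uploaded " * 64
    results = {}
    for scope in ("global", "per_user"):
        store = DedupStore(scope=scope)
        store.upload("alice", "thesis.dat", known)
        results[scope] = (
            upload_was_short_circuited(store, "observer", known),
            upload_was_short_circuited(store, "observer", unseen),
        )
    return results


if __name__ == "__main__":
    # global:   (True, False)  -> transfer size reveals that someone holds the file
    # per_user: (False, False) -> a second account learns nothing from its upload
    print(demo())
```
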
In the process of that, we learned, if we didn’t know already, that in 2010 New York Attorney General Andrew Cuomo made an agreement with several online services such as Facebook and LiveJournal to check uploaded images for child pornography. “Through its investigations, the Attorney General’s Office has created a database of more than 8,000 hash values that are associated with images of child pornography,” the Attorney General’s office wrote at the time. “The database can be used to identify the corresponding child pornography images through the fingerprints and stop that picture from ending up on a site.” The office also said it would continue working with other online services to encourage them to do the same thing.
Apparently, at least one of them was the Verizon Online Backup and Sharing cloud storage service.
Media outlets have pointed out that this was all clearly spelled out in the terms of service. “Like many types of online storage or media services, Verizon’s Online Backup and Sharing states in its terms of service that the company is ‘required by law to report any facts or circumstances reported to us or that we discover from which it appears there may be a violation of the child pornography laws,’” writes the International Business Times.
Because, of course, we all read every word of our terms of service.
If this sounds familiar, it may be because, as of last July, four out of the five cases concerning whether people have to provide the key to their encrypted storage also have had to do with child pornography, according to the Electronic Frontier Foundation’s attorney Marcia Hoffman.
Look, there isn’t any question that child pornography is bad. But there’s a saying, “Hard cases make bad law” — that is, an unpleasant case can lead to a harsher general law that can end up being more widely applied. (We don’t know whether law enforcement is more likely to push the envelope of legal search because they so badly want to catch child pornographers, or because they think people will be less likely to criticize their methods because the crime is so heinous.)
If it’s determined through these cases that checking people’s files as they are uploaded to a cloud storage service is an acceptable practice, it has the potential to apply to all files and all people, not just ones we don’t like.
In the meantime, it sounds like we’d better be sure to read our terms of service carefully.
The storage industry is exciting. No, really. People are throwing millions of dollars at storage startups, which apparently seem more secure to them than things like Facebook.
“In Silicon Valley, data centers are heating up with startups like Pure Storage and Nimble Storage pulling in massive funding rounds and Michael Dell announcing a storage-focused investment fund,” writes Christina Farr at VentureBeat.
- Nexenta, a software-based storage company, received $24 million this week in its fourth round of financing from new investors Four Rivers Group, Presidio Ventures, and UMC Capital with participation by existing Nexenta investors Menlo Ventures, TransLink Capital, Javelin Ventures, Sierra Ventures, Razor’s Edge Ventures, and West Summit Capital. Its previous round, in January 2012, raised $21 million. In the process, the company also got a new CEO and CMO. It has experienced triple-digit growth for three consecutive years and reportedly has more than 5,000 users.
- Skyera, a flash startup, closed $51.6 million in second round financing led by Dell Ventures a week ago. It was founded in August, 2012.
- Pure Storage, another flash vendor, got $40 million in its fourth round of funding in August, 2012. The latest funding round was led by Mike Volpi at Index Ventures, with participation from Greylock, Redpoint, Sutter Hill, angels from VMware and DataDomain, and others, according to VentureBeat.
- Nimble Storage, a startup that provides data storage, backup, and disaster recovery, closed a $40.7 million second round of funding in September, 2012. First round investors Accel Partners, Sequoia Capital, Lightspeed, and Artis Capital participated, alongside newcomer GGV Capital. It was founded in July, 2010.
Dell’s $60 million fund, run by its investing arm Dell Ventures, was founded in July, 2012 to seed $3-$5 million in five to 10 promising startups, with Dell maintaining an equity position. This was not new to Dell; it was an early investor in VMware and flash memory startup Fusion-io (whose chief scientist is Apple co-founder Steve Wozniak). (Skyera is also setting itself up as a competitor to Fusion-io.) This is on top of Dell itself acquiring more than two dozen storage companies.
“What’s happening in Flash memory is kind of an interesting place to start because if you think about the relationship between servers and storage and how sort of performance occurs and apps are distributed, not what we’re able to do is put large amounts of memory — we’ve actually designed this ourselves into our 12th-generation servers that we’re shipping now,” Dell told Fortune in announcing the fund. “Put several terabytes of memory directly in the server. We acquired a little company that gives us cache coherency across a large number of servers. And so you start to rethink what is a server, what’s storage, what’s the network when you have virtualization and now you have 50 virtual machines, 100 virtual machines, 500 virtual machines in one. So, the storage world is really getting shaken up a tremendous amount.”
A funny thing happened on the way to Backblaze’s automated backup product — it sort of turned into a storage design company.
The company has been known for some time for its storage designs, which, instead of making real real big storage, use a whole whole lot of commodity storage devices hooked together into “pods,” with as much of the extraneous stuff stripped off as possible. This reduces costs and is more scalable than large storage systems that require forklift upgrades to be expandable.
Backblaze has been getting so well known for its storage system that other companies, such as Netflix, have taken to using it as well, and several vendors have started selling storage systems based on the Backblaze designs.
The system has its flaws — such as, if the company has trouble finding commodity disk drives — but in general it works pretty well. (Facebook has also taken to designing its own disk drives, as well as servers, for a similar reason: economies of scale make it more efficient to design its own hardware.)
The system works so well that the fact that Backblaze has designed a new generation of the storage pods it uses has itself made the news, because so many organizations – Vanderbilt University, Crispin Porter + Bogusky, Rensselaer Polytechnic Institute, NASA’s Jet Propulsion Laboratory, and Shutterfly, along with Netflix — have been using the Backblaze designs.
“In the world of high-volume storage, we’ve come to a place similar to the PC market decades ago when it was cheaper to just buy the parts and build your own than it was to buy a pre-assembled computer,” writes GigaOm’s Derrick Harris.
Version 3.0 of the storage pods now has a capacity of up to 180 TB — up from 135 TB, because they’re based on 4 TB, rather than 3 TB, commodity drives. In addition, a number of the other components have also been replaced. The result is a drive that is more reliable, easier to manage — and cheaper than the 135 TB second-generation systems it replaced.
Backblaze also releases the specs of the system — including a parts list, prices and all, right down to the screws, as well as very detailed instructions — to enable other companies to use its designs as well. That is, if they can. “To obtain these prices we do purchase them in quantity,” Backblaze warns.
Disclosure: I am a Backblaze customer.