How secure is Windows Live SkyDrive?
One of the most notable features of Office 2010 is that you can save directly to the Web, without any fuss. In most of the applications this option is accessed via the File menu and the Save & Send submenu. Incidentally, this submenu used to be called Share, but someone decided that was confusing and that Save & Send is less confusing. I think they are both confusing; I would put the Save options under the Save submenu but there it is; it is not too hard to find.
Microsoft does not like to be too consistent; so OneNote 2010 has separate Share and Send menus. The Share menu has a Share On Web option.
What Save to Web actually does is to put your document on Windows Live SkyDrive. I am a fan of SkyDrive; it is capacious (25GB), performs OK, reliable in my experience, and free.
The way the sharing works is based on Microsoft Live IDs and Live Messenger. You can only set permissions for a folder, not for an individual document, and you have options ranging from private to public. Usually the most useful way to set permissions is not through the slider but by adding specific people. Provided they have a Live ID matching the email address they give, they will then get access.
You can also specify whether the access is view only, or “add, edit details, and delete files” – a bit all-or-nothing, but still useful.
SkyDrive hooks in with Office Web Apps so you can create and edit documents directly in the browser – provided it is a supported browser and that the Web App doesn’t detect you are on a mobile device, in which case it is view-only. The view-only thing is a shame when it comes to a large screen device like an iPad, though the full version nearly works.
Overall it’s a major change for Office, even though similar functionality has been around for a while from the likes of Zoho and Google Docs. This is Office, after all, the most popular Office suite; and plenty of users will be trying out these features because they are there, and thinking that they could be pretty useful.
There is one awkward question though. Is Windows Live SkyDrive secure? It turns out that this is not an easy question to answer. Of course it cannot be 100% secure; but even assessing its security is not easy. If you try to find out you are likely to end up here – the Microsoft Service Agreement. Which says, in bold type so you don’t miss it:
13. WE MAKE NO WARRANTY.
We provide the service ‘as-is,’ ‘with all faults’ and ‘as available.’ We do not guarantee the accuracy or timeliness of information available from the service. We and our affiliates, resellers, distributors and vendors (collectively, the ‘ Microsoft parties’) give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws that this contract cannot change. We exclude any implied warranties including those of merchantability, fitness for a particular purpose, workmanlike effort and non-infringement.
14. LIABILITY LIMITATION.
You can recover from the Microsoft parties only direct damages up to an amount equal to your service fee for one month. You cannot recover any other damages, including consequential, lost profits, special, indirect, incidental or punitive damages.
I guess Clause 13 could be called the unlucky clause. If you are unlucky, don’t come crying to Microsoft.
There are two big questions here. One is how secure your documents are against unauthorised access. The other is how reliable the service is. Might you log on one day and find you cannot get access, or that all your documents have disappeared?
Three observations. First, despite clause 13, Microsoft has a lot to lose if its service fails. It has to succeed in cloud computing to have a profitable future, and a major data-losing catastrophe is costly, in that it drives customers away. The Danger episode was bad enough; though even then Microsoft eventually recovered the data it said initially had been lost.
Second, it may well be that the biggest security risk is from careless users, not from Microsoft. If your password (or that of a friend to whom you have given read or write access) is a favourite football team it won’t be surprising if somebody guesses.
Third, I have no idea how to quantify the risk of Microsoft losing data or denying access to my documents. That suggests it would be foolish to keep data there without backing it up elsewhere from time to time. The same applies to other cloud services. I guess if you pay for a service, and know how it is backed up to a different location, and have tested the effectiveness of that backup, and know that there are archives as well as backups – in other words, you can go back in time – I guess that then you might reasonably feel more confident. Otherwise, well, see clause 13 above.





An astute reflection, Tim. If you have no control, and no lever to achieve influence, then you are looking at more or less unbounded risk. That’s why private clouds seem like a better idea – use free software (e.g. Eucalyptus – see http://lwn.net/Articles/330872/ for a reasonable starting point) where you have both the benefit of the cloud as well as control. With the fringe benefit of being beholden to no one. Why would anyone buy Azure (the Windows Mobile of cloud technologies) when the real deal is here now, and it’s free forever? I guess some people get a buzz from creating pain, risk, and expense for themselves.
Hi Tim, a keen observation indeed. 🙂 While interpretations and reactions to the Microsoft Service Agreement are widely varied (such as http://marypcb.livejournal.com/410422.html on the other hand), my personal understanding is that this is considered common practice among free services today. For example, it’s quite similar to Google’s terms of services (http://google.com/accounts/TOS; sections 14 and 15):
14.1 NOTHING IN THESE TERMS, INCLUDING SECTIONS 14 AND 15, SHALL EXCLUDE OR LIMIT GOOGLE’S WARRANTY OR LIABILITY FOR LOSSES WHICH MAY NOT BE LAWFULLY EXCLUDED OR LIMITED BY APPLICABLE LAW. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR CONDITIONS OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR LOSS OR DAMAGE CAUSED BY NEGLIGENCE, BREACH OF CONTRACT OR BREACH OF IMPLIED TERMS, OR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, ONLY THE LIMITATIONS WHICH ARE LAWFUL IN YOUR JURISDICTION WILL APPLY TO YOU AND OUR LIABILITY WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW.
Regardless of legalese (and really not trying to use the “lesser evil” angle), as you said, Microsoft will try our best to provide highly reliable and secure services for customers, and through time we will continue to build trust with the world. For example, to my understanding, Hotmail supports 450M+ active users securely today and the most recent episode of security breaches that also impacted Gmail and Yahoo Mail was due to phishing; not inherent vulnerabilities in these services. And if you’re willing to believe me, the Danger episode was due to the assets as they were implemented before we acquired them; at the time Microsoft hasn’t yet migrated those assets (which weren’t built using Microsoft technologies) to our cloud environments and implemented our management processes. But Microsoft took full responsibilities for the incident.
Yes it is not ideal. As a vendor when providing free services to customers, we need to make sure we can continue to do so without being over-abused by the few individuals who would take those opportunities. These clauses are really intended for that purpose; it is in Microsoft’s best interest to act responsibly and provide value to customers.
Lastly, these comments are my opinion and don’t reflect the opinion of my employer.
Best regards, -David Chou (Microsoft)
@Dave Lane: interestingly, Microsoft’s overall direction isn’t too different from what you said. 🙂 We do recommend customers to leverage private clouds when that makes sense, and have the tools and products to help them do so. We see the world as a full spectrum of choices and trade-offs; control and risk included. But it is not a one-size-fits-all story. There are customers who will find public cloud offerings compelling, as do those with private clouds, and then hybrid scenarios as well. Microsoft intends to provide solutions to support the full range of scenarios spanning that spectrum.
If I may – my interpretation of your comment is more related to free software vs. commercial (or Microsoft) products in general. And to that aspect, there is always a flip side to the story. I think it’s very debatable that free software really is free from a total-cost-of-ownership perspective. There are always trade-offs depending on the scenario, and have already been discussed endlessly on the web.
Another point of ongoing debate in the cloud computing space is a private cloud really cloud computing? How can one have cloud-like elasticity in compute capacity when the hardware infrastructure is still finite and procured through capital investments? Ultimately, cloud computing isn’t just virtualization and hosting in other people’s data centers. In my opinion that is more related to the utility computing aspect of cloud computing. To truly benefit from cloud computing, I think, we can writing applications using a horizontally scalable architecture (apps that don’t have to care how much physical infrastructure is in place) and building on cloud platforms like Windows Azure, then trying to lift-and-shift traditional vertically scaled applications into someone else’s data centers.
I respect your opinion that Azure isn’t relevant and that some people may choose to use it for the reasons you identified. Though adoption on Microsoft cloud services has been quite substantial, such as the 40M+ seats on BPOS and 10K+ apps in Azure, and we will share more updated numbers (which are indeed higher) very soon.
Best regards, -David Chou (Microsoft)
Let me see if I have this correct:
1. No real guarantees from Microsoft. Still there is the reputation issues that would probably drive them to do the right thing, at least if many were impacted with data lost or from illegal access.
2. Probably similar issues from many other cloud storage providers.
3. No real guarantees from other options either. Even portable HDs (I have two recently purchased ones from major vendors that have failed).
Outstanding question from me: How likely is it that many of the other cloud storage companies are going to be around in 5 – 10 years? And what happens to my data when they either disappear or get consumed by larger companies? At least MS and Google will be around for a while.