Do you know where your data is?
September 30, 2011In the beginning, when cloud computing was all about public cloud services, many finance chiefs held back because of their concerns about the safety and security of their valuable and sensitive corporate data. But things change – well, some things…
Putting it in the hands of a third party – outside the firewall, on multi-tenant boxes – emerged as a security risk too far in survey after survey, despite widespread awareness of the cloud’s potential to deliver business benefits, cost savings and strategic opportunities.
The cloud has evolved. Public clouds have been joined by private clouds, and hybrid clouds, and other variations on the theme, and use of them is increasing.
However, finance chiefs remain cautious. When a recent Deloitte survey found half of CFOs using cloud computing or planning to within two years, a whopping 89 percent were, perhaps understandably, still citing data security as their main reason for holding back. Meanwhile, uncertainty about the location of data concerned just 44 percent, and legal issues 40 percent – and this may need to change.
"This is a complicated area," says Alistair Maughan, a partner at the international law firm Morrison Foerster.
The explosion in cloud computing has increased use of third party service providers, and some of them in turn use other third party providers to host and backup data, so its physical location can be hard to pin down (a problem), as can the legislation that applies to it and the jurisdictions in which this can apply (another problem).
"Generally speaking, the law that’s applicable is the law of the country where the data controller is located," says Maughan; but there are some exceptions (yet another problem).
"There was controversy earlier this year when India issued rules that seemed to suggest that Indian law would apply to data processed by Indian providers on behalf of Western customers," he says.
Many cloud service providers and legal experts worried that this would result in additional (and more restrictive) rules, on top of the national laws that already apply to personal data that is transferred offshore from the UK, EU or US.
Ignorance is no defence
"The Indian government has since clarified that this is not its intent," Maughan says, but adds that China and the Philippines are among other countries that are currently developing their own data privacy laws, so CFOs will need to monitor developments.
The UK Data Protection Act 1988 (based on the EU Data Protection Directive 1995) has been around in one shape or another for quite some time, so awareness is high among affected organisations. But the Act’s stipulation that personal data should not be transferred to a country or territory outside the European Economic Area – unless that country provides an adequate level of protection – isn’t always factored in to the decision-making process where cloud-based services are concerned.
Sometimes this happens because the money comes from departmental budgets, and is spent by people who are not aware of the implications of their actions; sometimes the ignorance is higher up the food chain.
"A minority of organisations are getting very smart about incorporating information security and sovereignty into their contracts with cloud-based providers," reports Rob Rachwald, director of security strategy with Imperva (a data and application audit and security specialist), and may even go as far as auditing their cloud-based service provider.
"It will get better, because it’s an evolutionary thing," he says, but at the moment, most organisations are less evolved. "When you go into the cloud, it’s often because it’s cheaper, and you think you can forget about hardware and software," he explains, "so a lot of organisations don’t think about issues such as data security or sovereignty until there’s a problem."
Cloud computing allows you to abdicate responsibility for a lot of the processes that would otherwise need to accompany their use of computing resources, but this doesn’t include compliance with data protection law; so users of cloud services must know the physical location of the servers on which their data is processed and stored.
"It’s as simple as asking the question," Rachwald says.
Although he warns that ensuring your service provider is contractually obliged not to transfer the data to any other countries without prior consultation and agreement can be more of a challenge. Many cloud service providers have one-size-fits all contracts and service level agreements that they are not willing to vary.
Some cloud service providers do try to make it easier for their customers to comply with data protection legislation.
"When we expand from the United States into Europe, we will have a data centre within the EU," says Eric Webster, VP of sales with cloud business continuity and disaster recovery specialist Doyenz.
"We have a worldwide agreement with Internap and will be using their co-location data centre in London," he says, so the data of European customers of Doyenz will never leave the EU. The behemoth that is Amazon Web Services also has regional data centres across the world, that service only certain geographies: the EU Region, for example, uses servers that are physically located in Ireland.
The reach of governments
However, there are scenarios where the location of your data seems to impact less on its privacy and security than the nationality of the organisation that is storing or processing it.
"The issue of whether a government or public authority can gain access to data that is located outside their national jurisdiction is a hot issue right now," says Maughan, because of the international reach of the US Patriot Act.
"The US government can request information that is under the jurisdiction or control of a US company," he explains, regardless of the physical location of the data or the nationality of its owners and it can do this in a way that seems to undermine the US-EU Safe Harbour Framework.
Safe Harbour was introduced as a companion to the EU Data Protection Directive (and national implementations such as the UK Data Protection Act) in 2000. Since then, it has allowed for the sharing of data between the EU and US, but only when certain conditions are met – such as the provision of reasonable data security – and this is accompanied by clearly defined and effective enforcement (because the EU has higher data privacy standards than the US).
But earlier this year, when Microsoft launched its cloud-based Office 365 service in the UK, it explained (in its Online Services Trust Centre) just how long the arm of US law is because the Patriot Act can be used to force US-owned companies to reveal EU citizens’ data, secretly.
This revelation has troubled some Euro ministers including Sophie in’t Veld, Dutch MEP and vice-chair of the European Parliament’s Civil Liberties, Justice and Home Affairs committee, who is pushing for clarification.
"The European Commission should make it clear that European businesses and citizens operate under European privacy laws, and that EU institutions can enforce their own laws," she asserts in a blog on her party website. She suggests that EU subsidiaries of US parent companies are breaking European law by meeting Patriot Act requests, and that while these subsidiaries are operating in Europe, EU law must take precedent.
Maugham doesn’t see the balance of power tilting quite so heavily in the direction of the US.
"The UK government as well as most EU member state governments can also go to court and get a subpoena to access data from any organisation over which they have jurisdiction," the lawyer points out.
"So while the focus is on the US Patriot Act, most EU member state governments have very similar powers."
But if you are a cautious CFO considering a move into the cloud, you may still feel more comfortable selecting from among the offerings of UK or EU-owned service providers that will be storing your data solely within the UK or EU.