Where Is My Data? (Part 1)
Cloud remains a hot subject and, whether you love or loathe it, you will have heard of it and have likely had it pushed your way.
Inevitably, when considering cloud, security questions arise – and certainly in the light of the recent well-publicised Prism debacle where the USA has been heavily cited for spying on data, much of it from outside the USA stretching into Europe and the UK. This has put emphasis on and raised awareness for UK businesses asking questions about and of cloud suppliers – and rightly so.
A cloud provider should welcome such questions and be open to answering them in a straightforward and open manner – one could even say openly promoting its wares and answers, expecting customers to “want to know”. However this is not the norm today. Many providers are hiding away the fact that they only host in the USA unless customers ask; some are positioning that they have a UK presence “so that’s all okay”; and worse still some customers are not realising some of the implications of the answers they do possibly get, putting themselves in a precarious position.
Questions that should be at the forefront include: where are my data centres? What happens to my data? How can I ensure the decision I am making does not expose us to risk? Blatantly ignoring cloud in today’s competitive environment is not a viable option and nor should it be. Cloud is disruptive and is changing the way we do many things, but its form factor inherently delivers us more choice and flexibility to service an ever-more-demanding user base pushing for mobile device access, easier interfaces and rapid change.
There are a multitude of security areas that encroach on cloud solutions, varying based on whether you adopt a public, private or hybrid cloud approach and whether you use SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service).
Let’s focus on the most common platform in use: public cloud, SaaS, expected to be worth 11 billion euros in the next year according to Gartner (compared to expectations of 4.7bn euros for IaaS and 923 million euros for PaaS).
Security in the cloud should be approached and treated in a similar way as security in a physical shared environment, evaluating risks, the technology, the vendor and reputation – although there are new areas to consider with cloud that typically have not come up when deploying product-based solutions. If a company utilises cloud computing, its data will not be located within servers in its own office; it is therefore vital to know where that data is being held and who has access as well as what jurisdiction it is covered by.
When using a cloud provider you are likely to no longer be in exclusive control of your data and will not be deploying the technical, organisational and people measures to ensure the availability, integrity and confidentiality of the data stored. Data security and privacy are consistently reported as the top concerns and hindrances to cloud adoption, as reported again in the most recent end user study from the Cloud Industry Forum.
Trust in cloud is growing however; in fact, according to an Attenda survey amongst 100 CIOs and IT directors, 87 per cent of respondents stated that they have more trust in the cloud today compared with a couple of years ago. Whilst trust is growing, concerns remain over data security, privacy and location.
There is much debate over the data issue, with varying opinions legally, commercially and emotively. At the recent Cloud Computing World Forum a European Commission Director stated that “it shouldn’t really matter where Europe’s data is stored, as long as it’s secure and protected”. However the Attenda survey found that 52 per cent of Financial Services respondents still ranked the location of data as a top-three barrier to moving business critical applications to a cloud environment, and it was even more important for the other commercial sectors where 76 per cent of respondents ranked it as a top-three concern. So the location of data remains one of the key hurdles in cloud adoption, particularly in regulated industries such as the finance sector, and this is also extending across other commercial sectors such as retail, manufacturing, transport and distribution.
Cloud providers have a responsibility to their users to provide clarity over data sovereignty. The question usually asked by customers is simply “where are your data centres?”, but it needs to be closely followed by “where will my data be stored?”, “where will the backup and failover data be held?” and “are you a US-owned company?”
Simply assuming data will be stored in the local instance of the data centre you have been told about may not be wise. This is best illustrated by the 2013 Salesforce announcement of plans for their first UK datacentre in 2014, followed by Steve Garnett, Salesforce’s EMEA chairman, stating in a public interview that “UK customers will not necessarily end up in the UK data centre”, that the company would not be offering a service to relocate UK customers that are currently hosted in North America, and that UK customers who do go on the UK centre would be backed up to the North American data centre.
Understanding local and EU data legislation and any appropriate vertical legislation affecting your sector is key to making educated choices of what cloud platforms and vendors to consider and utilise.
Example considerations are the European Union’s Data Protection Directive of 1995 and the UK-enacted Data Protection Act (DPA) of 1998. The EU directive requires all EU Member States to protect people’s fundamental rights and freedoms and, in particular, their right to privacy with respect to the processing of personal data, which includes the storing of data. It also, importantly, directed that personal data should not be transferred to a country or territory outside the European Economic Area, except to countries which are deemed to provide an adequate level of protection.
So there are a number of strict controls in place to ensure the protection of data. However, business and IT managers need to ask vital questions about how and where data is stored in order to continue to comply with the European regulations and local data laws when utilising a cloud environment.
This article originally appeared in Outsource magazine Issue #35 Spring 2014.