Add To (and Subtract From) Your Data Security Paranoia

The USA PATRIOT Act.  The Federal Information Security Management Act (FISMA).  The NSA/GCHQ data snooping issues.  The issuance of a disclosure warrant under the Electronic Communications Privacy Act (ECPA) by a US judge to Microsoft to disclose information held in emails in an Irish datacenter.

These and other issues have focused thoughts yet again as to whether the use of co-location or cloud services can meet perceived data security needs.  Many organizations are now looking for service providers who can prove that their facilities are outside the general reach of the jurisdiction of such laws.

To be clear here, it is very difficult to ensure that this will be the case.  Just because a data center is built under the ownership of a company registered in the UK does not preclude a friendly call from the NSA via GCHQ to the UK government leading to a UK warrant being issued for information disclosure.  Sure, co-lo and cloud service providers such as Calligo get around this by building their data centers in off-shore environments such as Jersey and the Bahamas, but there are other issues that also need to be taken into account.

With data being a global issue, you need to consider not only where you know your data is being stored (the physical and logical arrays that it resides on), but also what technologies are being applied to it to make it both globally available and responsive.

For example, are you or your cloud or network provider using a content delivery network?  If so, your data is being stored in multiple different environments that are, in the majority of cases, outside your control.  How about if you or your providers are using network acceleration — is caching being used?  If so, again, copies of data are being held for periods of time on kit that may not belong to you, and could well be subject to any disclosure warrants being issued by the country under whose jurisdiction the equipment lies.

If you choose the right partners and discuss things properly, you may be able to ensure that your data will only ever be on defined physical or logical arrays with no staging being used anywhere — as long as you can cope with the inevitable hit on performance that could result. Or, you could ensure that data encryption is used for data streams on the move and data at rest anywhere so as to make the access to the actual information harder for any agency wanting to access it.

However, the real question has to be around what it is that you are trying to protect.  Sure, within all that data lies the information that makes up your corporate intellectual property (IP).  Within that IP lies all the value of the business — so it is critical to you.

The biggest risk in data attacks, in the majority of cases, is not that the US, the UK or some other nation state gains access to that data through the issuance of a warrant or even through more nefarious means of state-sanctioned (and enforced) back doors.  Outside of the accidental leakage of data by employees, it is more likely to be down to industrial espionage — your competitors are trying their best to find out what you are doing and how, and what you plan to do in the future.  In some cases this is just being carried out through fairly standard means of identifying a weak link within your organization who can feed the information to an external party.  In others, it is being done on a highly commercial basis, with blackhat hackers being used to try and break into your systems without your knowledge.  These blackhats don’t care for any data sovereignty or suzerainty; all they are aiming for is to get at the data itself.

Again, here, data encryption, when also combined with data leak prevention (DLP) and digital rights management (DRM), can help in fighting off these attacks.

But, in many cases, it is more than probable that your perception of your data’s worth is far in excess of the reality.  If you manufacture widgets, the likelihood that there is a team of hyper-paid blackhats attacking your databases and file stores is pretty minimal — there just isn’t enough value in it for them.

For large or specialized organizations in defense, oil and gas, pharmaceutical, aerospace, automotive, financial services, legal and others, yes — your data has distinct value to your competitors (and in some cases, such as defense and oil and gas, to nation states). For the rest of us, any attack is more than likely to be either some kid just trying it on, a low-level attack to hold an organization to ransom, or an attempt to gain access to personally identifiable information and credit card details for personal gain (or sale on the open market).

These issues are well-known and in most cases legislated for — for example, through PCI-DSS and data protection laws.

When it comes to the reality, much of what we are worried about around data security is stuff that we shouldn’t worry about — the chance that the NSA has any interest in the IP of your organization is infinitesimally small in the greater scheme of things. Why would US security spooks be interested in the fact that your staff were offered fish in the canteen last Friday and that you sold 12% fewer widgets last quarter than you did in the matching quarter a year ago?  Much of this information is likely to be in the public domain anyway if you are a publicly-quoted company.

Far better to focus on the security issues that you should worry about (those where a breach could lead to brand and revenue damage) than on the things which are very unlikely ever to happen.