Cloud computing is touted as the answer — to pretty much anything and everything. For example, if you need elastic resource provision, use the cloud. If you don’t want the cost of a facility and hardware plus maintenance, use the cloud. If you want greater flexibility in onboarding new employees and getting rid of old ones, use the cloud.
All told, much of this is true. But the cloud is not a silver bullet, and one big issue is the location of the data center in which the main part of the cloud resides.
“What?” I almost hear you cry. “Surely, the cloud makes location immaterial. With modern approaches, latency can be minimized and performance optimized. Location is not the issue it once was.”
Again, true –- to a certain extent. The problem is no longer the technology behind it all, but the politics and cultures. In earlier posts (Politics and Networks May Not Mix and Avoiding a High-Speed Data Breach) Bob Tarzey and I touched on some of the issues here.
The biggest issue for the burgeoning global cloud computing market is not lack of standards, or problems with overall performance, or with the multitudinous different platforms that can be chosen. It is down to how much trust you can place in the company, and the country, in which the data center facility — and therefore the data — resides.
There are certain areas of the world the majority of Western organizations would steer clear of — it may not be a good idea to store mission-critical information in North Korea, for example, and places such as Russia (where encryption is illegal) and China should be worrying enough to make these a non-choice.
However, the USA PATRIOT Act and the Foreign Intelligence Surveillance Amendments Act (FISAA) in the US send shivers down the spine of those who could be impacted by them — essentially any organization operating in the US, any organization using facilities operating in the US, and any organization using facilities operated by a US-headquartered organization.
Such worries about a “friendly” nation are beginning to have an impact on how things are done — look at the number of facilities around the world which may have what looks like a US company’s name on them, yet are set up as completely separate, local organizations to be able to bypass the Patriot Act and FISAA reach.
Other companies, such as Calligo, operating out of the British Crown Dependency of Jersey in the Channel Islands, take yet a different view. Jersey is in the European Union (EU), but has its own law-making capabilities which are often more pragmatic and business-friendly than is the case in larger countries, while still offering strong data security and audit capabilities.
Therefore, through operating facilities through such island nations, a more targeted approach to data security can be offered. The “big country, big brother” data laws can be bypassed to an extent, although in Jersey’s case, any EU data law would still apply. At the moment, the EU seems to be erring towards requiring anything that is similar to the Patriot or FISAA acts to have a warrant provided by a court, which makes “fishing expeditions”, where investigations are carried out based on dodgy intelligence, a little harder to initiate.
In the end, your data’s security is only as good as the trust you know you can place in the facility, its owners, and the country it is in. Make sure that you ensure that your organization will not find itself suddenly captured in a data-trawling net that could bring the business down.