Agility symbol green

Where in the world? Location and the sanctity of data

The location of your data is more important than ever: there are some vital questions to ask your provider.

Last year, I wrote a blog on the importance of data residency in the cloud. Over the last couple of years most, if not all, cloud providers have only been declaring where their data centres are based on a particular continent, with the three main locations being Europe, AsiaPac or North America.

I said then it was very important where data was held and, as we move into 2013 and beyond, this was going to become a critical part of any service selection process. I focused on the laws and regulations that cover this area, which are numerous and complex, but noted the total lack of harmonisation and that certain jurisdictions have laws stating data has to reside within it and access being limited to only users that are resident within that jurisdiction.

I also discussed that certain laws gave governments the right of access to data without the need to follow any real due-process, let alone get a court order. I want go into that in more detail now.

In the last few weeks you couldn’t help but note the numerous articles discussing the recently renewed US Foreign Intelligence Surveillance Act Amendment Act (FISAAA) until 2017. This, basically, allows the US authorities to spy on cloud data.

What in practice does this mean? For most of us, probably not a lot. However, I do think it’s something that should be carefully monitored as ultimately they can get copies of your data as the fibre-optic cables that carries data are split with any material of possible “interest” being instantly picked up by the US National Security Agency. The question that needs to be asked is what exactly is classed as “interesting”?

This capability has been in place since 2008, with the recent update now taking into account cloud-based services. For many people this is in breach of European Law and there is due to be a hearing on the European Parliament’s findings next month, which could spark a very interesting discussion between the US and the EU authorities.

So, what are the main considerations when selecting a cloud provider? I’ve listed again my starting point list, which I outlined before but I have tweaked it slightly. It covers some of the most important areas that all companies and individuals should consider verifying before undertaking any form of outsourcing of their services.

This whole area is now starting to become the big issue I thought it would, and should, become. As a technologist this is a fascinating area; the technology and techniques being deployed to collect data on as many people and businesses as possible is stunning but as a person who, quite rightly, believes in the right to privacy, this whole area is very worrying.

Watch out for a third blog on this area later in the year as this discussion topic continues to change and evolve.

By Julian Box, Posted 5th March 2013.