Last year, I wrote a blog on the importance of data residency in the cloud. Over the last couple of years most, if not all, cloud providers have only been declaring where their data centres are based on a particular continent, with the three main locations being Europe, AsiaPac or North America.
I said then it was very important where data was held and, as we move into 2013 and beyond, this was going to become a critical part of any service selection process. I focused on the laws and regulations that cover this area, which are numerous and complex, but noted the total lack of harmonisation and that certain jurisdictions have laws stating data has to reside within it and access being limited to only users that are resident within that jurisdiction.
I also discussed that certain laws gave governments the right of access to data without the need to follow any real due-process, let alone get a court order. I want go into that in more detail now.
In the last few weeks you couldn’t help but note the numerous articles discussing the recently renewed US Foreign Intelligence Surveillance Act Amendment Act (FISAAA) until 2017. This, basically, allows the US authorities to spy on cloud data.
What in practice does this mean? For most of us, probably not a lot. However, I do think it’s something that should be carefully monitored as ultimately they can get copies of your data as the fibre-optic cables that carries data are split with any material of possible “interest” being instantly picked up by the US National Security Agency. The question that needs to be asked is what exactly is classed as “interesting”?
This capability has been in place since 2008, with the recent update now taking into account cloud-based services. For many people this is in breach of European Law and there is due to be a hearing on the European Parliament’s findings next month, which could spark a very interesting discussion between the US and the EU authorities.
So, what are the main considerations when selecting a cloud provider? I’ve listed again my starting point list, which I outlined before but I have tweaked it slightly. It covers some of the most important areas that all companies and individuals should consider verifying before undertaking any form of outsourcing of their services.
- Know your provider
- Can it show proof of data residency?
- Do its contracts clearly state ownership of the data stays with you or your business?
- Who are the ultimate owners and what are the laws within the jurisdiction that the owners reside and what are the potential impact of these laws?
- How does it operate its services especially in jurisdictions that are local access only?
- Understand you local data protection laws and residency requirements and assess your providers ability to meet these requirements
- Does your provider give you the ability to control where your data resides
- How easy is it to move your data to another provider should a change of ownership take place that potentially puts your data at risk
- Ensure that the provider has the ability to fully delete your data including backups
- These checks should be undertaken on a regular basis as this area is constantly changing and the abilities for unregulated and, therefore in my mind unlawful, access is growing.
This whole area is now starting to become the big issue I thought it would, and should, become. As a technologist this is a fascinating area; the technology and techniques being deployed to collect data on as many people and businesses as possible is stunning but as a person who, quite rightly, believes in the right to privacy, this whole area is very worrying.
Watch out for a third blog on this area later in the year as this discussion topic continues to change and evolve.
By Julian Box, Posted 5th March 2013.